Intezer's automated triage results can be customized using detection rules. These rules can apply to different artifacts and affect the overall verdict of alerts.
Creating a new rule
To create a new rule, open the Detection Library page from the top right-hand side of the screen.
Alternatively, click an artifact in an existing alert to create a rule for that artifact.
In the rule creation window, first choose a template according to the verdict you want matching artifacts to receive.
Next, choose the type of artifact the rule applies to.
Give the rule a descriptive name.
Under Patterns, choose the match type and then enter the pattern itself. The pattern determines which artifacts the rule applies to.
You can add additional patterns within the same rule.
To activate the rule, click Create Rule. The rule then appears in your Detection Library.
For more information on the various options available, please review the tooltips in the rule creation window.
Existing rules can be reopened later to edit them, or to enable or disable them.
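The following is an added example and not Intezer's code or API: it is a small, stand-alone model of the rule structure described above (a verdict template, an artifact type, a name, one or more patterns with a match type, and an enabled flag), with a pre-creation check that catches empty patterns and regular expressions that do not compile, and an evaluation step that shows how disabled rules are skipped and how matching rules could feed an overall alert verdict. The match-type names ("exact", "contains", "regex"), the artifact-type names, the verdict names, the severity ordering used to pick the overall verdict, and all sample artifacts are assumptions constructed for the illustration; the page does not document Intezer's actual precedence between rules.

```python
"""Toy model of detection rules (added example; not Intezer's code or API)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Assumed verdict names and severity ordering (most severe wins). The page
# does not specify how Intezer resolves conflicting rules.
VERDICT_RANK = {"trusted": 0, "suspicious": 1, "malicious": 2}


@dataclass
class Pattern:
    match_type: str   # "exact", "contains" or "regex" (assumed names)
    value: str

    def matches(self, candidate: str) -> bool:
        if self.match_type == "exact":
            return candidate == self.value
        if self.match_type == "contains":
            return self.value in candidate
        if self.match_type == "regex":
            return re.search(self.value, candidate) is not None
        raise ValueError(f"unknown match type: {self.match_type}")


@dataclass
class Rule:
    name: str
    verdict: str          # the verdict template chosen for the rule
    artifact_type: str    # e.g. "sha256", "command_line" (assumed names)
    patterns: List[Pattern] = field(default_factory=list)
    enabled: bool = True

    def validate(self) -> List[str]:
        """Problems worth catching before the rule is created."""
        errors: List[str] = []
        if self.verdict not in VERDICT_RANK:
            errors.append(f"{self.name}: unknown verdict {self.verdict!r}")
        if not self.patterns:
            errors.append(f"{self.name}: rule has no patterns")
        for p in self.patterns:
            if p.match_type == "regex":
                try:
                    re.compile(p.value)
                except re.error as exc:
                    errors.append(f"{self.name}: bad regex {p.value!r}: {exc}")
            elif not p.value:
                errors.append(f"{self.name}: empty pattern")
        return errors

    def applies_to(self, artifact_type: str, value: str) -> bool:
        # Disabled rules never fire; a rule only looks at its own artifact type.
        return (self.enabled and artifact_type == self.artifact_type
                and any(p.matches(value) for p in self.patterns))


def evaluate(rules: List[Rule],
             artifacts: List[Tuple[str, str]]) -> Tuple[Dict[str, List[str]], Optional[str]]:
    """Apply rules to the (artifact_type, value) pairs of one alert.

    Returns a map of artifact value -> names of rules that matched it, and the
    most severe verdict among matched rules (None if nothing matched).
    """
    per_artifact: Dict[str, List[str]] = {}
    overall: Optional[str] = None
    for artifact_type, value in artifacts:
        hits = [r for r in rules if r.applies_to(artifact_type, value)]
        if not hits:
            continue
        per_artifact[value] = [r.name for r in hits]
        for r in hits:
            if overall is None or VERDICT_RANK[r.verdict] > VERDICT_RANK[overall]:
                overall = r.verdict
    return per_artifact, overall


# Constructed sample rules; the hash is a placeholder, not a real sample.
FAKE_SHA256 = "0123456789abcdef" * 4
RULES = [
    Rule("known-bad-dropper", "malicious", "sha256",
         [Pattern("exact", FAKE_SHA256)]),
    Rule("internal-admin-tool", "trusted", "command_line",
         [Pattern("contains", r"corp-tools\inventory.exe")]),
    Rule("old-test-rule", "suspicious", "command_line",
         [Pattern("regex", r"powershell.*-enc")], enabled=False),
]

# Constructed artifacts from a hypothetical alert.
ALERT_ARTIFACTS = [
    ("sha256", FAKE_SHA256),
    ("command_line", r"C:\corp-tools\inventory.exe --scan"),
    ("command_line", "powershell.exe -enc SQBFAFgA"),
]

if __name__ == "__main__":
    for rule in RULES:
        for problem in rule.validate():
            print("rule problem:", problem)
    matched, verdict = evaluate(RULES, ALERT_ARTIFACTS)
    print("matched:", matched)
    print("overall verdict:", verdict)
```

Running `validate()` on a rule before entering it in the Detection Library is the useful habit here: a malformed regular expression or an empty pattern silently matches nothing (or errors out), and the disabled `old-test-rule` shows why the enabled state of a rule should be checked when a pattern that should fire does not.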