Rule Categories

Overview

Rule categories let you group stream rules and batch rules by attack type for easier management. Security operators can use categories to split detection policies by attack stage or threat nature, and can interpret results in Event Summary and Tickets using the same category criteria.

In Sonar 5, rule categories are managed separately as shared categories used by both stream rules and batch rules. For example, predefining categories such as Initial Access, Privilege Escalation, Command and Control, and Exfiltration makes it easier to manage the purpose of each rule and set response priorities.

When designing a category scheme for the first time, using MITRE ATT&CK tactics as a baseline lets you organize rules systematically by attack stage. The following table shows example category names that correspond to MITRE ATT&CK tactics.

Category                 MITRE ATT&CK Tactic
---------------------    ---------------------
Initial Access           Initial Access
Execution                Execution
Persistence              Persistence
Privilege Escalation     Privilege Escalation
Defense Evasion          Defense Evasion
Credential Access        Credential Access
Discovery                Discovery
Lateral Movement         Lateral Movement
Collection               Collection
Command and Control      Command and Control
Exfiltration             Exfiltration
Impact                   Impact
Reconnaissance           Reconnaissance

All users, including administrators, can view the list. Edit permission is required to add, edit, or delete categories.

Search Rule Categories

You can view or search rule categories in Policies > Rule Categories.

Rule category list

  • Category: Name of the rule category
  • Description: Description of the rule category
  • Modified At: Date the category was last modified

To find a specific rule category in the list, use the search tool in the toolbar. Results are filtered based on the keyword you enter.

The toolbar provides Add, Refresh, and Delete. This list does not support download.

Refresh Rule Category List

To refresh the rule category list with the latest information, click Refresh in the toolbar.

Add Rule Category

To add a rule category:

  1. Go to Policies > Rule Categories and click Add in the toolbar.

  2. In the New Rule Category panel, enter the following items and click Save.

    New rule category

    • Name: Rule category name (required, up to 50 characters)
    • Description: Rule category description (up to 1,000 characters)

Note
You cannot add a rule category if one with the same name already exists.

Edit Rule Category

To edit a rule category:

  1. In the rule category list, click the rule category you want to edit.
  2. In the Edit Rule Category panel, update the information and click Save.

Note
The edit screen layout is identical to the new rule category panel. Change the name and description, then save.

Delete Rule Category

To delete a rule category:

  1. In the rule category list, select the checkbox for the rule category you want to delete.
  2. Click Delete in the toolbar.
  3. In the Delete Rule Category dialog, review the selected rule categories and click Delete. To cancel, click Cancel.

Caution
Before deleting a rule category that is in use by a stream rule or batch rule, review the impact on the related rules.
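The example below is an added illustration, not Sonar's own code or API: a small registry that seeds the ATT&CK-based category scheme from the table above, enforces the documented constraints when adding a category (name required and at most 50 characters, description at most 1,000 characters, no duplicate names), and performs the impact review the caution asks for before a category that stream or batch rules still reference is deleted. The DetectionRule model and the registry methods are assumptions made for this example.

```python
from dataclasses import dataclass
NAME_MAX = 50            # documented limit for the category name
DESCRIPTION_MAX = 1000   # documented limit for the description

# Category names from the ATT&CK-based table above.
ATTACK_CATEGORIES = [
    "Initial Access", "Execution", "Persistence", "Privilege Escalation",
    "Defense Evasion", "Credential Access", "Discovery", "Lateral Movement",
    "Collection", "Command and Control", "Exfiltration", "Impact",
    "Reconnaissance",
]

@dataclass
class DetectionRule:          # assumed minimal model of a stream/batch rule
    name: str
    category: str
    kind: str                 # "stream" or "batch"

class CategoryRegistry:
    """Shared categories plus the stream/batch rules that reference them."""
    def __init__(self):
        self.categories = {}  # name -> description
        self.rules = []

    def add(self, name, description=""):
        name = name.strip()
        if not name or len(name) > NAME_MAX:
            raise ValueError(f"name is required, at most {NAME_MAX} characters")
        if len(description) > DESCRIPTION_MAX:
            raise ValueError(f"description is at most {DESCRIPTION_MAX} characters")
        if name in self.categories:
            raise ValueError(f"rule category {name!r} already exists")
        self.categories[name] = description

    def rules_using(self, name):
        """Impact check: rules that would lose their category on delete."""
        return [r for r in self.rules if r.category == name]

    def delete(self, name, force=False):
        in_use = self.rules_using(name)
        if in_use and not force:
            names = ", ".join(r.name for r in in_use)
            raise RuntimeError(f"{name!r} is still used by: {names}")
        del self.categories[name]
        return in_use

def seed_attack_categories(reg):
    for cat in ATTACK_CATEGORIES:
        reg.add(cat, f"Rules mapped to the ATT&CK tactic '{cat}'")
    return len(reg.categories)
```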