Elastic 安全检测规则管理：创建、调整规则，减少误报，优化SIEM

security-detection-rule-management by elastic/agent-skills

215 周安装量

306 GitHub Stars

GitHub

安装命令

npx skills add https://github.com/elastic/agent-skills --skill security-detection-rule-management

自动化监控安全

🇨🇳中文介绍

检测规则管理

为新兴威胁和覆盖缺口创建新的检测规则，并调整现有规则以减少误报。所有操作均通过 rule-manager.js 使用 Kibana 检测引擎 API。

执行规则

立即开始执行工具 — 不要先阅读 SKILL.md、浏览工作区或列出文件。
如实报告工具输出。准确复制 API 返回的规则 ID、名称、警报数量、例外 ID 和错误消息。不要缩写规则 UUID、编造规则名称或四舍五入警报数量。
当工具返回错误（未找到规则、API 失败）时，报告确切的错误 — 不要猜测替代方案。

先决条件

首次使用前，请在 skills/security 目录下安装依赖项：

cd skills/security && npm install

设置必需的环境变量（或将它们添加到工作区根目录的 .env 文件中）：

export ELASTICSEARCH_URL="https://your-cluster.es.cloud.example.com:443"
export ELASTICSEARCH_API_KEY="your-api-key"
export KIBANA_URL="https://your-cluster.kb.cloud.example.com:443"
export KIBANA_API_KEY="your-kibana-api-key"

常见的多步骤工作流

广告位招租

在这里展示您的产品或服务

触达数万 AI 开发者，精准高效

联系我们

工作流：为误报调整规则

步骤 1–2：识别嘈杂规则并分析误报

使用 noisy-rules 或 find 查找嘈杂规则，然后获取规则定义并调查警报：

node skills/security/detection-rule-management/scripts/rule-manager.js noisy-rules --days 7 --top 20
node skills/security/detection-rule-management/scripts/rule-manager.js find --filter "alert.attributes.name:*Suspicious*" --brief
node skills/security/detection-rule-management/scripts/rule-manager.js get --id <rule_uuid>
node skills/security/alert-triage/scripts/run-query.js "kibana.alert.rule.name:\"<rule_name>\"" --index ".alerts-security.alerts-*" --days 7 --full

寻找模式：相同的进程/用户/主机 → 例外候选；宽泛的模式 → 收紧查询；合法软件 → 例外；过于宽泛 → 重写或调整阈值。

步骤 3：选择调整策略

按偏好顺序排列：

添加例外 — 最适合特定的已知良好进程、用户或主机。不修改规则查询。当规则总体上正确，但在已知合法活动上触发时使用。
收紧查询 — 修补规则的查询以排除误报模式。当误报源于查询过于宽泛时最佳。
调整阈值 / 警报抑制 — 对于阈值规则，增加阈值。对于任何规则类型，启用警报抑制以减少同一实体的重复警报。
降低风险评分 / 严重性 — 如果规则产生许多低价值警报但仍有一些检测价值，则降低其优先级。
禁用规则 — 最后的手段。仅当规则没有价值或与另一规则完全冗余时使用。

步骤 4–5：应用调整、验证和记录

添加例外（单条件/多条件，通过 matches 使用通配符）：

node skills/security/detection-rule-management/scripts/rule-manager.js add-exception \
  --rule-uuid <rule_uuid> \
  --entries "process.executable:is:C:\\Program Files\\SCCM\\CcmExec.exe" "process.parent.name:is:CcmExec.exe" \
  --name "Exclude SCCM" --comment "FP: SCCM deployment" --tags "tuning:fp" "source:soc" --yes

修补查询、阈值、严重性或禁用：

node skills/security/detection-rule-management/scripts/rule-manager.js patch --id <rule_uuid> --query "process.name:powershell.exe AND NOT process.parent.name:CcmExec.exe" --yes
node skills/security/detection-rule-management/scripts/rule-manager.js patch --id <rule_uuid> --max-signals 50 --yes
node skills/security/detection-rule-management/scripts/rule-manager.js patch --id <rule_uuid> --severity low --risk-score 21 --yes
node skills/security/detection-rule-management/scripts/rule-manager.js disable --id <rule_uuid> --yes

写操作（patch、enable、disable、delete、add-exception、bulk-action）默认会提示确认。传递 --yes 以跳过提示（当由代理调用时需要）。

使用 rule-manager.js get --id <rule_uuid> 进行验证。通过 case-management 技能更新分类案例。

工作流：创建新的检测规则

步骤 1–2：定义威胁、数据源和字段

指定 MITRE ATT&CK 技术、所需数据源（终端、网络、云）以及恶意与合法行为。常用索引：logs-endpoint.events.process-*、logs-endpoint.events.network-*、.alerts-security.alerts-*、logs-windows.*、logs-aws.*。关键字段：process.name、process.command_line、process.parent.name、destination.ip、winlog.event_id、event.action。使用 run-query.js 验证数据：

node skills/security/alert-triage/scripts/run-query.js "process.name:certutil.exe" --index "logs-endpoint.events.process-*" --days 30 --size 5

步骤 3：编写并测试查询

规则类型：query（KQL 字段匹配）、eql（事件序列）、esql（聚合）、threshold（基于数量）、threat_match（IOC 关联）、new_terms（首次出现）。在创建前针对 Elasticsearch 进行测试：

node skills/security/alert-triage/scripts/run-query.js "process.name:certutil.exe AND process.command_line:(*urlcache* OR *decode*)" \
  --index "logs-endpoint.events.process-*" --days 30

对于 EQL，使用 --query-file 以避免 shell 转义问题。

在创建或修补规则之前验证查询语法。 validate-query 命令可在本地捕获常见错误 — 转义的反斜杠、括号不匹配、引号不平衡以及重复的布尔运算符：

node skills/security/detection-rule-management/scripts/rule-manager.js validate-query \
  --query "process.name:taskkill.exe AND process.command_line:(*chrome.exe* OR *msedge.exe*)" --language kuery

create 和 patch 命令也会自动运行验证并拒绝无效查询。仅当您确信查询正确，尽管触发了检查时，才传递 --skip-validation。

常见的 KQL 语法错误：

转义的正斜杠 — KQL 通配符使用纯文本。应写 */IM chrome.exe*，而不是 *\/IM chrome.exe*。
括号不匹配 — 每个 ( 必须有匹配的 )。
引号不平衡 — 每个 " 必须成对出现。
重复运算符 — AND AND 或 OR OR 总是错误。

步骤 4：创建规则

node skills/security/detection-rule-management/scripts/rule-manager.js create \
  --name "Certutil URL Download or Decode" \
  --description "Detects certutil.exe used to download files or decode Base64 payloads, a common LOLBin technique." \
  --type query \
  --query "process.name:certutil.exe AND process.command_line:(*urlcache* OR *decode*)" \
  --index "logs-endpoint.events.process-*" \
  --severity medium --risk-score 47 \
  --tags "OS:Windows" "Tactic:Defense Evasion" "Tactic:Command and Control" \
  --false-positives "IT administrators using certutil for legitimate certificate operations" \
  --references "https://attack.mitre.org/techniques/T1140/" \
  --interval 5m --disabled

对于复杂规则（EQL 序列、MITRE 映射、警报抑制），使用 create --from-file rule_definition.json 和 --threat-file。有关模式，请参阅 references/detection-api-reference.md。

步骤 5：监控和迭代

使用 noisy-rules --days 3 --top 10 监控警报量，并根据需要调整误报。

工作流：终端行为规则调整

通过添加限定于特定规则的终端例外来调整Elastic 终端行为规则。终端例外位于安全 → 例外 → 终端安全例外列表中，而不是在单个 SIEM 规则下。

关键原则： 始终先从 protections-artifacts 获取规则定义。始终将例外限定于规则（rule.id 或 rule.name）。使用完整路径而非进程名称。在任何例外之前运行强制的实体交叉检查（步骤 4b）。模拟影响（步骤 5b）并力求噪声降低 ≥60%。

脚本： fetch-endpoint-rule-from-github.js（按 id 获取规则 TOML）、add-endpoint-exception.js（添加到终端例外列表；需要 rule.id/rule.name）、check-exclusion-best-practices.js。

有关完整的逐步工作流（步骤 1–6）、查询和模拟模板，请参阅 references/endpoint-behavior-tuning-workflow.md。有关排除最佳实践，请参阅 references/endpoint-rule-exclusion-best-practices.md。

所有命令均从工作区根目录运行。除非注明，所有输出均为 JSON。

命令	描述
`find`	使用可选的 KQL 过滤器搜索/列出规则
`get`	通过 `--id` 或 `--rule-id` 获取规则
`create`	创建规则（内联标志或 `--from-file`）
`patch`	修补规则上的特定字段
`enable`	启用规则
`disable`	禁用规则
`delete`	删除规则
`export`	将规则导出为 NDJSON
`bulk-action`	批量启用/禁用/删除/复制/编辑
`add-exception`	向规则添加例外项
`list-exceptions`	列出例外列表中的项
`create-shared-list`	创建共享例外列表
`noisy-rules`	按警报量查找最嘈杂的规则
`validate-query`	在创建/修补前检查查询语法

终端行为调整： fetch-endpoint-rule-from-github.js（按 id 获取规则 TOML）、add-endpoint-exception.js（添加到终端例外列表；需要 rule.id/rule.name）、check-exclusion-best-practices.js。

将条目传递为 field:operator:value。运算符：is、is_not、is_one_of、is_not_one_of、exists、does_not_exist、matches、does_not_match。示例：process.name:is:svchost.exe、file.path:matches:C:\\Program Files\\*。

有关完整的 API 模式详情，请参阅 references/detection-api-reference.md
关于终端行为调整：references/endpoint-exceptions-guide.md、references/endpoint-rule-exclusion-best-practices.md
在调整期间进行警报调查，请使用 alert-triage 技能
在案例中记录调整操作，请使用 case-management 技能

"查找过去 7 天中最嘈杂的检测规则，并帮助我调整其中一个"
"添加一个例外，从可疑的 PowerShell 规则中排除 SCCM"
"为 certutil URL 下载或解码创建一个新的检测规则"

仅报告工具输出。 总结结果时，仅引用或转述工具返回的内容。不要编造工具响应中不存在的 ID、主机名、IP、分数、进程树或其他细节。
保留请求中的标识符。 如果用户提供了特定的主机名、代理 ID、案例 ID 或其他值，请在工具调用和响应中使用这些确切的值 — 不要替换不同的标识符。
简洁地确认操作。 执行工具后，使用工具的返回数据确认已完成的操作。除非出现在工具响应中，否则不要编造内部 ID、元数据或状态细节。
区分事实与推断。 如果您得出的结论超出了工具返回的范围（例如，根据观察到的行为建议 MITRE 技术），请明确将其标记为您的评估，而不是将其呈现为工具输出。
立即开始执行工具。 不要在行动前阅读 SKILL.md、浏览目录或列出文件。
逐字报告工具输出。 准确复制返回的规则 ID、名称、警报数量和错误消息。不要缩写 UUID 或四舍五入数字。

所有写操作（create、patch、enable、disable、delete、add-exception、bulk-action、add-endpoint-exception）都会提示确认。当由代理调用时，传递 --yes 或 -y 以跳过。
终端例外会全局抑制检测。 始终使用条目中的 rule.id 或 rule.name 将例外限定于特定规则。宽泛的、未限定范围的例外可能会悄无声息地降低检测覆盖率。
在运行任何脚本之前，验证环境变量指向预期的集群。
在执行批量更改之前，使用 --dry-run 与 bulk-action 预览影响。

变量	必需	描述
`ELASTICSEARCH_URL`	是	Elasticsearch URL（用于 noisy-rules 聚合）
`ELASTICSEARCH_API_KEY`	是	Elasticsearch API 密钥
`KIBANA_URL`	是	Kibana URL（用于规则 API）
`KIBANA_API_KEY`	是	Kibana API 密钥

🇺🇸English

Detection Rule Management

Create new detection rules for emerging threats and coverage gaps, and tune existing rules to reduce false positives. All operations use the Kibana Detection Engine API via rule-manager.js.

Execution rules

Start executing tools immediately — do not read SKILL.md, browse the workspace, or list files first.
Report tool output faithfully. Copy rule IDs, names, alert counts, exception IDs, and error messages exactly as returned by the API. Do not abbreviate rule UUIDs, invent rule names, or round alert counts.
When a tool returns an error (rule not found, API failure), report the exact error — do not guess at alternatives.

Prerequisites

Install dependencies before first use from the skills/security directory:

cd skills/security && npm install

Set the required environment variables (or add them to a .env file in the workspace root):

export ELASTICSEARCH_URL="https://your-cluster.es.cloud.example.com:443"
export ELASTICSEARCH_API_KEY="your-api-key"
export KIBANA_URL="https://your-cluster.kb.cloud.example.com:443"
export KIBANA_API_KEY="your-kibana-api-key"

Common multi-step workflows

Task	Tools to call (in order)
Tune noisy SIEM rule	`rule_manager` find/noisy-rules → `run_query` (investigate FPs) → `rule_manager` patch or add-exception
Add endpoint behavior exception	`fetch_endpoint_rule` (get rule definition from GitHub) → `add_endpoint_exception` (scoped to rule.id)
Create new detection rule	`run_query` (test query against data) → `rule_manager` create

For endpoint behavior rules, always fetch the rule definition first to understand query logic and existing exclusions before adding an exception. For SIEM rules, always investigate alert patterns with run_query before tuning.

Critical: For endpoint behavior rules, always use fetch_endpoint_rule (not shell or direct script calls) to get the rule definition, then use add_endpoint_exception to add the exception. These are dedicated tools — do not invoke the underlying scripts manually.

Workflow: Tune a rule for false positives

Steps 1–2: Identify noisy rules and analyze false positives

Find noisy rules with noisy-rules or find, then get the rule definition and investigate alerts:

node skills/security/detection-rule-management/scripts/rule-manager.js noisy-rules --days 7 --top 20
node skills/security/detection-rule-management/scripts/rule-manager.js find --filter "alert.attributes.name:*Suspicious*" --brief
node skills/security/detection-rule-management/scripts/rule-manager.js get --id <rule_uuid>
node skills/security/alert-triage/scripts/run-query.js "kibana.alert.rule.name:\"<rule_name>\"" --index ".alerts-security.alerts-*" --days 7 --full

Look for patterns: same process/user/host → exception candidate; broad pattern → tighten query; legitimate software → exception; too broad → rewrite or adjust threshold.

Step 3: Choose a tuning strategy

In order of preference:

Add exception — Best for specific known-good processes, users, or hosts. Does not modify the rule query. Use when the rule is correct in general but fires on known-legitimate activity.
Tighten the query — Patch the rule's query to exclude the FP pattern. Best when the false positives stem from the query being too broad.
Adjust threshold / alert suppression — For threshold rules, increase the threshold value. For any rule type, enable alert suppression to reduce duplicate alerts on the same entity.
Reduce risk score / severity — Downgrade the rule's priority if it generates many low-value alerts but still has some detection value.
Disable the rule — Last resort. Only if the rule provides no value or is completely redundant with another rule.

Steps 4–5: Apply tuning, verify, and document

Add exception (single/multi-condition, wildcard via matches):

node skills/security/detection-rule-management/scripts/rule-manager.js add-exception \
  --rule-uuid <rule_uuid> \
  --entries "process.executable:is:C:\\Program Files\\SCCM\\CcmExec.exe" "process.parent.name:is:CcmExec.exe" \
  --name "Exclude SCCM" --comment "FP: SCCM deployment" --tags "tuning:fp" "source:soc" --yes

Patch query, threshold, severity, or disable:

node skills/security/detection-rule-management/scripts/rule-manager.js patch --id <rule_uuid> --query "process.name:powershell.exe AND NOT process.parent.name:CcmExec.exe" --yes
node skills/security/detection-rule-management/scripts/rule-manager.js patch --id <rule_uuid> --max-signals 50 --yes
node skills/security/detection-rule-management/scripts/rule-manager.js patch --id <rule_uuid> --severity low --risk-score 21 --yes
node skills/security/detection-rule-management/scripts/rule-manager.js disable --id <rule_uuid> --yes

Write operations (patch, enable, disable, delete, add-exception, bulk-action) prompt for confirmation by default. Pass --yes to skip the prompt (required when called by an agent).

Verify with rule-manager.js get --id <rule_uuid>. Update triage cases via the case-management skill.

Workflow: Create new detection rule

Steps 1–2: Define the threat, data sources, and fields

Specify MITRE ATT&CK technique(s), required data sources (Endpoint, Network, Cloud), and malicious vs legitimate behavior. Common indexes: logs-endpoint.events.process-*, logs-endpoint.events.network-*, .alerts-security.alerts-*, logs-windows.*, logs-aws.*. Key fields: process.name, process.command_line, process.parent.name, destination.ip, winlog.event_id, event.action. Verify data with :

node skills/security/alert-triage/scripts/run-query.js "process.name:certutil.exe" --index "logs-endpoint.events.process-*" --days 30 --size 5

Step 3: Write and test the query

Rule types: query (KQL field matching), eql (event sequences), esql (aggregations), threshold (volume-based), threat_match (IOC correlation), new_terms (first-seen). Test against Elasticsearch before creating:

node skills/security/alert-triage/scripts/run-query.js "process.name:certutil.exe AND process.command_line:(*urlcache* OR *decode*)" \
  --index "logs-endpoint.events.process-*" --days 30

For EQL, use --query-file to avoid shell escaping issues.

Validate query syntax before creating or patching a rule. The validate-query command catches common errors locally — escaped backslashes, mismatched parentheses, unbalanced quotes, and duplicate boolean operators:

node skills/security/detection-rule-management/scripts/rule-manager.js validate-query \
  --query "process.name:taskkill.exe AND process.command_line:(*chrome.exe* OR *msedge.exe*)" --language kuery

The create and patch commands also run validation automatically and reject invalid queries. Pass --skip-validation only if you are certain the query is correct despite triggering a check.

Common KQL syntax mistakes:

Escaped forward-slashes — KQL wildcards use plain text. Write */IM chrome.exe*, not *\/IM chrome.exe*.
Mismatched parentheses — every ( must have a matching ).
Unbalanced quotes — every " must be paired.
Duplicate operators — AND AND or OR OR is always an error.

Step 4: Create the rule

node skills/security/detection-rule-management/scripts/rule-manager.js create \
  --name "Certutil URL Download or Decode" \
  --description "Detects certutil.exe used to download files or decode Base64 payloads, a common LOLBin technique." \
  --type query \
  --query "process.name:certutil.exe AND process.command_line:(*urlcache* OR *decode*)" \
  --index "logs-endpoint.events.process-*" \
  --severity medium --risk-score 47 \
  --tags "OS:Windows" "Tactic:Defense Evasion" "Tactic:Command and Control" \
  --false-positives "IT administrators using certutil for legitimate certificate operations" \
  --references "https://attack.mitre.org/techniques/T1140/" \
  --interval 5m --disabled

For complex rules (EQL sequences, MITRE mappings, alert suppression), use create --from-file rule_definition.json and --threat-file. See references/detection-api-reference.md for schema.

Step 5: Monitor and iterate

Monitor alert volume with noisy-rules --days 3 --top 10 and tune false positives as needed.

Workflow: Endpoint behavior rules tuning

Tune Elastic Endpoint behavior rules by adding Endpoint exceptions scoped to specific rules. Endpoint exceptions live in Security → Exceptions → Endpoint Security Exception List , not under individual SIEM rules.

Key principles: Always fetch the rule definition from protections-artifacts first. Always scope exceptions to the rule (rule.id or rule.name). Use full paths over process names. Run the mandatory entity cross-check (Step 4b) before any exception. Simulate impact (Step 5b) and aim for ≥60% noise reduction.

Scripts: fetch-endpoint-rule-from-github.js (get rule TOML by id), add-endpoint-exception.js (add to Endpoint Exception List; rule.id/rule.name required), check-exclusion-best-practices.js.

For the full step-by-step workflow (Steps 1–6), queries, and simulation templates, see references/endpoint-behavior-tuning-workflow.md. For exclusion best practices, see references/endpoint-rule-exclusion-best-practices.md.

Tool reference

rule-manager.js

All commands are run from the workspace root. All output is JSON unless noted.

Command	Description
`find`	Search/list rules with optional KQL filter
`get`	Get a rule by `--id` or `--rule-id`
`create`	Create a rule (inline flags or `--from-file`)
`patch`	Patch specific fields on a rule
`enable`

Endpoint behavior tuning: fetch-endpoint-rule-from-github.js (get rule TOML by id), add-endpoint-exception.js (add to Endpoint Exception List; rule.id/rule.name required), check-exclusion-best-practices.js.

Exception entry format

Pass entries as field:operator:value. Operators: is, is_not, is_one_of, is_not_one_of, exists, does_not_exist, matches, does_not_match. Example: process.name:is:svchost.exe, file.path:matches:C:\\Program Files\\*.

Additional resources

For full API schema details, see references/detection-api-reference.md
For endpoint behavior tuning: references/endpoint-exceptions-guide.md, references/endpoint-rule-exclusion-best-practices.md
For alert investigation during tuning, use the alert-triage skill
For documenting tuning actions in cases, use the case-management skill

Examples

"Find the noisiest detection rules from the last 7 days and help me tune one"
"Add an exception to exclude SCCM from the suspicious PowerShell rule"
"Create a new detection rule for certutil URL download or decode"

Guidelines

Report only tool output. When summarizing results, quote or paraphrase only what the tools returned. Do not invent IDs, hostnames, IPs, scores, process trees, or other details not present in the tool response.
Preserve identifiers from the request. If the user provides specific hostnames, agent IDs, case IDs, or other values, use those exact values in tool calls and responses — do not substitute different identifiers.
Confirm actions concisely. After executing a tool, confirm what was done using the tool's return data. Do not fabricate internal IDs, metadata, or status details unless they appear in the tool response.
Distinguish facts from inference. If you draw conclusions beyond what the tools returned (e.g., suggesting a MITRE technique based on observed behavior), clearly label those as your assessment rather than presenting them as tool output.
Start executing tools immediately. Do not read SKILL.md, browse directories, or list files before acting.
Report tool output verbatim. Copy rule IDs, names, alert counts, and error messages exactly as returned. Do not abbreviate UUIDs or round numbers.

Production use

All write operations (create, patch, enable, disable, delete, add-exception, bulk-action, add-endpoint-exception) prompt for confirmation. Pass --yes or -y to skip when called by an agent.
Endpoint exceptions suppress detections globally. Always scope exceptions to a specific rule using rule.id or in the entries. A broad, unscoped exception can silently reduce detection coverage.

Environment variables

Variable	Required	Description
`ELASTICSEARCH_URL`	Yes	Elasticsearch URL (for noisy-rules aggregation)
`ELASTICSEARCH_API_KEY`	Yes	Elasticsearch API key
`KIBANA_URL`	Yes	Kibana URL (for rules API)
`KIBANA_API_KEY`	Yes	Kibana API key

Weekly Installs

128

Repository

elastic/agent-skills

GitHub Stars

First Seen

11 days ago

Security Audits

Gen Agent Trust HubPass SocketPass SnykPass

Installed on

cursor116

opencode108

github-copilot108

codex108

kimi-cli108

amp108

GitHub Actions 官方文档查询助手 - 精准解答 CI/CD 工作流问题

45,200 周安装

Verify environment variables point to the intended cluster before running any script.

Use --dry-run with bulk-action to preview impact before executing bulk changes.

调整嘈杂的 SIEM 规则	`rule_manager` find/noisy-rules → `run_query`（调查误报） → `rule_manager` patch 或 add-exception
添加终端行为例外	`fetch_endpoint_rule`（从 GitHub 获取规则定义） → `add_endpoint_exception`（限定于 rule.id）
创建新的检测规则	`run_query`（针对数据测试查询） → `rule_manager` create
调查规则警报量	`rule_manager` get → `run_query`（查询警报索引）

Elastic 安全检测规则管理：创建、调整规则，减少误报，优化SIEM

🇨🇳中文介绍

检测规则管理

执行规则

先决条件

常见的多步骤工作流

相关 Skills

工作流：为误报调整规则

步骤 1–2：识别嘈杂规则并分析误报

步骤 3：选择调整策略

步骤 4–5：应用调整、验证和记录

工作流：创建新的检测规则

步骤 1–2：定义威胁、数据源和字段

步骤 3：编写并测试查询

步骤 4：创建规则

步骤 5：监控和迭代

工作流：终端行为规则调整

工具参考

rule-manager.js

例外条目格式

其他资源

示例

指南

生产使用

环境变量

🇺🇸English

Detection Rule Management

Execution rules

Prerequisites

Common multi-step workflows

Workflow: Tune a rule for false positives

Steps 1–2: Identify noisy rules and analyze false positives

Step 3: Choose a tuning strategy

Steps 4–5: Apply tuning, verify, and document

Workflow: Create new detection rule

Steps 1–2: Define the threat, data sources, and fields

Step 3: Write and test the query

Step 4: Create the rule

Step 5: Monitor and iterate

Workflow: Endpoint behavior rules tuning

Tool reference

rule-manager.js

Exception entry format

Additional resources

Examples

Guidelines

Production use

Environment variables

最新 Skills