Detection Level Tuning
DustInDark edited this page Apr 21, 2022
Hayabusa and Sigma rule authors set the risk level of an alert when they write the rule. The level that is appropriate in practice, however, differs from environment to environment. You can override the level of individual rules by listing them in `./rules/config/level_tuning.txt` and then running `hayabusa.exe --level-tuning`, which rewrites the `level:` line in each listed rule file.

Please note that the rule files are modified in place: there is no separate output directory, so keep a copy of (or version control over) the rules directory if you may need to revert a change.
`./rules/config/level_tuning.txt` sample lines:

```
id,new_level
00000000-0000-0000-0000-000000000000,informational # sample level tuning line
```
In this case, the rule whose `id` is `00000000-0000-0000-0000-000000000000`, wherever it sits under the rules directory, will have its `level` rewritten to `informational`. Each line is one `id,new_level` pair; text after `#` is a comment.
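Because `--level-tuning` rewrites rule files in place, it is useful to preview what it will change first. The following is an added stand-alone Python script (not Hayabusa's own code) that parses a `level_tuning.txt`, finds rules with a matching `id`, and rewrites their `level:` line, with a dry-run mode that only reports the changes. It assumes rule files use the `.yml` extension, carry a top-level `id:` and `level:` line, and that the valid levels are the five Sigma levels (`informational`, `low`, `medium`, `high`, `critical`); Hayabusa's real implementation may differ in these details. The tuning file and rule used in the demo are constructed for this example.

```python
"""Added example: stand-alone preview/apply of Hayabusa-style level tuning.
Not Hayabusa's own code; assumptions are marked below."""
import re
import tempfile
from pathlib import Path

# Assumption: accepted levels are Sigma's five. Hayabusa's own validation may differ.
VALID_LEVELS = {"informational", "low", "medium", "high", "critical"}

# Assumption: `id:` and `level:` are top-level (unindented) keys in the rule file.
ID_RE = re.compile(r"^id:[ \t]*([0-9a-fA-F-]{36})[ \t]*$", re.M)
LEVEL_RE = re.compile(r"^(level:[ \t]*)(\S+)(.*)$", re.M)


def parse_level_tuning(text):
    """Parse `id,new_level` lines into {rule_id: new_level}.

    Blank lines, the `id,new_level` header and `#` comments are ignored.
    Raises ValueError on a malformed line or an unknown level.
    """
    tuning = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line or line.lower() == "id,new_level":
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected 'id,new_level', got {raw!r}")
        rule_id, level = parts[0].lower(), parts[1].lower()
        if level not in VALID_LEVELS:
            raise ValueError(f"line {lineno}: unknown level {level!r}")
        tuning[rule_id] = level
    return tuning


def tune_rule_text(rule_text, tuning):
    """Return (new_text, old_level, new_level) for a listed rule, else None."""
    m = ID_RE.search(rule_text)
    if not m or m.group(1).lower() not in tuning:
        return None
    new_level = tuning[m.group(1).lower()]
    lm = LEVEL_RE.search(rule_text)
    if not lm:
        raise ValueError("rule is listed for tuning but has no level: line")
    old_level = lm.group(2)
    # Replace only the level value; everything else in the file is untouched.
    new_text = rule_text[: lm.start(2)] + new_level + rule_text[lm.end(2):]
    return new_text, old_level, new_level


def tune_rules_dir(rules_dir, tuning, dry_run=True):
    """Walk rules_dir for .yml files and tune the listed ones.

    With dry_run=True nothing is written; the returned list of
    (path, old_level, new_level) is the preview of what would change.
    """
    changes = []
    for path in sorted(Path(rules_dir).rglob("*.yml")):
        result = tune_rule_text(path.read_text(encoding="utf-8"), tuning)
        if result is None:
            continue
        new_text, old_level, new_level = result
        changes.append((str(path), old_level, new_level))
        if not dry_run:
            path.write_text(new_text, encoding="utf-8")
    return changes


# Constructed sample input, mirroring the wiki's sample tuning line.
SAMPLE_TUNING = """id,new_level
00000000-0000-0000-0000-000000000000,informational # sample level tuning line
"""

SAMPLE_RULE = """title: Constructed sample rule
id: 00000000-0000-0000-0000-000000000000
status: test
level: high
detection:
    selection:
        EventID: 4688
    condition: selection
"""


def demo(apply=False):
    """Build a temporary rules tree, run a dry run, optionally apply, and return the changes."""
    tuning = parse_level_tuning(SAMPLE_TUNING)
    with tempfile.TemporaryDirectory() as tmp:
        rule_path = Path(tmp) / "rules" / "sample.yml"
        rule_path.parent.mkdir(parents=True)
        rule_path.write_text(SAMPLE_RULE, encoding="utf-8")
        changes = tune_rules_dir(tmp, tuning, dry_run=not apply)
        final_text = rule_path.read_text(encoding="utf-8")
    return changes, final_text


if __name__ == "__main__":
    for path, old, new in demo()[0]:
        print(f"{path}: {old} -> {new}")
```

Run it with no arguments for a dry run; the same functions applied with `dry_run=False` against the real rules directory reproduce the in-place rewrite that `--level-tuning` performs, so the preview output is what to review before touching the files.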