Delete Indicators Automatically
Analysts can create deletion rules to define filtering criteria for the flow of indicators generated by Cytomic Orion. When an indicator that matches the criteria defined for a deletion rule is detected, it is assigned the status Deleted and removed from the list of indicators. Indicators marked as Deleted are temporarily moved to the recycle bin, although if an indicator was previously assigned to an investigation, it is not removed from it.
Indicators marked as Deleted are held in the recycle bin for seven days. After that time, they are permanently removed from Cytomic Orion.
Add a Deletion Rule
You create deletion rules from a single indicator. Before you begin the process to create a rule, make sure that only one indicator is selected in the list.
- In the top menu, select Indicators. Select an indicator by using the relevant checkbox.
- In the toolbar, select Add automatic deletion rule (4). A dialog box opens that shows information about the indicator you want to delete.
Or
- Click the context menu (2) next to the checkbox or right-click any of the indicator’s fields to open the drop-down menu. Select Add automatic deletion rule.
- Fill in the fields for the deletion rule:
  - Name: Name of the deletion rule.
  - Description: Text field where the analyst can specify the reasons for deleting indicators.
- Fill in the fields that describe the indicators you want to delete:
  - Client ID: Specify the client IDs associated with the indicators you want to delete. All deletion rules must have at least one associated client. Click the icon to select the clients, or copy and paste a list of client IDs separated by commas.
  - Hunting Rule: The name of the hunting rule that generated the indicators you want to delete. This is an optional field.
  - MUID: Specify the computer IDs associated with the indicators you want to delete. Click the icon to select the MUIDs, or copy and paste a list of MUIDs separated by commas. This is an optional field.
  - Computer: Specify the names of the computers where the indicators you want to delete originated. Click the icon to select the computers, or copy and paste a list of computer names separated by commas. This is an optional field.
  - Details: Specify the content of the Details field for the indicators you want to delete. You can require the exact content of the field with the Equals option, or match it flexibly with a regular expression by using the RegEx option. For more information, see Manage Deletion Rules.
By default, deletion rules are created as restrictively as possible, and it is up to analysts to disable the optional fields they deem unnecessary in order to make the rule more flexible.
If you define multiple criteria for a deletion rule, the logical operator AND is used. This way, only those indicators that meet all the criteria set out in the deletion rule are filtered.
Regular Expressions
For more information about the syntax allowed in regular expressions, see https://docs.microsoft.com/en-us/dotnet/standard/base-types/regular-expression-language-quick-reference.
To validate the regular expressions created, see http://regexstorm.net/tester.
Cytomic Orion supports RegEx C to describe flexible patterns in the Details field of indicators. As in most languages used to describe character patterns, characters that are considered special or that belong to the language itself must be escaped; in RegEx C the escape character is “\”.
To help with the development of regular expressions, there is a preview panel that lets you check, as you write it, whether the regular expression matches the patterns you want to search for.
To generate a regular expression, select the RegEx option from the drop-down menu in the Details field. The content of the field is replaced with a regular expression that matches the content shown in the preview panel. The console escapes all special characters automatically to make it easier for the analyst to edit the regular expression.
Example of Exclusion Created by Using Regular Expressions in the Details Field
You want to remove from the Indicators panel all executions of the net.exe tool in which it adds the “gcch\GG_SEC_IBM_PC_Admins” user to the administrators group, because this action is frequent but risk-free.
The indicator generated by Cytomic Orion in this situation is this:
{ "contents": [ { "ChildPath": "SYSTEM|\net.exe", "CommandLine": "net localgroup administrators "gcch\GG_SEC_IBM_PC_Admins" /add", "ParentPath": "SYSTEM|\cmd.exe", "extendedInfo": "", "loggedUser": "NT AUTHORITY\SYSTEM" } ] }
The indicator is shown in a compact format in the Details field of the Cytomic Orion console:
The regular expression that filters indicators by the content of the Details field according to the criteria established by the analyst would be:
The preview panel enables you to verify that the regular expression defined generates the character pattern that matches the content of the indicator’s Details field.
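As an added illustration that is not part of the Cytomic Orion documentation, the following Python script builds the escaped pattern for the net.exe indicator above and applies the AND semantics of a deletion rule to a few constructed indicators. Python's re module stands in for the console's RegEx C engine (the escapes used here, \|, \\, \. and .*?, have the same meaning in both), and the compact Details strings and client IDs are constructed for the example.

```python
import re

# Constructed Details strings shaped like the net.exe indicator on this page (not real telemetry).
# The backslashes and the "|" path separator are literal characters of the field, so a
# pattern must escape them.
BENIGN = (
    '{"contents":[{"ChildPath":"SYSTEM|\\net.exe",'
    '"CommandLine":"net localgroup administrators "gcch\\GG_SEC_IBM_PC_Admins" /add",'
    '"ParentPath":"SYSTEM|\\cmd.exe","extendedInfo":"","loggedUser":"NT AUTHORITY\\SYSTEM"}]}'
)
# Same tool adding a different account: a rule for the known-benign group must not delete it.
OTHER_ACCOUNT = BENIGN.replace("gcch\\GG_SEC_IBM_PC_Admins", "gcch\\contractor01")
# Same command line launched from another binary: must not be deleted either.
OTHER_TOOL = BENIGN.replace("SYSTEM|\\net.exe", "SYSTEM|\\powershell.exe")


def details_pattern(*fragments: str) -> str:
    """Escape every regex-special character in each literal fragment (what the console does
    when the Details field is switched to RegEx) and join the fragments with a lazy wildcard,
    so the JSON keys that sit between them do not have to be spelled out."""
    return ".*?".join(re.escape(fragment) for fragment in fragments)


# Pattern for the exclusion described on the page: net.exe adding exactly this group.
NET_ADMIN_ADD = details_pattern(
    '"ChildPath":"SYSTEM|\\net.exe"',
    'net localgroup administrators "gcch\\GG_SEC_IBM_PC_Admins" /add',
)


def indicator(client_id: str, details: str) -> dict:
    """Minimal constructed indicator record: the client it belongs to and its compact Details."""
    return {"clientId": client_id, "details": details}


def rule_deletes(ind: dict, client_ids: set, pattern: str) -> bool:
    """Deletion-rule semantics from the page: all criteria are ANDed. Client ID is mandatory;
    the Details RegEx is an optional criterion that narrows the rule further."""
    return ind["clientId"] in client_ids and re.search(pattern, ind["details"]) is not None


if __name__ == "__main__":
    rule_clients = {"client-A"}
    for label, ind in [("benign", indicator("client-A", BENIGN)),
                       ("other account", indicator("client-A", OTHER_ACCOUNT)),
                       ("other tool", indicator("client-A", OTHER_TOOL)),
                       ("other client", indicator("client-B", BENIGN))]:
        print(f"{label:14} deleted={rule_deletes(ind, rule_clients, NET_ADMIN_ADD)}")
```

Only the first indicator is deleted; the other three fail one criterion each, which is the behaviour the AND rule and the exact escaped fragments are meant to guarantee.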