Detection rules
Rules are JSON files grouped by MITRE-style category, for example:
- `execution.json`: shells, PowerShell patterns, ping, netstat, etc.
- `discovery.json`: systeminfo, whoami, net user, tasklist, etc.
- `persistence.json`, `defense_evasion.json`, `command_and_control.json`, …
Each rule defines:
- `id`, `name`, `description`, `severity`, `enabled`
- Conditions: each condition has a `field`, an `operator` (`equals`, `contains`, `matches`, `in`, …) and a `value`
- Logic: `AND` or `OR` across the conditions
The detection engine evaluates rules against the fields populated by SysmonEventProcessor (for example `process_name`, `command_line`, and `network_connection`, which carries the destination port).
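The following is an added reference evaluator for the rule format described above; it is not the project's engine and is meant only to make the semantics concrete. The rule file and the Sysmon-style events are constructed. Everything not stated in the README is an assumption and is marked as such in the code: lowercase JSON key names, case-insensitive string comparison for `equals`, `contains` and `in`, `matches` as a regular expression searched anywhere in the field, `AND` as the default when `logic` is absent, and a missing field never satisfying a condition.

```python
"""Reference evaluator for JSON detection rules (added example, not the project's code).

Assumptions not confirmed by the README: lowercase key names, case-insensitive
string comparison for equals/contains/in, `matches` = regex search anywhere in
the value, `logic` defaults to AND, and a field absent from the event never matches.
"""
import json
import re
from typing import Any, Callable, Dict, List

# Constructed rule file in the shape the README describes (one file per category).
RULES_JSON = r"""
[
  {"id": "EXEC-001", "name": "Encoded PowerShell command",
   "description": "powershell.exe launched with an encoded command argument",
   "severity": "high", "enabled": true, "logic": "AND",
   "conditions": [
     {"field": "process_name", "operator": "equals", "value": "powershell.exe"},
     {"field": "command_line", "operator": "matches",
      "value": "(?i)-e(nc(odedcommand)?)?\\s+[A-Za-z0-9+/=]{20,}"}
   ]},
  {"id": "DISC-001", "name": "Host/user discovery utility",
   "description": "Common enumeration binaries or net user usage",
   "severity": "low", "enabled": true, "logic": "OR",
   "conditions": [
     {"field": "process_name", "operator": "in",
      "value": ["whoami.exe", "systeminfo.exe", "tasklist.exe"]},
     {"field": "command_line", "operator": "contains", "value": "net user"}
   ]},
  {"id": "C2-001", "name": "Outbound connection to port 4444",
   "description": "Disabled on purpose: shows that enabled=false is skipped",
   "severity": "medium", "enabled": false, "logic": "AND",
   "conditions": [
     {"field": "network_connection", "operator": "equals", "value": "4444"}
   ]}
]
"""

# Constructed events using the field names the README mentions; `seq` is just a
# sequence number for this example, not a Sysmon EventID.
EVENTS: List[Dict[str, Any]] = [
    {"seq": 1, "process_name": "powershell.exe",
     "command_line": "powershell.exe -NoP -W Hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"seq": 2, "process_name": "whoami.exe", "command_line": "whoami /all"},
    {"seq": 3, "process_name": "cmd.exe", "command_line": "cmd.exe /c net user admin Passw0rd /add"},
    {"seq": 4, "process_name": "powershell.exe", "command_line": "powershell.exe -File backup.ps1"},
    {"seq": 5, "process_name": "svchost.exe", "network_connection": 4444},
]


def _norm(value: Any) -> str:
    # Normalise to a lowercase string so "4444" (rule) equals 4444 (event). Assumption.
    return str(value).lower()


# Operator table: actual event value on the left, rule value on the right.
OPERATORS: Dict[str, Callable[[Any, Any], bool]] = {
    "equals":   lambda actual, expected: _norm(actual) == _norm(expected),
    "contains": lambda actual, expected: _norm(expected) in _norm(actual),
    "matches":  lambda actual, expected: re.search(str(expected), str(actual)) is not None,
    "in":       lambda actual, expected: _norm(actual) in {_norm(x) for x in expected},
}


def condition_matches(cond: Dict[str, Any], event: Dict[str, Any]) -> bool:
    """Evaluate one condition; unknown operators are a rule-authoring error."""
    op = OPERATORS.get(cond["operator"])
    if op is None:
        raise ValueError(f"rule uses unknown operator {cond['operator']!r}")
    if cond["field"] not in event:
        return False  # field not populated for this event type
    return op(event[cond["field"]], cond["value"])


def rule_matches(rule: Dict[str, Any], event: Dict[str, Any]) -> bool:
    """Combine the rule's conditions with its AND/OR logic; disabled rules never fire."""
    if not rule.get("enabled", True):
        return False
    results = [condition_matches(c, event) for c in rule["conditions"]]
    logic = rule.get("logic", "AND").upper()
    if logic == "AND":
        return all(results)
    if logic == "OR":
        return any(results)
    raise ValueError(f"rule {rule['id']} has unknown logic {logic!r}")


def evaluate(rules: List[Dict[str, Any]], events: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Run every enabled rule over every event and return one alert per hit."""
    alerts = []
    for event in events:
        for rule in rules:
            if rule_matches(rule, event):
                alerts.append({"seq": event["seq"], "rule_id": rule["id"],
                               "severity": rule["severity"], "name": rule["name"]})
    return alerts


def run_demo() -> List[Dict[str, Any]]:
    return evaluate(json.loads(RULES_JSON), EVENTS)


if __name__ == "__main__":
    for alert in run_demo():
        print(f"[{alert['severity']}] event {alert['seq']}: {alert['rule_id']} {alert['name']}")
```

Running it yields three alerts: `EXEC-001` on event 1 (both AND conditions hold), and `DISC-001` on events 2 and 3 (one OR branch each). Event 4 shows why the encoded-command check anchors on the `-e`/`-enc`/`-EncodedCommand` switch followed by a base64 run rather than on `powershell.exe` alone, and event 5 produces nothing because `C2-001` is disabled. Whether the real engine normalises types and case the same way is not stated in the README, so check that before relying on a port rule written as a string.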
Testing rules
Use the repository script `Invoke-EdrDetectionPenTest.ps1` to trigger benign activity that exercises many of the rules. Run it as Administrator on a host where Sysmon is installed and enabled, then confirm that the expected rules fired.