The Infocyte platform is a cloud-based threat detection and incident response platform for endpoints (workstations and servers) and cloud applications such as Microsoft 365. In addition to the analysis performed natively by the Infocyte platform and its multiple malware scanners, users can customize detection criteria to fit their own needs using the dynamic rules engine.
The service performs analysis on the stream of incoming data as it arrives at the cloud platform. Rule processing happens in the cloud, so there is no impact on endpoints or individual instances. Atomic rules are applied to individual events, which are fed into the engine as JSON documents; Correlation Rules (coming soon) are applied to a series of events or alerts. The engine's output is a boolean match per rule, which can fire an alert or describe a behavior that was observed.
The Infocyte Query Language (IQL) is the custom language used to build rules. It is powerful yet familiar, and simple enough for non-programmers to learn.
This repository contains:
Infocyte Query Language (IQL) is a custom language whose syntax is loosely based on JavaScript and related programming languages. The goal of the language is to be familiar, easy to learn and obvious. As with any language, there are some things to know right out of the gate:
While the syntax may look familiar, the features of other languages are not present. IQL's express purpose is to give non-programmers an extremely fast and efficient way of describing equality statements.
IQL is flexible and designed to be simple to interact with. Copying and pasting things like Windows paths is ergonomic: there is no escape character to worry about, and strings are just strings. The trade-off is that a string literal cannot contain its own delimiting quote; if you have to escape something, use the regex() function.
After logging into your Infocyte instance (with an administrator role), navigate to Admin->Rules.
Here you can create new rules or edit/remove existing ones.
Rules can also be set to active or inactive; an inactive rule is skipped during analysis.
Rules contain two parts: a conditional statement and an action.
Conditional statements are written in IQL, which closely resembles JavaScript. They can use boolean operators (&&, ||), grouping of conditions, exclusions, and a set of functions that make them easy to write against our data types. More information on IQL is found below.
Actions are what happens when a rule matches an item.
- Alert - adds an entry for the matched item to the Alert Inbox within the Infocyte application
- Flag (coming soon) - attaches a specific flag to the item in the Infocyte application
- Respond (coming soon) - initiate a response action on the endpoint using an Infocyte Extension
Rules are processed against the data collected from the endpoint, but the engine is flexible enough to work on any arbitrary JSON-formatted documents that are fed into it.
All data types contain a type field, and any collection involving files that reside on disk will have properties like path, md5, sha1, sha256, etc.
Simple rules can be written using basic equality/inequality checks:
path == "c:\users\john\malware.exe"
Complex combinations can also be used:
path == "c:\users\john\malware.exe" ||
(path == "c:\users\*\ignore-me.exe" && parentPath != "c:\windows\system32\explorer.exe")
A few functions make it simpler to manipulate and work with the data at hand:
lowercase(): transforms a string or a field to its lowercase form. Given an input item:
{
"path": "c:\\windows\\system32\\notepad.exe",
"commandLine": "c:\\windows\\system32\\notepad.exe c:\\users\\joe\\Documents\\Passwords.TXT"
}
All of these work:
path == lowercase("C:\windows\System32\NotePad.EXE")
lowercase(commandLine) == "c:\windows\system32\notepad.exe c:\users\joe\documents\passwords.txt"
lowercase("StRIng") == lowercase("stRing")
uppercase(): transforms a string or field to its uppercase form; see lowercase().
regex(): provides PCRE-compliant regular-expression matching. Given an input item:
{
"path": "c:\\windows\\system32\\notepad.exe",
"commandLine": "c:\\windows\\system32\\notepad.exe c:\\users\\joe\\Documents\\Passwords.TXT"
}
This will work:
path == regex(".*notepad\.exe")
iregex(): convenience wrapper for case-insensitive PCRE-compliant regular-expression matching. Given an input item:
{
"path": "c:\\windows\\system32\\notepad.exe",
"commandLine": "c:\\windows\\system32\\notepad.exe c:\\users\\joe\\Documents\\Passwords.TXT"
}
This will work:
commandLine == iregex("\.txt")
Which is equivalent to:
commandLine == regex("(?i)\.txt")
date(): provides date parsing and comparison operations. It will parse several formats:
yyyy-mm-dd
yyyy-mm-dd HH:MM
yyyy-mm-dd HH:MM:SS
yyyy-mm-ddTHH:MM:SSZ (ISO 8601 format)
date('2020-01-01') < date('2021-01-01')
This operation works on fields as well:
date(createdOn) > date('2021-01-01')
today(): the current date/time stamp, for use in date comparisons:
date(createdOn) > today()
trailingDays(n): a date/time stamp n days prior to today.
The following matches any created date within the last 30 days:
date(createdOn) > trailingDays(30)
cidr(): generates a network CIDR for matching IP data. The following matches connections whose remote address is outside 192.168.1.0/24:
type == "connection" && remote_addr != cidr("192.168.1.0/24")
privateIp(): compares an IP address against the private and loopback ranges. The following matches every connection whose remote address is neither loopback nor private:
type == "connection" && remote_addr != privateIp()
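To make the rule semantics above concrete (the equality and boolean syntax with grouping, quoted strings taken literally with no escape character, and the lowercase/uppercase, regex/iregex, date/today/trailingDays and cidr/privateIp helpers), here is a small evaluator that runs IQL-style rules against JSON-decoded events. It is an added illustration written for this page, not Infocyte's engine or any code from the project, and the names evaluate, functions, compare and the parser helpers are its own. Where the page is silent it assumes: plain == is case-sensitive, regex() is an unanchored search (which is what makes the iregex("\.txt") example match), a bare name is a top-level key of the event and reads as None when absent (so a missing field never matches), and the `*` in the page's "c:\users\*\ignore-me.exe" example is treated as a literal character because the page does not define wildcard semantics.

```python
"""Illustrative IQL-style rule evaluator added for this page; it is not Infocyte's engine. Assumptions:
== is case-sensitive, regex() is an unanchored search, a bare name is a top-level event key (None if absent)."""
import re
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# No escape character: a string literal runs from a quote to the next quote of the same kind.
TOKEN = re.compile(r"""\s*(?:(?P<op>&&|\|\||==|!=|[<>(),])|"(?P<dq>[^"]*)"|'(?P<sq>[^']*)'"""
                   r"""|(?P<num>\d+)|(?P<ident>[A-Za-z_]\w*)|(?P<bad>\S))""")

def parse_date(s):  # the page's four formats; naive values are taken as UTC
    if s is None or isinstance(s, datetime):  # a missing field stays None and never matches
        return s
    for fmt in ("%Y-%m-%d", "%Y-%m-%d %H:%M", "%Y-%m-%d %H:%M:%S", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(str(s), fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    raise ValueError(f"unparseable date {s!r}")

# regex()/iregex()/cidr()/privateIp() return predicates; == applies one and != negates it.
def rx(pattern, flags=0):
    return lambda v: v is not None and re.search(pattern, str(v), flags) is not None
def ip_pred(check):
    def test(v):  # a missing field or a non-IP value never matches
        try:
            return check(ip_address(str(v)))
        except ValueError:
            return False
    return test
def cidr(spec):
    net = ip_network(spec, strict=False)
    return ip_pred(lambda ip: ip in net)
def functions(now):
    return {"lowercase": lambda s: str(s).lower(), "uppercase": lambda s: str(s).upper(),
            "regex": rx, "iregex": lambda p: rx(p, re.IGNORECASE), "date": parse_date,
            "today": lambda: now, "trailingDays": lambda n: now - timedelta(days=int(n)),
            "cidr": cidr, "privateIp": lambda: ip_pred(lambda ip: ip.is_private or ip.is_loopback)}

def compare(op, a, b):
    if callable(a) or callable(b):  # a predicate on either side
        pred, val = (a, b) if callable(a) else (b, a)
        if op not in ("==", "!="):
            raise TypeError("regex/cidr/privateIp results support only == and !=")
        a, b = pred(val), True
    if op in ("==", "!="):
        return (a == b) == (op == "==")
    return a is not None and b is not None and (a < b if op == "<" else a > b)  # None never orders

# Recursive-descent parser that evaluates as it parses; || binds loosest, then &&, then comparisons.
def peek(toks, op):
    return bool(toks) and toks[0] == ("op", op)
def take(toks, op=None):
    if not toks or (op and not peek(toks, op)):
        raise SyntaxError(f"expected {op or 'a value'}, found {toks[:1]}")
    return toks.pop(0)
def expr(toks, env):
    return chain(toks, env, "||", lambda: chain(toks, env, "&&", lambda: cmp(toks, env)))
def chain(toks, env, op, sub):  # sub (op sub)*, combined left to right
    r = sub()
    while peek(toks, op):
        take(toks)
        rhs = sub()
        r = (r or rhs) if op == "||" else (r and rhs)
    return r
def cmp(toks, env):  # "(" expr ")" | value op value
    if peek(toks, "("):
        take(toks)
        r = expr(toks, env)
        take(toks, ")")
        return r
    left = value(toks, env)
    kind, op = take(toks)
    if kind != "op" or op not in ("==", "!=", "<", ">"):
        raise SyntaxError(f"expected a comparison operator, got {op!r}")
    return compare(op, left, value(toks, env))
def value(toks, env):  # number | quoted string | event field | function(args)
    event, fns = env
    kind, v = take(toks)
    if kind in ("op", "bad"):
        raise SyntaxError(f"unexpected {v!r}")
    if kind != "ident":
        return int(v) if kind == "num" else v  # quoted strings are taken literally
    if not peek(toks, "("):
        return event.get(v)  # bare name = event field; missing -> None
    take(toks)
    args = []
    while not peek(toks, ")"):
        args.append(value(toks, env))
        if peek(toks, ","):
            take(toks)
    take(toks, ")")
    return fns[v](*args)  # KeyError names an unknown function

def evaluate(rule, event, now=None):  # True when the rule matches one event (a JSON-decoded dict)
    toks = [(m.lastgroup, m.group(m.lastgroup)) for m in TOKEN.finditer(rule)]
    result = expr(toks, (event, functions(now or datetime.now(timezone.utc))))
    if toks:
        raise SyntaxError(f"unexpected {toks[0][1]!r} after the rule")
    return result
```

evaluate('type == "connection" && remote_addr != privateIp()', {"type": "connection", "remote_addr": "8.8.8.8"}) returns True, and the same rule against a 10.x or 127.0.0.1 address returns False. The single tokenizer regex is what makes the no-escape rule cheap: a string is whatever sits between two matching quotes, so a Windows path pastes in unchanged, at the price that a literal cannot contain its own delimiter. Two behaviours are assumptions worth confirming on a real instance before building detections on them: whether regex() is anchored (this evaluator searches anywhere in the value, so the leading .* in the page's notepad example is redundant) and whether plain == ignores case (here it does not, so path == "C:\Windows\..." will not match a lowercase path; wrap one side in lowercase() as the page does).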