To create a D&R rule based on artifacts, specify target: artifact in the detection. The example detection & response rule below checks artifacts: it looks for references to private URLs in proxy logs, and generates a detection when a reference is found.

#Detection

target: artifact
op: contains
path: /text
value: /corp/private/info

#Response

- action: report
  name: web-proxy-private-url

The operators and actions that can be used in D&R rules written for target: artifact are specified here.
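
To see which log lines the rule above would report before deploying it, the following added example (not LimaCharlie's own code or engine) approximates the rule locally in Python. The proxy log lines are constructed, and the assumptions are that each line is exposed to the rule as a record with a text field and that contains is a case-sensitive substring test.

```python
# Added illustration: a local approximation of the rule above, not LimaCharlie's engine.
RULE = {
    "detect": {"target": "artifact", "op": "contains",
               "path": "/text", "value": "/corp/private/info"},
    "respond": [{"action": "report", "name": "web-proxy-private-url"}],
}

# Constructed proxy log lines (not real data).
SAMPLE_LINES = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET http://intranet.example/corp/private/info/q3.pdf HTTP/1.1" 200 5120',
    '10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET http://www.example.org/index.html HTTP/1.1" 200 812',
    '10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET http://intranet.example/corp/public/info HTTP/1.1" 200 90',
    '10.0.0.5 - - [01/Jan/2024:10:00:09 +0000] "GET http://intranet.example/CORP/Private/Info HTTP/1.1" 200 77',
]

def get_path(record, path):
    """Resolve a slash-separated path such as /text inside a nested dict."""
    node = record
    for key in path.strip("/").split("/"):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def evaluate(rule, records):
    """Return one detection per record whose field contains the rule value."""
    detect = rule["detect"]
    if detect["op"] != "contains":
        raise ValueError("only the 'contains' operator is modelled here")
    names = [r["name"] for r in rule["respond"] if r["action"] == "report"]
    detections = []
    for index, record in enumerate(records):
        field = get_path(record, detect["path"])
        # Assumption: 'contains' is modelled as a case-sensitive substring test.
        if isinstance(field, str) and detect["value"] in field:
            detections.extend({"name": n, "line": index, "text": field} for n in names)
    return detections

def run_sample():
    # Assumption: each log line is exposed to the rule as {"text": <line>}.
    return evaluate(RULE, [{"text": line} for line in SAMPLE_LINES])

if __name__ == "__main__":
    for d in run_sample():
        print(d["name"], "line", d["line"], "->", d["text"])
```

Only the first sample line is reported. The /corp/public/info line and the upper-case variant do not match in this model, which is the kind of near miss worth checking against real proxy logs when choosing the value.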
