Rules

Rules in Astral define the correlation logic used to detect security-relevant activity across ingested data. They are responsible for evaluating events from multiple sources, identifying patterns, and determining when a set of conditions represents a potential security incident. Rules are a core component of Astral’s detection engine, enabling the transformation of raw telemetry into actionable security signals.

Astral uses YARA as its rule language, allowing precise and expressive definition of detection logic. By leveraging YARA, rules can evaluate structured and normalized event data, apply logical conditions, and match complex behavioral patterns across logs, network activity, and other telemetry sources. This approach provides flexibility while maintaining consistency and transparency in detection logic.

Correlation rules in Astral are not limited to single events. They can link multiple events over time, across different data sources, and from distinct parts of the environment. This enables detection of advanced threats that unfold in stages, such as reconnaissance followed by lateral movement or privilege escalation. By correlating related signals, Astral increases detection accuracy and reduces reliance on isolated alerts.

When a rule is triggered, Astral generates a structured detection that can be enriched, prioritized, and forwarded to Inopli’s Response and RPA capabilities. This ensures that rule-based detections are immediately operationalized, supporting identification, investigation, and automated response. Through YARA-based rules, Astral provides a powerful and adaptable framework for continuous threat detection within the Inopli ecosystem.

Below is a consolidated and market-aligned list of security monitoring categories, derived from widely used models and common SOC/SIEM practices. The categories are normalized to be vendor-neutral and suitable for use in Astral documentation and rule taxonomy.

Security Monitoring Categories

Abusive Content: Monitoring of activities related to the distribution or use of abusive, illegal, or policy-violating content, including spam campaigns, phishing messages, and other forms of content abuse that may impact users or the organization’s reputation.

Malicious Code: Detection of malware-related activity, including viruses, trojans, ransomware, spyware, worms, and other malicious software. This category covers execution, propagation, command-and-control communication, and indicators of compromise associated with malicious code.

Information Gathering: Identification of reconnaissance and intelligence-gathering activities aimed at collecting information about systems, networks, users, or services. This includes scanning, enumeration, fingerprinting, and discovery techniques that often precede an attack.

Intrusion Attempts: Monitoring of failed or blocked attempts to compromise systems or services. This category includes brute-force attempts, exploitation attempts, authentication failures, and other actions that indicate an effort to gain unauthorized access without confirmed success.

Intrusions: Detection of confirmed or highly probable unauthorized access to systems, applications, or data. This includes successful exploitation, privilege escalation, lateral movement, and persistence mechanisms indicating that an attacker has breached the environment.

Availability Issues: Identification of events that impact or threaten service availability. This includes denial-of-service conditions, resource exhaustion, service crashes, and other incidents that degrade or interrupt normal operations.

Security Control Failures: Monitoring of failures, misconfigurations, or bypasses of security mechanisms. This category includes disabled controls, failed updates, policy violations, logging failures, and weaknesses in authentication, authorization, or monitoring systems.

Fraud: Detection of fraudulent activity involving misuse of systems, identities, or resources for financial or operational gain. This includes account takeover, payment fraud, abuse of legitimate services, and other actions intended to deceive or cause loss.

Account and Identity Misuse: Monitoring of abnormal or suspicious use of user or service accounts, including credential abuse, privilege misuse, anomalous login behavior, and violations of identity and access policies.

Data Exposure and Leakage: Identification of unauthorized access, transfer, or exposure of sensitive data. This includes data exfiltration attempts, accidental exposure, misconfigured storage, and leakage through external channels.

Policy and Compliance Violations: Detection of activities that violate organizational policies, regulatory requirements, or acceptable use standards. This category focuses on governance-related risks rather than direct exploitation.

Third-Party and Supply Chain Risk: Monitoring of security-relevant events originating from or affecting third parties, partners, or external services. This includes compromised integrations, exposed dependencies, and externally driven risk signals.

This categorization provides a structured and standards-aligned framework for organizing Astral detection rules, alerts, dashboards, and incident reporting, while remaining flexible enough to adapt to different regulatory, operational, and threat-model requirements.
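As an added illustration of how a YARA rule can carry correlation logic over normalized events and record the category above as rule metadata (example code written for this page, not a rule shipped with Astral): it assumes the engine presents a rule with a batch of events serialized as compact JSON, one event per line, so that YARA's string-count operator counts events across the batch, and the field names "service", "event_type", "outcome" and "reason" are assumed, not Astral's documented schema. The same failure burst is classified as "Intrusion Attempts" while no login succeeds and as "Intrusions" once one does, which is the distinction the two categories draw.

```yara
// Added example (not an Astral-shipped rule set). Assumes a batch of
// normalized events as compact JSON, one per line, scanned as one buffer,
// so "#" counts how many events in the batch contain a given field value.
// Field names below are assumed and not taken from Astral's schema.

private rule ssh_password_failure_burst
{
    strings:
        $svc_ssh  = "\"service\":\"sshd\""
        $auth_evt = "\"event_type\":\"authentication\""
        $failure  = "\"outcome\":\"failure\""
        $inval    = /"reason":"invalid_user"/
    condition:
        $svc_ssh and $auth_evt
        and (#failure >= 10 or #inval >= 3)   // many failures, or several unknown usernames
}

rule example_ssh_bruteforce_attempt
{
    meta:
        description = "Burst of failed SSH logins with no successful login in the batch"
        category    = "Intrusion Attempts"
        severity    = "medium"
    strings:
        $success = "\"outcome\":\"success\""
    condition:
        ssh_password_failure_burst and not $success   // effort without confirmed success
}

rule example_ssh_bruteforce_success
{
    meta:
        description = "Burst of failed SSH logins followed by a successful login in the same batch"
        category    = "Intrusions"
        severity    = "high"
    strings:
        $success = "\"outcome\":\"success\""
    condition:
        ssh_password_failure_burst and $success       // highly probable unauthorized access
}
```

The private rule is evaluated only through the two public rules that reference it, so a single failure burst yields exactly one detection, filed under whichever category the batch supports.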
