Custom Rules
Custom rules let you write detection logic specific to your tenant — patterns Burrow's built-in rule catalog does not cover. Each custom rule is a small expression evaluated against per-user counters on every detection pass, just like the built-in rules. When the expression is true, an alert fires.
This article walks the structure of a custom rule, the counters available, and a few example rules to copy.
When you need a custom rule
The built-in rules cover the common adversary techniques mapped to MITRE ATT&CK. Reach for a custom rule when:
- You have a tenant-specific risk — e.g. "any access from a known competitor's external domain" or "downloads from the M&A site by anyone outside the deal team."
- You want to combine signals the built-in rules do not combine — e.g. "at least 10 share operations AND at least 3 distinct external domains in the same window."
- You are piloting a detection idea before requesting it as a built-in.
For a one-user noise problem, use an entity exception, not a custom rule. For a built-in rule with the wrong threshold, use a per-rule override.
Where to add a custom rule
- Open the Burrow dashboard → Rules in the left navigation.
- Scroll to the Custom rules section.
- Click Add custom rule.
- Fill in the fields described below.
- Save. The rule evaluates from the next detection pass onward.
Custom rule fields
- Category name — short snake_case identifier that appears as the alert's category field. Pick something descriptive and tenant-specific so it does not collide with built-in names. Example: bulk_download_anon_share_chain, mna_site_external_access.
- Severity — Critical / High / Medium / Low / Info. Pick based on the operator response you want; see Alert severity meanings.
- MITRE technique — the MITRE ATT&CK ID this rule represents. Example: T1567.002 for cloud exfiltration, T1083 for discovery / recon. See MITRE ATT&CK technique reference.
- Condition expression — the boolean expression that fires the alert. See counters below.
- Reason text — operator-facing note explaining the intent of the rule. Required.
Counters available in the expression
Each counter is the value for one user over the current detection window (around 10 minutes by default). Use them in boolean expressions like bytes_downloaded > 1073741824 AND anon_links >= 1.
| Counter | What it counts |
|---|---|
| events | Total audit events for the user. |
| modified | File modifications. |
| downloaded_manual | Manually-initiated file downloads (excludes OneDrive sync). |
| downloaded_sync | OneDrive sync downloads. |
| bytes_downloaded | Total bytes downloaded (any download type). |
| uploaded | File uploads. |
| deleted | File deletions. |
| distinct_files | Unique files touched. |
| distinct_sites | Unique SharePoint sites touched. |
| labeled_files | Files with Microsoft Information Protection labels. |
| label_changes | Sensitivity-label modifications. |
| sharing_ops | Total sharing operations. |
| anon_links | Anonymous share links created. |
| external_shares | Shares to non-internal domains. |
| external_domains | Distinct external domains shared with. |
| org_links | Organisation-wide share links. |
| perm_ops | Permission modifications. |
| n_user_ips | Distinct source IPs. |
| n_geos | Distinct source geographies. |
| apps | List of client applications used (use with contains). |
| unmanaged_events | Events from non-compliant devices. |
| tor_events | Events from Tor exit-node IPs. |
| threat_intel_events | Events from threat-intelligence-listed IPs. |
| sensitive_events | Events on sensitive sites. |
Operators: <, <=, >, >=, =, !=, AND, OR, NOT, contains.
Example custom rules
Bulk download with external sharing in same window
Detects an account that pulls down a meaningful volume of files AND creates external share links in the same window — classic data-staging-before-exfil pattern.
- Category: bulk_download_with_external_share
- Severity: High
- MITRE: T1567.002
- Expression: bytes_downloaded > 524288000 AND external_shares >= 1
- Reason: "Tenant-specific detection: at least 500 MB downloaded plus at least one external share in the same window."
High geographies + new site access combo
A signal that combines lateral-movement and impossible-travel hints.
- Category: cross_geo_new_site
- Severity: High
- MITRE: T1078.004
- Expression: n_geos >= 3 AND new_site_count >= 5
- Reason: "User accessing new sites from multiple geographies in the same window."
Tor or threat-intel IP with any modification activity
- Category: bad_ip_modification
- Severity: Critical
- MITRE: T1071
- Expression: (tor_events >= 1 OR threat_intel_events >= 1) AND (modified >= 1 OR deleted >= 1)
- Reason: "Critical: write activity from a Tor or threat-intel-listed IP."
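To see how the counters, the operators listed above and the three example rules fit together, here is a small evaluator for the expression language. It is an added illustration written for this article, not Burrow's own code, and it makes assumptions the article does not state: operator precedence (OR loosest, then AND, then NOT, then a single comparison), that comparisons take a plain integer on the right, that contains takes a double-quoted string, and that a reference to a counter the window does not carry is an authoring error that fails loudly rather than evaluating as 0. The counter new_site_count, which the second example uses but the counter table does not list, is treated as just another counter the caller supplies; all counter values in the test are constructed, not real tenant data.

```python
import operator
import re

# Token classes of the article's expression language; the final (\S) group catches junk.
TOKEN_RE = re.compile(r'\s*(?:(\d+)|"([^"]*)"|([A-Za-z_]\w*)|(<=|>=|!=|<|>|=)|([()])|(\S))')
KINDS = ("num", "str", "id", "op", "paren")
KEYWORDS = {"AND", "OR", "NOT", "CONTAINS"}
CMP_OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt,
           ">=": operator.ge, "=": operator.eq, "!=": operator.ne}

def tokenize(expr):
    """Split an expression into (kind, value) tokens; keywords are case-insensitive."""
    tokens = []
    for m in TOKEN_RE.finditer(expr):
        idx, value = m.lastindex, m.group(m.lastindex)
        if idx == 6:
            raise ValueError(f"unexpected character {value!r} in {expr!r}")
        if idx == 3 and value.upper() in KEYWORDS:
            tokens.append(("kw", value.upper()))
        else:
            tokens.append((KINDS[idx - 1], int(value) if idx == 1 else value))
    return tokens

class Parser:
    """Recursive descent; assumed precedence, loosest to tightest: OR, AND, NOT, comparison."""
    def __init__(self, expr):
        self.toks, self.i = tokenize(expr), 0
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)
    def take(self):
        tok = self.peek()
        if tok == (None, None):
            raise ValueError("unexpected end of expression")
        self.i += 1
        return tok
    def parse(self):
        node = self.parse_or()
        if self.i != len(self.toks):
            raise ValueError(f"trailing tokens: {self.toks[self.i:]}")
        return node
    def parse_or(self):
        return self.binary("OR", self.parse_and)
    def parse_and(self):
        return self.binary("AND", self.parse_not)
    def binary(self, keyword, operand):
        node = operand()
        while self.peek() == ("kw", keyword):
            self.take()
            node = (keyword.lower(), node, operand())
        return node
    def parse_not(self):
        if self.peek() == ("kw", "NOT"):
            self.take()
            return ("not", self.parse_not())
        return self.parse_cmp()
    def parse_cmp(self):
        if self.peek() == ("paren", "("):
            self.take()
            node = self.parse_or()
            if self.take() != ("paren", ")"):
                raise ValueError("missing closing parenthesis")
            return node
        kind, name = self.take()
        if kind != "id":
            raise ValueError(f"expected a counter name, got {name!r}")
        (okind, op), (vkind, value) = self.take(), self.take()
        if (okind, op, vkind) == ("kw", "CONTAINS", "str"):
            return ("contains", name, value)        # apps contains "Browser"
        if (okind, vkind) == ("op", "num"):
            return ("cmp", op, name, value)         # counter <op> integer
        raise ValueError(f"bad comparison for counter {name!r}")

def evaluate(node, counters):
    """Evaluate a parsed tree against one user's counters for one detection window."""
    kind, *args = node
    if kind == "or":
        return evaluate(args[0], counters) or evaluate(args[1], counters)
    if kind == "and":
        return evaluate(args[0], counters) and evaluate(args[1], counters)
    if kind == "not":
        return not evaluate(args[0], counters)
    name = args[1] if kind == "cmp" else args[0]
    if name not in counters:    # assumed: an undefined counter is an authoring error
        raise KeyError(f"unknown counter {name!r}")
    if kind == "contains":
        return args[1] in counters[name]
    return CMP_OPS[args[0]](counters[name], args[2])

def rule_fires(expression, counters):
    return bool(evaluate(Parser(expression).parse(), counters))

# The three example rules from the article, as (category, expression) pairs.
EXAMPLE_RULES = [
    ("bulk_download_with_external_share", "bytes_downloaded > 524288000 AND external_shares >= 1"),
    ("cross_geo_new_site", "n_geos >= 3 AND new_site_count >= 5"),
    ("bad_ip_modification",
     "(tor_events >= 1 OR threat_intel_events >= 1) AND (modified >= 1 OR deleted >= 1)"),
]

def fired_categories(counters, rules=EXAMPLE_RULES):
    """Category names of every rule that fires for this window, in rule order."""
    return [category for category, expression in rules if rule_fires(expression, counters)]
```

Feed fired_categories a dict of counters for one user window and it returns the category names that would appear on the Alerts page for that window. Parsing a draft expression with Parser(expr).parse() before saving it catches a misspelt counter or an unbalanced parenthesis up front; evaluating it against a few hand-built windows is a cheap way to confirm the threshold does what the Reason text claims before the rule goes live.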
After saving — what to watch
- The first detection pass after saving evaluates your rule. If it fires, alerts appear on the Alerts page with your category name.
- Watch for false-positive volume in the first few days. Tune by raising thresholds, narrowing the condition, or adding entity exceptions for known-noisy users.
- If you want to see what the rule WOULD have caught over the last week before going live, use Rule replay to evaluate it against historical data.
Editing and deleting
The Custom rules section lists every saved rule. Each row has Edit and Delete buttons. Edits take effect on the next detection pass; deletes stop the rule from evaluating going forward. Both actions are logged on the History page.
See also
- Tuning a noisy rule — including custom-rule tuning.
- Rule replay — preview a custom rule against historical data.
- Rule catalog — see what is already covered before writing a custom rule.
Need help? support@smikar.com.