Skip Navigation

Paths

Paths define how the CAE interprets the flow of multiple state objects within a rule. You use paths when a rule consists of multiple state objects (also known as a multistate rule). States define the flow of a CAE rule and allow
CylanceOPTICS
to statefully observe a series of events that occur on a device. These represent a "1, then 2, then 3" scenario that might occur.
If a rule has one state object only, you don't need to use a paths object. Rules consist of a single state object and do not explicitly require the use of the paths object. Rules that do utilize the paths object do so for explicit definition only (not for rule functionality).
In the following examples, two state objects are used, NewSuspiciousFile and CertUtilDecode. Each state has its own set of logic.
Example 1
: In the following configuration, the CAE will look for an event that satisfies the NewSuspiciousFile state. When that state is satisfied, the CAE will look for an event that satisfies the CertUtilDecode state.
"Paths": [ { "StateNames": [ "NewSuspiciousFile", "CertUtilDecode" ] } ],
Example 2
: In the following configuration, the CAE will look for an event that satisfies the CertUtilDecode state, then the NewSuspiciousFile state.
"Paths": [ { "StateNames": [ "CertUtilDecode", "NewSuspiciousFile" ] } ],
Example 3
: In the following configuration, the CAE will look for an event that satisfies the NewSuspiciousFile state or the CertUtilDecode state. This is helpful when states have different filter object sets. In this example, NewSuspiciousFile uses a File Write filter and CertUtilDecode uses a process Start filter.
"Paths": [ { "StateNames": [ "CertUtilDecode" ] }, { "StateNames": [ "NewSuspiciousFile" ] } ],