Help configuring the Corporate EDR Version - Printable Version +- GETOVERX FORUM Community Support (https://forum.getoverx.com) +-- Forum: getoverx Shield (https://forum.getoverx.com/forumdisplay.php?fid=1) +--- Forum: EDR (https://forum.getoverx.com/forumdisplay.php?fid=6) +--- Thread: Help configuring the Corporate EDR Version (/showthread.php?tid=140)

Help configuring the Corporate EDR Version - thomasb4083 - 02-18-2026 Hello community, I’m configuring the EDR module and I see it supports rule lists (import/export). I’d like to expand the baseline rules safely without causing false positives or system instability. Where do you recommend sourcing reliable rule ideas or detection guidance? For example: CISA advisories, NIST recommendations, MITRE ATT&CK mappings, or other reputable public resources that can be translated into EDR rules. Any suggestions or rule pack structures you’ve tested in real endpoints would be appreciated. Thanks! RE: Help configuring the Corporate EDR Version - mrwebfeeder - 02-18-2026 GetOverX Shield implements detection logic informed by publicly available security guidance and frameworks such as CISA advisories, NIST recommendations, and MITRE ATT&CK technique mapping. Rules are validated for stability and are intended to support a defense-in-depth posture. Where applicable, GetOverX Shield aligns its default policies and recommended rule sets with widely adopted defensive measures promoted for private-sector and home environments in public guidance from these organizations (e.g., hardening practices, suspicious execution patterns, and monitored behaviors). These references are used as guidance sources, and any publicly available guidance from U.S. agencies can be used to build rules. Just keep in mind that overly restrictive rules may increase false positives, so we recommend starting in “log-only” mode and tightening gradually. Examples: {   "id": "P-LOG-USERZONES",   "enabled": true,   "name": "Log suspicious execution from user writable zones",   "match": { "pathInSuspiciousZones": true },   "action": "logOnly",   "notifyUser": true } {   "id": "P-ALLOW-SIGNED",   "enabled": true,   "name": "Allow signed baseline apps",   "match": {     "processNameIn": ["chrome.exe", "msedge.exe", "onedrive.exe"],     "requireSignature": true   },   "action": "allow" } {   "id": "P-KILL-CONFIRMED",   "enabled": true,   "name": "Kill confirmed unwanted tool",   "match": {     "processNameIn": ["psexec.exe"],     "pathInSuspiciousZones": true   },   "action": "kill",   "notifyUser": true } As a corporate user, you can request additional rule sets through a support ticket in your Client Area. Tell us your environment (endpoints, critical apps, and desired enforcement level), and we’ll provide the rules you need in a stable, validated format.