Modify Detection Rules

You can modify detection rules to better suit the needs of your team and your environment. In the Detection Rule Library tab of the Detection Rules page, click into a detection rule to open the rule details peek panel. Here, you can customize the rule by:

You can also refer to the Relative Activity score to help you determine which detection rules may benefit from customization.

Modifying detection rules as an MDR customer

If you are a Managed Detection and Response (MDR) customer, the Rapid7 SOC team manages the tuning of supported detection rules to your environment. You can still modify custom and contextual rules, including changing the Rule Action and Rule Priority and adding exceptions. You can also filter detection rules to show only custom and contextual rules, or only those managed by the MDR SOC, by using the Detection Rule Category filter on the Detection Library tab.

Change Rule Action

You can configure the Rule Action to change how InsightIDR reacts when a detection occurs.

Available Rule Actions include:

  • Creates Investigations automatically creates an investigation in InsightIDR when a detection occurs. Use this option when you want to open an investigation if a certain event happens. You can also configure email notifications when investigations are created.
  • Creates Alert automatically creates an alert in InsightIDR when a detection occurs. Use this option when you want to be notified about potentially suspicious behavior, which might need further investigation.
    • This option is currently available to Managed Detection and Response (MDR) customers only. As an MDR customer, you can set the Creates Alert Rule Action for custom and contextual detection rules. You can work with the Rapid7 SOC to set the Rule Action for managed detection rules.
  • Tracks Notable Events automatically adds a notable event to related investigations when a detection occurs. Use this option for events that might provide additional context to help you understand the activity that has occurred.
  • Assess Activity tracks the number of detections that occur and generates a relative activity score over the next 7 days. After 7 days, an Assessment Report is created and the Rule Action is automatically switched off, unless you manually change it. The detection data is not used in investigations. Use this option for events where you would like to track detection activity, but do not want to be notified.
  • Off means rules are not tracked or used in InsightIDR. Use this option for events you do not want to track.

To change the Rule Action:

  1. Select a detection rule to open the rule details panel.
  2. In the dropdown, select the Rule Action to apply.

To change the Rule Action in bulk:

  1. Select the checkboxes in the Detection Rule Library table for the detection rules you’d like to make changes to. At this time, you can only select detection rules visible on your current page. Navigating to another page or applying filters will clear your current selections.
  2. Bulk action options will appear. Choose the Rule Action you’d like to apply across your selected detection rules.
  3. A confirmation message will appear, indicating your changes were made successfully.

Change Rule Priority

Rule Priority is applied to investigations created by the detection rule. You can configure the Rule Priority to sort and filter your investigations by those most important to your organization.

To change the Rule Priority:

  1. Open the rule details peek panel by clicking on a detection rule.
  2. In the Rule Priority dropdown, select from one of these options: Critical, High, Medium, Low or Unspecified.

To change the Rule Priority in bulk:

  1. Select the checkboxes in the Detection Rule Library table for the detection rules you’d like to make changes to. At this time, you can only select detection rules visible on your current page. Navigating to another page or applying filters will clear your current selections.
  2. Bulk action options will appear. In the Rule Action dropdown, you must select Creates Investigations to be able to apply a priority.
  3. Select the priority you’d like to apply from the Rule Priority dropdown.
  4. A confirmation message will appear, indicating your changes were made successfully.

Explore and manage exceptions

Exceptions associated with a given detection rule can be added and managed from the rule details panel. Existing exceptions can be managed individually from this panel or on the Exceptions page. Visit Detection Rule Exceptions for details.

Bulk actions only available on the Exceptions page

You can only delete or edit exceptions in bulk from the Exceptions page.

Add exceptions

You can add exceptions to modify the rule action and priority of investigations created by the rule for specific users, assets, IP addresses, etc.

Step 1: Open the rule details panel

  1. From the Detection Rule Library, find and select the detection rule you want to add an exception for. The rule details panel opens.
  2. Click the Exceptions tab.
  3. Click Create New Exception.

Step 2: Review content in your environment that matched this Detection Rule

If the logic of this rule has matched content in your environment, you can review data from recent alerts and notable events caused by the detection(s). This matched data can help you determine which key value pairs you’d like to add an exception for.

After expanding an alert or event payload, you can click Add key-value pair to exception to add that pair to your exception automatically. If you would like to edit these key-value pairs or add new ones, you can do so in Step 4.

Step 3: Select an exception-level Rule Action and Priority

Select an exception-level Rule Action from the dropdown menu to determine how InsightIDR should react when your exception conditions are met. This setting overrides the rule-level action of the Detection Rule.

If you select Creates Investigations as the exception-level rule action, you can optionally select an exception-level priority for investigations created from the key-value pair(s) you define. If you choose not to select an exception-level priority, your exception will inherit the rule priority.

Step 4: Define exception logic

You can define the logic of your exception with key-value pairs or a Log Entry Query Language (LEQL) query.

Define exception logic with key-value pairs

Enter the details for one or more key-value pairs that you would like to add an exception for. A key-value pair consists of two elements: a key that defines the data set and a value that belongs to the set.

Use these best practices when specifying key-value pairs:

  • Use exception operators to define the relationship between the key and the value. You can also add multiple pairs using the AND operator by clicking Add key-value pair.
  • When entering your key-value pair, you do not need to include quotes or escape special characters by using backslashes. For example, if your value is written in a JSON file as "C:\\windows\\command.exe", you should enter C:\windows\command.exe into the value field. If you do escape special characters when entering your value, a message will pop up giving you the option to remove them.

Add nested key-value pairs

If your key-value pair is nested within other keys, use a period to define the path. For example, in the following data set, owner, description, and author are nested under the key exe_file, which is nested under process:

```json
{
  "process": {
    "start_time": "2021-10-08T19:07:21.075Z",
    "name": "ADLWRCT.exe",
    "pid": 13800,
    "session": 64,
    "exe_file": {
      "owner": "NT AUTHORITY\\SYSTEM",
      "description": "Adware products",
      "author": "LunarWinds"
    }
  }
}
```

If you wanted to add an exception for author, you would enter process.exe_file.author under key and LunarWinds under value.

Exception operators

Use exception operators to define the relationship between a key and a value in a key-value pair. Select the checkbox to activate or deactivate case-sensitive operators.

| Operator | Description |
| --- | --- |
| is | The key-value pair will be excluded from the rule action when the value is the specified text. |
| contains | The key-value pair will be excluded from the rule action when the value contains the specified text. |
| starts with | The key-value pair will be excluded from the rule action when the value starts with the specified text. |
| ends with | The key-value pair will be excluded from the rule action when the value ends with the specified text. |
| matches regex | The key-value pair will be excluded from the rule action when the value matches the specified regex. |
| matches CIDR | The key-value pair will be excluded from the rule action when the value falls within the specified CIDR range. |
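As an added example that is not InsightIDR's own code, the following Python evaluates key-value-pair exception logic the way this page describes it: period-delimited paths for nested keys, the six operators from the table, pairs ANDed together, and the case-sensitive toggle, with an Affected/Unaffected preview over sample payloads. The function names, the constructed `source_address` field, the case-sensitive default and the use of unanchored `re.search` for the regex operator are assumptions.

```python
import ipaddress
import re

# Constructed sample payload modelled on the page's nested "process" example;
# "source_address" is an added key so the CIDR operator can be exercised.
SAMPLE_PAYLOAD = {
    "process": {
        "start_time": "2021-10-08T19:07:21.075Z",
        "name": "ADLWRCT.exe",
        "pid": 13800,
        "session": 64,
        "exe_file": {"owner": "NT AUTHORITY\\SYSTEM", "description": "Adware products", "author": "LunarWinds"},
    },
    "source_address": "10.20.30.40",
}


def lookup(payload, dotted_key):
    """Resolve a period-delimited key such as process.exe_file.author."""
    node = payload
    for part in dotted_key.split("."):
        if not isinstance(node, dict) or part not in node:
            return None  # absent keys never satisfy an exception condition
        node = node[part]
    return node


def condition_matches(actual, operator, expected, case_sensitive=True):
    """Apply one exception operator from the table to a resolved value (case-sensitive default is an assumption)."""
    if actual is None:
        return False
    if operator == "matches CIDR":
        try:
            return ipaddress.ip_address(str(actual)) in ipaddress.ip_network(expected, strict=False)
        except ValueError:  # non-IP value or malformed CIDR
            return False
    if operator == "matches regex":  # assumption: unanchored search semantics
        return re.search(expected, str(actual), 0 if case_sensitive else re.IGNORECASE) is not None
    a, e = (str(actual), str(expected)) if case_sensitive else (str(actual).lower(), str(expected).lower())
    ops = {"is": a == e, "contains": e in a, "starts with": a.startswith(e), "ends with": a.endswith(e)}
    if operator not in ops:
        raise ValueError(f"unknown exception operator: {operator}")
    return ops[operator]


def exception_applies(payload, pairs, case_sensitive=True):
    """Pairs added with Add key-value pair are ANDed: every (key, operator, value) must match."""
    return all(condition_matches(lookup(payload, k), op, v, case_sensitive) for k, op, v in pairs)


def preview(payloads, pairs, case_sensitive=True):
    """Label past payloads Affected/Unaffected, as the Exception Preview modal does."""
    return ["Affected" if exception_applies(p, pairs, case_sensitive) else "Unaffected" for p in payloads]
```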

Define exception logic using a LEQL query

Click the Convert to LEQL button to write your exception logic using a LEQL query. Any key-value pairs that you have entered for this exception are added to your new query.

Reverting to key-value pair mode clears your query

You can click Revert to key-value pairs to return to key-value pair mode. This clears all data from your query, and any exception logic you have entered is lost.

Preview your exception

Click Preview to see how your exception would have affected past payloads generated by this Detection Rule.

The Exception Preview modal opens and populates with the 20 most recent payloads from the last 30 days containing the key-value pair(s) you entered. This payload data was generated by alerts and notable events when the rule logic for this Detection Rule matched data in your environment.

Payloads are labeled Affected and Unaffected to indicate whether your exception would have caused a different Rule Action or Rule Priority to apply had the exception been in effect. For example, if your exception sets the Rule Action to Suppress Activity, the alerts corresponding to affected payloads would have been suppressed.

You can also modify the view to better find what you are looking for:

  • Use the Show dropdown to see either Affected or Unaffected payloads or both.
  • Click Select keys to show to display only specified keys within the payload.
  • Click Collapse all dates or use the caret buttons for each individual payload to hide the payload data and only display an overview.

Step 5: Add a name and a note

Enter an Exception Name, and optionally add a note to provide additional context about your exception.

Click Create Exception to save.

Edit exceptions

You can edit an exception after it has been created.

To edit an exception:

  1. Navigate to Detection Rules > Detection Rule Library.
  2. Open the rule details panel by clicking a detection rule.
  3. Navigate to the Exceptions tab.
  4. Click Edit (pencil icon) for the exception you want to edit.
  5. Make modifications as necessary.
  6. Optionally, provide a note describing the change.
  7. Click Save changes.

Delete exceptions

Deleting exceptions is permanent and cannot be undone.

To delete an exception:

  1. Navigate to Detection Rules > Detection Rule Library.
  2. Open the rule details panel by clicking a detection rule.
  3. Navigate to the Exceptions tab.
  4. Click Delete (trashcan icon) for the exception you want to delete.
  5. Optionally, provide a note describing the change.
  6. Click Delete.

View exception matches

When data in your environment matches the key-value pairs defined by your exception, an Exception Match is recorded. This value indicates how many times the exception has matched and overridden the rule-level Action and Priority selections.

To view total exception matches for a Detection Rule:

  1. Navigate to Detection Rules > Detection Rule Library.
  2. Search or filter for a particular exception.

The number of exception matches is displayed in the main table.

To view exception matches for a given exception:

From the rule details panel

  1. Navigate to Detection Rules > Detection Rule Library.
  2. Open the rule details panel by clicking a Detection Rule.
  3. Navigate to the Exceptions tab.

The number of matches is displayed in the header for each exception.

From the Exceptions tab

  1. Navigate to Detection Rules > Exceptions.
  2. Search or filter for a particular exception.

The number of exception matches is displayed in the main table.

View assessment reports

Assessment reports are generated for exceptions after the 7-day Assess Activity period is complete. To configure Assess Activity, you can change the Rule Action for Detection Rules and exceptions. Assess Activity allows you to:

  • Evaluate the activity that a Detection Rule generates to ensure the rule is not creating unnecessary noise. After the 7-day Assess Activity period, the rule is automatically switched off, unless you manually change the Rule Action.
  • Evaluate how an exception would affect the number of detections generated to ensure the exception is performing as expected. After the 7-day Assess Activity period, the exception is automatically deactivated, unless you manually change the Rule Action.

To view assessment reports:

For a given rule

Navigate to Detection Rules > Detection Rule Library, and then click a Detection Rule to open the rule details panel. Click Assessment Reports.

Looking for assessment activity?

If you want to view assessment activity, open the Modification History tab on the rule details panel.

For all Detection Rules

Navigate to Detection Rules > Detection Rule Library, and then click Assessment Reports > Detection Rules.

For a given exception

Navigate to Detection Rules > Exceptions, and then click an exception to open the Exception Details panel. Click Assessment Reports.

Looking for assessment activity?

If you want to view assessment activity, open the Audit Log tab on the Exception Details panel.

For all exceptions

Navigate to Detection Rules > Exceptions, and then click Assessment Reports > Exceptions.

Understand Relative Activity

Relative Activity is a score of 1-1000 given to each detection rule that is calculated based on these parameters:

  • How often the Rule Logic matches data in your environment per asset.
  • How often the Rule Logic matches data in your environment per minute.
  • How often the Rule Logic matches data in your environment relative to other detection rules.
  • How often a detection rule is throttled relative to other rules.

The score is calculated over a rolling 24-hour period, and takes into account any exceptions that switch off the rule and any threshold conditions that have been set.

You can use the Relative Activity score to:

  • Identify detection rules that are set to Assess Activity that might cause frequent investigations or notable events if the Rule Action is changed.
  • Determine which detection rules may benefit from additional tuning by adding exceptions or configuring the Rule Action.

We are continuing to evaluate Relative Activity

The Relative Activity score may evolve over time as Rapid7 refines its capabilities and analyzes additional use cases.