Modify ABA Detection Rules

You can modify ABA Detection Rules to better suit the needs of your team and your environment. On the Attacker Behavior Analytics tab of the Detection Rules page, click into a detection rule to open the Rule Details peek panel. Here, you can view additional context, change the rule action, modify the rule priority, and add exceptions to the rule.

Change Rule Action

You can configure the Rule Action to change how InsightIDR reacts when a detection occurs.

Detection rules are automatically configured with one of three Rule Actions:

  • Creates Investigations will automatically create an Investigation in InsightIDR when a detection occurs. You can configure your Profile Settings to send email alerts when Investigations are created. Use this option when you would like to be notified of events when they happen.
  • Tracks notable events will automatically add a notable event to related Investigations when a detection occurs. Use this option for events that you would like to be aware of when reviewing activity but do not wish to be notified of.
  • Off means rules are not tracked or used in InsightIDR. Use this option for events you do not wish to track.

To change the Rule Action:

  1. Open the Rule Details peek panel by clicking on a detection rule.
  2. In the Rule Action dropdown, choose Creates Investigations, Tracks Notable Events, or Off for the detection rule.

Change Rule Priority

Rule Priority is applied to investigations created by the detection rule. You can configure the Rule Priority to sort and filter your investigations by those most important to your organization.

We are rolling out Rule Priority starting October 2021

Over the next few weeks, we are releasing Rule Priority within the rule details panel of Detection Rules. This feature will allow you to configure the priority level of your detection rules and investigations. Scroll through this section for a sneak peek of the updates.

To change the Rule Priority:

  1. Open the Rule Details peek panel by clicking on a detection rule.
  2. In the Rule Priority dropdown, select one of these options: Critical, High, Medium, Low, or Unspecified.

Add exceptions

You can add exceptions to detection rules to modify the rule action and the priority of investigations created by the rule for specific users, assets, IP addresses, etc. For example, you may want to add exceptions to:

  • Increase the Rule Action to Creates Investigations and increase the Rule Priority to Critical for events involving C-suite level users. Investigations created from these user events would appear on the Investigations page automatically sorted as Critical Priority.
  • Increase the Rule Action to Creates Investigations and increase the Rule Priority to High if an asset’s geolocation originates from specific countries. Investigations created from these assets’ events would appear on the Investigations page automatically sorted as High Priority.
  • Decrease the Rule Action to Tracks Notable Events or Off for events involving users who are authorized to perform those actions. Priority would not apply, as it only affects investigations.

Step 1: Open the rule details panel

  1. From the Detection Rules page, find and select the detection rule for which you want to add an exception. The Rule Details page opens.
  2. Click the Exceptions tab.
  3. Click the Create an Exception button. This is where you'll specify the exception details.

Step 2: Review content in your environment that matched this detection rule

If the logic of this rule has matched content in your environment, you can review data from recent alerts and notable events caused by the detection(s). This match data can help you determine which key-value pairs you’d like to add an exception for.

You can hover over the desired key-value pairs and click the Add key-value pair to exception button to automatically add them to your exception. If you would like to edit these key-value pairs, or add new ones, you can do so in Step 4: Add key-value pairs.

Step 3: Select an exception-level Rule Action and Priority

We are rolling out exception-level Rule Action and Priority starting October 2021

Over the next few weeks, we are releasing additional functionality for creating exceptions. You will soon be able to create exceptions to modify the Rule Action and Rule Priority for the key-value pairs you specify. Scroll through this section for a sneak peek of the updates.

Select an exception-level rule action from the dropdown options to determine how InsightIDR should react when your exception conditions are met. You can choose to create an investigation, track a notable event, or switch off the rule for the key-value pair(s) you specify. This setting will override the rule-level action of the detection rule.

If you select “Creates Investigations” as the exception-level rule action, you can optionally select an exception-level priority for investigations created from the key-value pair(s) you define. If you choose not to select an exception-level priority, your exception will inherit the rule priority.

Step 4: Add key-value pairs

A key-value pair consists of two elements: a key, which names the field in the event data, and a value, which is the text the field's contents are compared against.

To add key-value pairs:

Enter the details for one or more key-value pairs that you would like to add an exception for. Use these best practices when specifying key-value pairs:

  • Review the match content generated by this detection rule to hover over key-value pairs and easily add them to your exception.
  • Use exception operators to define the relationship between the key and the value. You can also add multiple pairs using the AND operator by clicking the Add key-value pair button.
  • When entering your key-value pair, you do not need to include quotes or escape special characters by using backslashes. For example, if your value is written in a JSON file as "C:\\windows\\command.exe", you should enter C:\windows\command.exe into the value field. If you do escape special characters when entering your value, a message will pop up giving you the option to remove them.

To add nested key-value pairs:

If your key-value pair is nested within other keys, use a period to define the path. For example, in the following data set, owner, description, and author are nested under the key exe_file, which is nested under process:

    {
      "process": {
        "start_time": "2021-10-08T19:07:21.075Z",
        "name": "ADLWRCT.exe",
        "pid": 13800,
        "session": 64,
        "exe_file": {
          "owner": "NT AUTHORITY\\SYSTEM",
          "description": "Adware products",
          "author": "LunarWinds"
        }
      }
    }

If you wanted to add an exception for author, you would enter process.exe_file.author as the key and LunarWinds as the value.

Step 5: Add a name and a note

Enter an Exception Name, and optionally add a note to provide additional context about your exception.

Click Create Exception to save.

Exception Operators

Use exception operators to define the relationship between a key and a value in a key-value pair. Select the checkbox to activate or deactivate case-sensitive operators.

Case-sensitive operators

Operator        Description
IS              The key-value pair will be excluded from the rule action when the value is the specified text.
CONTAINS        The key-value pair will be excluded from the rule action when the value contains the specified text.
STARTS-WITH     The key-value pair will be excluded from the rule action when the value starts with the specified text.

Case-insensitive operators

Operator        Description
ICONTAINS       The key-value pair will be excluded from the rule action when the value case-insensitively contains the specified text.
ISTARTS-WITH    The key-value pair will be excluded from the rule action when the value case-insensitively starts with the specified text.
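The following is an added example, not InsightIDR's own code: it models how an exception built in Step 4 is evaluated with the operators above against the nested process event shown earlier (period-separated key paths, AND across pairs, the exception-level action overriding the rule action, and priority inheritance from Step 3). The sample event and both exceptions are constructed here, and the matching semantics are an approximation of the documented behaviour.

```python
import json

# Constructed sample event, built from the nested "process" example on this page.
SAMPLE_EVENT = json.loads(r"""
{"process": {"start_time": "2021-10-08T19:07:21.075Z", "name": "ADLWRCT.exe",
             "pid": 13800, "session": 64,
             "exe_file": {"owner": "NT AUTHORITY\\SYSTEM",
                          "description": "Adware products", "author": "LunarWinds"}}}
""")

# The five exception operators listed on this page; v is the event value, t the entered text.
OPERATORS = {
    "IS":           lambda v, t: v == t,
    "CONTAINS":     lambda v, t: t in v,
    "STARTS-WITH":  lambda v, t: v.startswith(t),
    "ICONTAINS":    lambda v, t: t.lower() in v.lower(),
    "ISTARTS-WITH": lambda v, t: v.lower().startswith(t.lower()),
}

def lookup(event, dotted_key):
    """Resolve a period-separated path such as process.exe_file.author; None if absent."""
    node = event
    for part in dotted_key.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

def pair_matches(event, key, operator, value):
    """True when the event's value at `key` satisfies `operator` against the entered text."""
    actual = lookup(event, key)
    return actual is not None and OPERATORS[operator](str(actual), value)

def exception_matches(event, pairs):
    """Several pairs in one exception are combined with AND."""
    return all(pair_matches(event, k, op, v) for k, op, v in pairs)

def effective_action(event, rule_action, rule_priority, exceptions):
    """(action, priority): the first matching exception overrides the rule-level action; an
    investigation-creating exception with no priority of its own inherits the rule priority."""
    for exc in exceptions:
        if exception_matches(event, exc["pairs"]):
            if exc["action"] == "Creates Investigations":
                return exc["action"], exc.get("priority") or rule_priority
            return exc["action"], None   # priority only applies to investigations
    return rule_action, rule_priority

# Constructed exception. "NT AUTHORITY\\" is Python escaping for the text NT AUTHORITY\
# (one backslash, no JSON escaping), which is what you would type into the value field.
VENDOR_EXCEPTION = {"action": "Tracks notable events", "pairs": [
    ("process.exe_file.author", "IS", "LunarWinds"),
    ("process.exe_file.owner", "STARTS-WITH", "NT AUTHORITY\\")]}
```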

Edit exceptions

You can edit an exception after it has been created.

  1. Open the Rule Details peek panel by clicking on a detection rule and navigate to the Exceptions tab.
  2. Click the pencil icon for the exception you would like to edit.
  3. Make your desired modifications and click Save changes.

Delete exceptions

Deleting exceptions is permanent and cannot be undone.

  1. Open the Rule Details peek panel by clicking on a detection rule and navigate to the Exceptions tab.
  2. Click the trash icon for the exception you would like to delete.
  3. In the pop-up, confirm that you would like to delete the exception.