Modify Detection Rules

You can modify Detection Rules to better suit the needs of your team and your environment. Follow these steps to modify Attacker Behavior Analytics (ABA) detection rules and User Behavior Analytics (UBA) detection rules.

Modify ABA Detection Rules

On the Attacker Behavior Analytics tab of the Detection Rules page, click into a detection rule to open the Rule Details peek panel. Here, you can view additional context, change the rule action and create exceptions to the rule.

Change Rule Action

You can configure the Rule Action to change how InsightIDR reacts when a detection occurs.

Detection rules are automatically configured with one of three Rule Actions:

  • Creates Investigations will automatically create an Investigation in InsightIDR when a detection occurs. With this action, Log Search will also track a notable event. You can configure your Profile Settings to send email alerts when Investigations are created. Use this option when you would like to be notified of events when they happen.
  • Tracks notable events will log detections in Log Search whenever they occur. No Investigation is created and no email will be sent. Use this option for events that you would like to be aware of when reviewing activity but do not wish to be notified of.
  • Off means rules are not tracked or used in InsightIDR. Use this option for events you do not wish to track.

To change the Rule Action:

  1. Open the Rule Details peek panel by clicking on a detection rule.
  2. In the Rule Action dropdown, select Creates Investigations, Tracks Notable Events, or Off.

Add exceptions

You can add exceptions to switch off detection rules under specified conditions.

  1. Open the Rule Details peek panel by clicking on a detection rule and navigate to the Exceptions tab.
  2. Click the Create New Exception button.
  3. Add key-value pairs that you would like to be excluded from the detection rule action. A key-value pair consists of two elements: a key which defines the data set, and a value that belongs to the set. You can use exception operators to define the relationship between the key and the value in a key-value pair. You can also add multiple pairs using the AND operator by clicking the Add key-value pair button.
  4. Optionally, enter an Exception Name and add a note to provide additional context about your exception.
  5. Click Create Exception.

Exception Operators

Use exception operators to define the relationship between a key and a value in a key-value pair. Select the checkbox to activate or deactivate case-sensitive operators.

Case-sensitive operators

Operator       Description
IS             The key-value pair will be excluded from the rule action when the value is the specified text.
CONTAINS       The key-value pair will be excluded from the rule action when the value contains the specified text.
STARTS-WITH    The key-value pair will be excluded from the rule action when the value starts with the specified text.

Case-insensitive operators

Operator       Description
ICONTAINS      The key-value pair will be excluded from the rule action when the value case-insensitively contains the specified text.
ISTARTS-WITH   The key-value pair will be excluded from the rule action when the value case-insensitively starts with the specified text.
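The following is an added example, not Rapid7's code, that models how the exception key-value pairs and operators described above combine: each pair is evaluated with one of the five operators, the pairs of one exception are joined with AND, and any matching exception suppresses the rule action. The event field names (hostname, process_path) and the behaviour for a key missing from the event are assumptions for illustration.

```python
# Added example (not Rapid7's code): evaluator for ABA rule exceptions as the
# page describes them. An exception is a list of key-value pairs joined by AND;
# each pair uses one of the page's operators. Field names are constructed.
from dataclasses import dataclass

# Case-sensitive operators
CASE_SENSITIVE = {
    "IS": lambda actual, expected: actual == expected,
    "CONTAINS": lambda actual, expected: expected in actual,
    "STARTS-WITH": lambda actual, expected: actual.startswith(expected),
}
# Case-insensitive operators: compare after lower-casing both sides
CASE_INSENSITIVE = {
    "ICONTAINS": lambda actual, expected: expected.lower() in actual.lower(),
    "ISTARTS-WITH": lambda actual, expected: actual.lower().startswith(expected.lower()),
}
OPERATORS = {**CASE_SENSITIVE, **CASE_INSENSITIVE}

@dataclass(frozen=True)
class Condition:
    key: str        # the data set the pair refers to, e.g. a field of the detection
    operator: str   # one of the operators in OPERATORS
    value: str      # the text the field is compared against

def condition_matches(cond: Condition, event: dict) -> bool:
    """True when the event's field satisfies this single key-value pair."""
    if cond.key not in event:
        return False  # assumption: a missing key never matches, so the rule still fires
    return OPERATORS[cond.operator](str(event[cond.key]), cond.value)

def exception_applies(conditions: list, event: dict) -> bool:
    """Pairs are joined with AND: every pair must match for the exception to apply."""
    return bool(conditions) and all(condition_matches(c, event) for c in conditions)

def should_take_action(exceptions: list, event: dict) -> bool:
    """The rule action is suppressed if any configured exception applies."""
    return not any(exception_applies(conds, event) for conds in exceptions)

# Constructed sample: except a known vulnerability scanner host from the rule,
# but only when the process runs from the scanner's install directory.
SCANNER_EXCEPTION = [
    Condition("hostname", "IS", "vulnscan01"),
    Condition("process_path", "ISTARTS-WITH", r"c:\program files\scanner"),
]

# Constructed events: the first is excepted, the second still triggers the rule
SCANNER_EVENT = {"hostname": "vulnscan01", "process_path": r"C:\Program Files\Scanner\engine.exe"}
OTHER_HOST_EVENT = {"hostname": "ws-042", "process_path": r"C:\Program Files\Scanner\engine.exe"}
```

Keep exception conditions as narrow as the AND-joined pairs allow, since a broad IS or ICONTAINS match on a single key silently suppresses every detection that shares that value.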

Edit exceptions

You can edit an exception after it has been created.

  1. Open the Rule Details peek panel by clicking on a detection rule and navigate to the Exceptions tab.
  2. Click the pencil icon for the exception you would like to edit.
  3. Make your desired modifications and click Save changes.

Delete exceptions

Deleting exceptions is permanent and cannot be undone.

  1. Open the Rule Details peek panel by clicking on a detection rule and navigate to the Exceptions tab.
  2. Click the trash icon for the exception you would like to delete.
  3. In the pop-up, confirm you would like to delete the exception.

Modify UBA Detection Rules

Terminology Update

As of August 2021, we updated the terminology related to Rule Actions to be more accessible, clear, and consistent:

  • Rule Action has replaced Type as the column title
  • Creates Investigations has replaced Alert
  • Tracks Notable Events has replaced Notable Behavior
  • Off has replaced Disabled

On the User Behavior Analytics tab of the Detection Rules page, you can configure the Rule Action to change how InsightIDR reacts to certain user behaviors.

UBA rules appear in alphabetical order and are automatically configured with one of three Rule Actions:

  • Creates Investigations will automatically create an Investigation in InsightIDR when a detection occurs. With this action, Log Search will also track a notable event. You can configure your Profile Settings to send email alerts when Investigations are created. Use this option when you would like to be notified of events when they happen.
  • Tracks notable events will log detections in Log Search whenever they occur. No Investigation is created and no email will be sent. Use this option for events that you would like to be made aware of when reviewing activity but do not wish to be notified of.
  • Off means rules are not tracked or used in InsightIDR. Use this option for events you do not wish to track.

To change the Rule Action:

In the Rule Action dropdown, select Creates Investigations, Tracks Notable Events, or Off.

Alert Count

When modifying built-in alerts, the "Count" column indicates the number of open investigations of that type that occurred in the last 28 days.