Modify UBA Detection Rules

Customize UBA detection rules to meet the needs of your team and your environment. Navigate to the User Behavior Analytics tab on the Detection Rules page to change the rule action and modify the rule priority.

Modifying UBA Detection Rules as an MDR customer

If you are a Managed Detection and Response (MDR) customer, you are able to change the Rule Action of UBA detection rules. To customize the Rule Priority, reach out to your Customer Advisor.

Change Rule Action

You can configure the Rule Action of UBA detection rules to change how InsightIDR reacts when certain user behaviors occur.

UBA rules appear in alphabetical order and are automatically configured with one of three Rule Actions:

  • Creates Investigations will automatically create an Investigation in InsightIDR when a detection occurs. You can configure your Profile Settings to send email alerts when Investigations are created. Use this option when you would like to be notified of events when they happen.
  • Tracks notable events will automatically add a notable event to related Investigations when a detection occurs. Use this option for events that you would like to be aware of when reviewing activity but do not wish to be notified of.
  • Off means rules are not tracked or used in InsightIDR. Use this option for events you do not wish to track.

To change the Rule Action:

Toggle the Rule Action dropdown to either Create Investigations, Tracks Notable Events, or be switched Off.

Change Rule Priority

Rule Priority is applied to investigations created by the detection rule. You can configure the Rule Priority to sort and filter your investigations by those most important to your organization.

To change the Rule Priority:

Toggle the Rule Priority dropdown to select one of these options: Critical, High, Medium, Low or Unspecified. Click Save to confirm your changes.

View Open Investigations

The Open Investigations column indicates the number of investigations of that type that occurred in the last 28 days.