Overview
Blumira’s SIEM platform detects and alerts on malicious behavior in your environment, as well as some non-threat events. All of the alerts rely on detection rules, which are the logic and the response actions behind our findings and their playbooks. When your organization sees findings in the app or as alerts, you can also see the detection rule name in the finding.
Reference: You can learn more about our approach to creating and maintaining detection rules in Blumira’s SIEM Detection Rules Explained.
Blumira automatically deploys new and updated rules to the app on a rolling basis. Almost all detection rules are enabled by default, but a small number of detection rules are deployed in a default-disabled state when Blumira's incident detection team determines that the rules generate noisy findings that are not likely to present threats.
Ensure that your organization is getting the coverage you need by managing the detection rules that are available for your integrated data sources.
Note: If a detection rule does not appear in the app, the data source has not been configured to send logs to Blumira. If you recently configured an integration, it can take 30 minutes for the rules to deploy to your account, so you may need to allow more time for that deployment process to finish.
How to know if you have active detection rules
One of the best ways to know if your detections are working properly is to run a test and receive a test finding. There are many cases where running a test is not possible or easy to do, though.
The Summary dashboard, which is visible to Administrators and Managers, includes a card that displays a total count of your active detection rules. The card shows “0” if you do not have any log sources configured.
If your organization has configured one or more data sources and Blumira is collecting logs, the number of active detection rules appears in the Summary dashboard, and you can click the card to view and search the list of enabled rules.
Why do default-disabled rules exist?
New detections are released as default-disabled when they generate noisy findings that are not likely to present threats. Every organization operates differently and what is unusual in one may be a standard operating procedure for another.
Example: The default-disabled detection rule called “Enabling or Unlocking of a User Account” detects when a Windows Active Directory account is enabled or unlocked. Some organizations may rarely enable or unlock accounts and would want to investigate this event if they receive an alert for it. Other organizations commonly enable or unlock numerous accounts on a daily basis. This event would not be uncommon or noteworthy to them and would likely not be worth an investigation. Using that same example, it is extremely unlikely in both cases that an investigation of this finding would result in the identification of an active threat.
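As an added illustration (not Blumira's own rule code) of how a default-disabled rule behaves before and after an Administrator enables it, the following evaluator applies two rules to constructed Windows Security events. It assumes the "Enabling or Unlocking of a User Account" rule matches event IDs 4722 (account enabled) and 4767 (account unlocked); the second, default-enabled rule is hypothetical and included only for contrast.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

Event = Dict[str, object]

@dataclass
class DetectionRule:
    name: str
    match: Callable[[Event], bool]  # True when an event satisfies the rule
    default_enabled: bool           # state the rule is deployed in
    enabled: bool                   # current state (changeable by an Administrator/Manager)

def account_enabled_or_unlocked(ev: Event) -> bool:
    # Windows Security log: 4722 = "A user account was enabled",
    # 4767 = "A user account was unlocked" (assumed matching logic for this rule).
    return ev.get("source") == "windows_security" and ev.get("event_id") in (4722, 4767)

def account_disabled(ev: Event) -> bool:
    # 4725 = "A user account was disabled" (hypothetical default-enabled rule).
    return ev.get("source") == "windows_security" and ev.get("event_id") == 4725

def build_rules() -> Dict[str, DetectionRule]:
    # Each rule starts in its default state, as deployed.
    rules = [
        DetectionRule("Enabling or Unlocking of a User Account",
                      account_enabled_or_unlocked, default_enabled=False, enabled=False),
        DetectionRule("User Account Disabled (hypothetical)",
                      account_disabled, default_enabled=True, enabled=True),
    ]
    return {r.name: r for r in rules}

def active_rule_count(rules: Dict[str, DetectionRule]) -> int:
    # Mirrors the Summary dashboard card: only enabled rules are counted.
    return sum(1 for r in rules.values() if r.enabled)

def evaluate(rules: Dict[str, DetectionRule], events: List[Event]) -> List[str]:
    # One "rule -> user" finding for every enabled rule that matches an event.
    return [f"{r.name} -> {ev['user']}" for ev in events
            for r in rules.values() if r.enabled and r.match(ev)]

# Constructed sample events (not real log data).
SAMPLE_EVENTS: List[Event] = [
    {"source": "windows_security", "event_id": 4722, "user": "jdoe"},    # account enabled
    {"source": "windows_security", "event_id": 4767, "user": "asmith"},  # account unlocked
    {"source": "windows_security", "event_id": 4725, "user": "bwong"},   # account disabled
    {"source": "windows_security", "event_id": 4624, "user": "jdoe"},    # ordinary logon
]

def demo() -> Dict[str, List[str]]:
    rules = build_rules()
    before = evaluate(rules, SAMPLE_EVENTS)
    rules["Enabling or Unlocking of a User Account"].enabled = True  # admin flips the switch
    return {"before": before, "after": evaluate(rules, SAMPLE_EVENTS)}
```

Before the switch is flipped, the enable and unlock events produce no findings at all; afterwards each one does, which is exactly the noise trade-off the default-disabled state is meant to let each organization decide for itself.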
Which rules are default-disabled?
Most integrations include detection rules that are only default-enabled, but there are several integrations for which one or more rules are disabled by default. You can review your currently disabled rules by using the search preset at the top of the Detection Rules page.
You can also click a specific rule and then click View details to see its current state and its default state.
Who can view the detection rules in your organization?
Blumira app Administrators, Managers, and Responders can view the Detection Rules page (Settings > Detection Rules) and each rule’s details. This means that anyone in your organization can review the settings. However, you must be an app Administrator or Manager to enable or disable rules in Blumira.
Finding and enabling a disabled detection rule
Note: Windowed detections are currently available in paid editions only.
To view the detection rules that are currently disabled:
- In Blumira, navigate to Settings > Detection Rules.
- In the Search preset box, click Disabled.
- Search, sort, filter, or click through the pages of results to find a specific rule.
- (Optional) Click a rule, then click View details to see a full summary including the default state of the rule.
- In the Detection Rules table, click the switch at the front of a rule’s row to enable it.
Note: The rule will be actively enabled within 10 minutes of changing the setting.