Quick Links

Requesting custom detection rules for your organization

Overview

If Blumira does not currently detect specific activity that your organization needs to be able to respond to, you can submit a request for a custom detection, and our Incident Detection Engineers will determine if it can be created for your organization. In some cases, creating a Scheduled Report is a preferred solution when you only need to monitor activity via the logs without responding to findings.

Note: After submitting a request, a Security Analyst will work with you to give an estimate of the feasibility and timing of your custom detection.

Requesting modifications to existing detection rules

Some of the existing rules may not meet the specific needs of your organization, although most of the logic is already in place. If you identify a specific event that your organization requires a detection for that is based on one of the existing rules, you can submit a request to Support and include these details:

  • Existing detection rule name
  • The values and/or conditions that you want added or changed
Note: Customization of priority and cooldown are options that users can configure directly in the app. See Setting priority and cooldown overrides for detection rules.

Requesting new rules

Creating a report

Before submitting a request for a new rule, determine which data and conditions should trigger the detection and appear in the finding. The best way to share those details is by creating and saving a report in Report Builder, then including the report name in your request.

To create the report, do the following:

  1. Navigate to Reporting > Report Builder.
  2. From the Data Sources list, select the source(s) of the logs that you want Blumira to detect on.
  3. Click Edit Report.
  4. Click Add Filter and enter the fields and values needed to drill down into the information for specific conditions.
  5. Click Submit to run the query.
  6. Save the new query to your Saved Reports list:
    1. Click Screenshot_2023-01-31_at_5.55.13_PM.png, then click Save & Schedule Report.
    2. In the Name of Query box, type a report name that is not already being used by another report.
    3. Click Save.
  7. (Optional) Run a test to verify your report is displaying the results you would like to trigger a finding in the app.

Submitting your request

Using the Support button at the bottom of this window, you can send a request for your custom detection and include the following information in the request:

  • The name of the report that you created
  • The priority and category you want your new detection rule to have (e.g., P2 Suspect).
    Note: All Risk detections must be P3, as described in About Blumira findings.

Additional information for MSPs

If you are an MSP that partners with Blumira, you can manage which sub-accounts will have a custom rule deployed to them, just like with global detection rules. See more details in Managing detection rules in bulk.