Overview
If Blumira does not currently detect specific activity that your organization needs to be able to respond to, you can submit a request for a custom detection, and our Incident Detection Engineers will determine if it can be created for your organization. In some cases, creating a Scheduled Report is a preferred solution when you only need to monitor activity via the logs without responding to findings.
Requesting modifications to existing detection rules
Some of the existing rules may not meet the specific needs of your organization, although most of the logic is already in place. If you identify a specific event that your organization requires a detection for that is based on one of the existing rules, you can submit a request to Support and include these details:
- Existing detection rule name
- The values and/or conditions that you want added or changed
Requesting new rules
Creating a report
Before submitting a request for a new rule, determine which data and conditions should trigger the detection and appear in the finding. The best way to share those details is by creating and saving a report in Report Builder, then including the report name in your request.
To create the report, do the following:
- Navigate to Reporting > Report Builder.
- From the Data Sources list, select the source(s) of the logs that you want Blumira to detect on.
- Click Edit Report.
- Click Add Filter and enter the fields and values needed to drill down into the information for specific conditions.
- Click Submit to run the query.
- Save the new query to your Saved Reports list:
- Click
, then click Save & Schedule Report.
- In the Name of Query box, type a report name that is not already being used by another report.
- Click Save.
- Click
- (Optional) Run a test to verify your report is displaying the results you would like to trigger a finding in the app.
Submitting your request
Using the Support button at the bottom of this window, you can send a request for your custom detection and include the following information in the request:
- The name of the report that you created
- The priority and category you want your new detection rule to have (e.g., P2 Suspect).
Note: All Risk detections must be P3, as described in About Blumira findings.
Additional information for MSPs
If you are an MSP that partners with Blumira, you can manage which sub-accounts will have a custom rule deployed to them, just like with global detection rules. See more details in Managing detection rules in bulk.