Quick Links

Requesting custom detection rules for your organization

Overview

If Blumira does not currently detect and create findings for a specific activity that your organization needs to be able to respond to, you can submit a request for a new detection, and our Incident Detection Engineers will determine if it can be created for your organization.

Note: Most custom detection requests are completed within 4 to 6 weeks. In some cases, creating a Scheduled Report, which does not create findings in the app, is a preferred solution when there is only a need to monitor activity without having to respond to and resolve finding workflows.

Requesting modifications to existing detection rules

Some of the existing rules may not meet the specific needs of your organization, although most of the logic is already in place. If you identify a specific event that your organization requires a detection for that is based on one of the existing rules, you can submit a request to Support and include these details:

  • Existing detection rule name
  • The values and/or conditions that you want added or changed

Requesting new rules

Before submitting a request for a new rule, determine which data and conditions should trigger the detection and appear in the finding. The best way to share those details is by creating and saving a report in Report Builder, then including the report name in your request.

To create the report:

  1. Navigate to Reporting > Report Builder.
  2. From the Data Sources list, select the source(s) of the logs that you want Blumira to detect on.
  3. Click Show Advanced.
  4. Click Add Filter and enter the fields and values needed to drill down into the information for specific conditions.
  5. Click Submit to run the query.
  6. Save the new query to your Saved Reports list:
    1. Click Screenshot_2023-01-31_at_5.55.13_PM.png, then click Save & Schedule Report.
    2. In the Name of Query box, type a report name that is not already being used by another report.
    3. Click Save.
  7. (Optional) Run a test to verify your report is displaying the results you would like to trigger a finding in the app.

Using the Support button at the bottom of this window, you can send a request for your custom detection and include the following information in the request:

  • the name of the report that you created
  • which priority and category you want the custom detection to have (e.g., P2 Suspect).
    Note: All Risk detections can only be P3, as described in About Blumira findings.