Overview
Blumira assigns every detection rule a default priority based on how urgent a resulting finding is, and a default cooldown, which is how long Blumira waits before creating another finding from the same detection rule. These defaults are tuned by Blumira's security team to fit most environments.
In some cases, you might want a detection to behave differently for your organization. For example, you might want to raise the priority of a detection that's especially important to you, or shorten the cooldown so you are alerted more often. You can tailor either setting on a per-rule basis using priority and cooldown overrides.
This article explains how to set, change, and remove these overrides.
Key terms
| Term | What it means |
|---|---|
| Priority | The urgency of a finding that the detection creates, shown as P1, P2, or P3, paired with a finding type of Threat or Suspect. |
| Cooldown | The time window (in hours) during which Blumira groups repeat activity into the existing finding instead of creating a new one. A cooldown of “0” means every match creates a new finding. |
| Blumira Default | The priority or cooldown that Blumira ships with the detection rule. This is used unless you set an override. |
Before you begin
You must have either the Manager or Administrator user role to manage detection rules.
An override applies to a single detection rule and does not change Blumira's defaults. When you set it for a single organization, it affects only that organization.
Setting a priority override
To override a detection rule’s default priority, do the following:
- In Blumira, navigate to Settings > Detection Rules.
- Find the detection you want to adjust and click the rule's row.
- In the context menu, click View details.
- In the Priority section, select Custom finding priority.
- Choose the finding priority and type you want as your default, such as "P2 Suspect."
- Click Save.
New findings will use your chosen priority and finding type. Findings created before the change are not affected.
Setting a cooldown override
To override a detection rule’s default cooldown, do the following:
- In Blumira, navigate to Settings > Detection Rules.
- Find the detection you want to adjust and click the rule name.
- In the action menu, click View details.
- In the Cooldown section, select Custom cooldown.
- Type a number of hours (from 0 to 48) that Blumira should wait before creating a new finding.
Tip: A "0" cooldown value (i.e., no cooldown) will create a new finding for every new match. A "1" cooldown will create new findings after one hour passes from the previous finding's creation.
- Click Save.
Reverting to Blumira's default setting
To revert to Blumira’s default setting, do the following:
- In Blumira, navigate to Settings > Detection Rules.
- Find the detection you want to adjust and click the rule name.
- In the action menu, click View details.
- In the Priority or Cooldown section, select Use Blumira Default.
- Click Save.
The detection immediately returns to Blumira's default setting.
How overrides behave
When you set an override, you can expect the following:
- Changes take effect within about a minute. After you save, allow up to 60 seconds for the new setting to apply to incoming activity.
- Only new findings are affected. Findings created before you saved keep their original priority and aren't reopened or re-grouped.
- A cooldown of 0 turns off grouping. Each match creates its own finding. Use this only for detections where you want to see every occurrence.
- Priority overrides can turn a monitor-only detection into a finding. Some detections are set to monitor only and don't normally create findings. If you apply a priority override to one, Blumira will begin creating findings for it at the priority you choose. Applying a priority override does not enable any automated blocking on its own.
- Overrides are independent. You can override priority, cooldown, both, or neither, and reverting both back to default removes the override entirely.
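The grouping and priority rules above (a cooldown window counted from the previous finding's creation, a cooldown of 0 creating a finding per match, and overrides shaping only findings created after you save) can be checked against a replayed stream of matches. The following simulation is an added example and is not Blumira's code; it takes only the grouping rule from this article, and the class names, the `override_saved_at` field, the choice to fix a finding's window at its creation time, and the sample match times are all assumptions made for illustration.

```python
"""Toy model of per-rule priority and cooldown overrides (added example).

This is not Blumira code. The grouping rule is the one the article states:
a match joins the existing finding while the cooldown window, counted from
the previous finding's creation time, is still open; otherwise it opens a
new finding, and a cooldown of 0 opens a new finding for every match.
Everything else (class names, the override_saved_at field, the decision to
fix the window at finding creation) is an assumption made for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

COOLDOWN_MIN_HOURS = 0
COOLDOWN_MAX_HOURS = 48  # the Custom cooldown field accepts 0 to 48 hours


def is_valid_cooldown(hours: int) -> bool:
    """Mirror the range the UI accepts for a custom cooldown."""
    return COOLDOWN_MIN_HOURS <= hours <= COOLDOWN_MAX_HOURS


@dataclass
class RuleSettings:
    """Blumira defaults for one detection rule plus the optional overrides."""
    default_priority: str                 # e.g. "P3 Suspect"
    default_cooldown_hours: int
    priority_override: Optional[str] = None
    cooldown_override: Optional[int] = None
    override_saved_at: Optional[datetime] = None  # assumed: when Save was clicked

    def _override_active(self, at: datetime) -> bool:
        # Overrides only shape activity that arrives after they were saved.
        return self.override_saved_at is None or at >= self.override_saved_at

    def priority_at(self, at: datetime) -> str:
        if self.priority_override is not None and self._override_active(at):
            return self.priority_override
        return self.default_priority

    def cooldown_at(self, at: datetime) -> int:
        hours = self.default_cooldown_hours
        if self.cooldown_override is not None and self._override_active(at):
            hours = self.cooldown_override
        if not is_valid_cooldown(hours):
            raise ValueError(f"cooldown must be 0-48 hours, got {hours}")
        return hours

    def use_blumira_default(self) -> None:
        """'Use Blumira Default' on both sections removes the override entirely."""
        self.priority_override = None
        self.cooldown_override = None
        self.override_saved_at = None


@dataclass
class Finding:
    created: datetime
    priority: str
    window_end: datetime           # matches before this time are grouped in
    matches: List[datetime] = field(default_factory=list)


def group_matches(match_times: List[datetime], settings: RuleSettings) -> List[Finding]:
    """Replay a stream of rule matches and return the findings it would produce."""
    findings: List[Finding] = []
    for t in sorted(match_times):
        if findings and t < findings[-1].window_end:
            findings[-1].matches.append(t)      # still inside the cooldown: group it
            continue
        hours = settings.cooldown_at(t)
        # A cooldown of 0 yields an empty window, so the next match opens a new finding.
        findings.append(Finding(created=t, priority=settings.priority_at(t),
                                window_end=t + timedelta(hours=hours), matches=[t]))
    return findings


def summarize(findings: List[Finding]) -> List[tuple]:
    """(creation time as HH:MM, priority, number of grouped matches) per finding."""
    return [(f.created.strftime("%H:%M"), f.priority, len(f.matches)) for f in findings]


# Constructed sample: six matches of one rule over a single day.
def _t(hour: int, minute: int) -> datetime:
    return datetime(2024, 1, 1, hour, minute)

SAMPLE_MATCHES = [_t(9, 0), _t(9, 20), _t(9, 50), _t(10, 30), _t(11, 45), _t(14, 0)]


if __name__ == "__main__":
    default = RuleSettings("P3 Suspect", default_cooldown_hours=1)
    print("default (1h): ", summarize(group_matches(SAMPLE_MATCHES, default)))
    no_cooldown = RuleSettings("P3 Suspect", 1, cooldown_override=0)
    print("cooldown 0:   ", summarize(group_matches(SAMPLE_MATCHES, no_cooldown)))
    raised = RuleSettings("P3 Suspect", 1, priority_override="P2 Suspect",
                          override_saved_at=_t(10, 0))
    print("P2 from 10:00:", summarize(group_matches(SAMPLE_MATCHES, raised)))
```

Running it with the sample matches shows the three behaviours side by side: the one-hour default folds the three 09:xx matches into a single finding, a cooldown of 0 produces six findings, and a priority override saved at 10:00 leaves the 09:00 finding at the default priority while every later finding gets the override.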