Quick Links

Understanding and managing detection rules

Overview

Blumira Incident Detection Engineers continuously create and manage detection rules that monitor your log data for threats, suspects, risks, and other operational activity in your environment. When those detections lead to a finding, we immediately send notifications to your team and provide detailed analysis with evidence to help you act on those findings.

Reference: See About Blumira findings for more information about what is included in a finding and how to respond to them. Also see Using Detection Filters to customize detections to learn how to allow safe activity to occur without triggering findings.

We automatically enable detection rules on your account based on the log types we receive from your organization and the latest cybersecurity research. Within 15 minutes of adding a new log source, you will see related detection rules appear in your account.

Note: There might be a detection delay between the time you begin shipping logs and the time a detection rule becomes active, with a 15-minute delay for default-enabled rules. Rules that are default-disabled require an administrator to activate them before detection is possible.

If you stop sending specific log data, after six months of not receiving that type, we remove the correlated detection rules from the account. If you begin to send that data later on, our system will re-deploy the detection rules to the account.

Windowed vs. real-time detections

Windowed detection rules are available in accounts with active subscriptions, and real-time detections are available to all accounts, including trials. This means that any rule with "Windowed" as the detection type in the rules table will be automatically disabled in trial accounts.

Screenshot 2024-03-14 at 4.02.19 PM.png

Detection rules that rely on “indicators” use a single event or piece of evidence to trigger a detection in real-time, while “windowed” rules require multiple pieces of evidence gathered within a set period of time. An example of an indicator is a connection from a public IP to a protocol like SSH. As soon as there is a connection from a public IP address to the port, which is port 22 in the SSH example, a detection will be triggered and finding is produced within seconds. This is a singular event in one log, unlike multiple logins across varying locations, for which detection would need to correlate multiple logs from a distinct timeframe.

Different attacks and vulnerabilities require windows of monitoring time that are most suitable for detecting the activity. Windowed detection rules can have windows that range from minutes to hours, based on the activity being detected. You can see the window information in the Rule Details for each rule.

Viewing and using detection rules

The Detection Rules page (Settings > Detection Rules) displays a list of all available detection rules for your organization. Rules are available only when your account logs the data types that are used by the rules. This means that Blumira hides rules for integrations that you do not use.

From Detection Rules, you can do the following:

  • See which detection rules are available on your account.
  • View details about each detection rule.
  • Enable and disable detection rules for your organization.
  • View and delete detection filters.

The Detection Rules table includes the following information:

Column Description
Enable/disable switch The indicator and control switch that you can use to turn a rule on or off.
Rule name The name of the detection rule.
Category The type of finding detected when the evidence is matched against conditions of the rule.
Priority The severity rating corresponding to the level of response needed.
Data type

The originating source of data used by the detection rule as determined by the integrations configured for your account.

Note: Blank entries in the data type denote multiple data sources, such as SonicWall traffic, Palo Alto traffic, and ASA traffic.

Analysis summary The description of the rule, including the conditions used to analyze the activity in event logs.
Filters

The count of active detection filters configured to allow specific values to be undetected, or allowlisted, by the rule.


Viewing details of a specific detection rule

You can view the full details about each detection rule to understand its purpose and default behavior, as well as see any active filters related to your findings.

To view a detection rule's details:

  1. Navigate to Settings > Detection Rules.
  2. Click the row of a rule in the list.
  3. In the action menu, click View details.
  4. In the Detection Rule window, see information in the Details tab or click Filters to view information about the detection rule’s filters.

The Detection Rule window displays the following information:

  • A Details tab:
    Detail Description
    Data source The name of the data source that the detection rule checks.
    Indicator name The long name of the detection rule.
    Analysis summary A detailed description of the detection rule and the underlying event IDs or corresponding conditions that trigger a finding.
    Initial workflow step The initial question we ask to support you with remediation steps.

    Current state

    Indicates whether the rule is currently enabled or disabled.

    Default state

    Indicates whether the rule is enabled or disabled by default, with an explanation of why the default was chosen by Blumira.

  • A Filters tab with all of the active detection filters that are allowing the listed users and/or IPs to go undetected by the rule. Includes the ability to delete filters.
    Reference: To learn how to add or edit detection filters, follow the steps in Using detection filters.

Searching detection rules

To find specific detection rules, you can search in the following ways:

  • From the Search preset list, select to filter down to Enabled or Disabled rules, or select All detection rules.
  • In the Search box, type keywords associated with a detection rule's name or description (as described in the Analysis summary column).
    Screen_Shot_2022-04-07_at_11.28.42_AM.png

Enabling and disabling detection rules

Required: You must have the administrator role to change detection rules' settings. 

After verifying the current state of your detection rules, you can change a rule's state to enabled or disabled using the toggle switch next to the rule name. 

Note: An enabled rule appears with a blue switch that is positioned to the right. A disabled rule appears with a gray switch positioned to the left.

To change a detection rule's current state:

  1. In the Detection Rules table, locate the rule you want to update.
  2. Click the switch next to the rule's name.
  3. In the confirmation window, click Yes.