Blumira uses detection rules to monitor for threats, suspects, risks, and other operational issues within your environment and alert you to take action on those findings.
Reference: See About Blumira findings for more information.
We automatically enable rules on your account based on the log types from your organization and the latest cybersecurity research. As Blumira creates new rules, we also automatically deploy those rules to your account if you send applicable logs to Blumira.
Important: The detection rule deployment process runs every 30 minutes, but it can take up to 2 hours to complete and display newly deployed rules in the app.
Viewing and using detection rules
The Detection Rules page (Settings > Detection Rules) displays a summary of all available detection rules for your organization. Rules are available only when your account logs the data types that are used by the rules. This means that Blumira hides rules for integrations that you do not use.
From Detection Rules, you can do the following:
- See which detection rules are available on your account.
- View details about each detection rule.
- Enable and disable detection rules for your organization.
- View and delete detection filters.
The Detection Rules table includes the following information:
|Enable/disable switch|The indicator and control switch that you can use to turn a rule on or off.|
|Rule name|The name of the detection rule.|
|Category|The type of finding detected when the evidence is matched against conditions of the rule.|
|Priority|The severity rating that corresponds to the level of response needed.|
||The originating source of data used by the detection rule, as determined by the integrations configured for your account. Note: Blank entries in the data type denote multiple data sources, such as SonicWall traffic, Palo Alto traffic, and ASA traffic.|
|Analysis summary|The description of the rule, including the conditions used to analyze the activity in event logs.|
||The count of active detection filters configured to allow specific values to be undetected by the rule. Note: This is an Advanced edition feature.|
Viewing details of a specific detection rule
You can view the full details about each detection rule to understand its purpose and default behavior, as well as see any active filters related to your findings.
To view a detection rule's details:
- Navigate to Settings > Detection Rules.
- Click the row of a rule in the list.
- In the action menu, click View details.
- In the Detection Rule window, see information in the Details tab or click Filters to view information about the detection rule’s filters.
The Detection Rule window displays the following information:
- A Details tab:
|Detail|Description|
|Data source|The name of the data source that the detection rule checks.|
|Indicator name|The long name of the detection rule.|
|Analysis summary|A detailed description of the detection rule and the underlying event IDs or corresponding conditions that trigger a finding.|
|Initial workflow step|The initial question we ask to support you with remediation steps.|
||Indicates whether the rule is currently enabled or disabled.|
||Indicates whether the rule is enabled or disabled by default, with an explanation of why the default was chosen by Blumira.|
- A Filters tab with all of the active detection filters that are allowing the listed users and/or IPs to go undetected by the rule. Includes the ability to delete filters.
Reference: To learn how to add or edit detection filters, follow the steps in Using detection filters.
Searching detection rules
To find specific detection rules, you can search in the following ways:
- From the Search preset list, select Enabled or Disabled to filter the list to rules in that state, or select All detection rules.
- In the Search box, type keywords associated with a detection rule's name or description (as described in the Analysis summary column).
Enabling and disabling detection rules
Required: You must have the administrator role to change detection rules' settings.
After verifying the current state of your detection rules, you can change a rule's state to enabled or disabled using the toggle switch next to the rule name.
Note: An enabled rule appears with a blue switch that is positioned to the right. A disabled rule appears with a gray switch positioned to the left.
To change a detection rule's current state:
- In the Detection Rules table, locate the rule you want to update.
- Click the switch next to the rule's name.
- In the confirmation window, click Yes.