Overview
Blumira uses detection rules to monitor for threats, suspects, risks, and other operational issues within your environment and alert you to take action on those findings.
Reference: See About Blumira findings for more information.
We automatically enable detection rules on your account based on the log types we are receiving from your organization and the latest cybersecurity research. You can expect to see rules in a newly created organization within 15 minutes of adding a new log source. Then, as Blumira creates new detection rules, we automatically deploy those rules to your account if you send applicable logs to Blumira.
If you stop sending a specific log type, we remove the detection rules that depend on that type from the account after six months of not receiving it. If you begin sending that data again later, our system re-deploys those detection rules to the account.
Windowed vs. real-time detections
Windowed detections are currently available only in paid editions, whereas real-time detections are available to all editions. This means that any rule with "Windowed" as the Detection Type in the rules table will be automatically disabled in Free Edition accounts.
Viewing and using detection rules
The Detection Rules page (Settings > Detection Rules) displays a list of all available detection rules for your organization. Rules are available only when your account logs the data types that are used by the rules. This means that Blumira hides rules for integrations that you do not use.
From Detection Rules, you can do the following:
- See which detection rules are available on your account.
- View details about each detection rule.
- Enable and disable detection rules for your organization.
- View and delete detection filters.
The Detection Rules table includes the following information:
Column | Description |
Enable/disable switch | The indicator and control switch that you can use to turn a rule on or off. |
Rule name | The name of the detection rule. |
Category | The type of finding detected when the evidence is matched against the conditions of the rule. |
Priority | The severity rating corresponding to the level of response needed. |
Data type | The originating source of data used by the detection rule, as determined by the integrations configured for your account. Note: Blank entries in the data type denote multiple data sources, such as Sonicwall traffic, Palo Alto traffic, and ASA traffic. |
Analysis summary | The description of the rule, including the conditions used to analyze the activity in event logs. |
Filters | The count of active detection filters configured to allow specific values to be undetected, or allowlisted, by the rule. Note: Detection filters are only available in paid editions. |
Viewing details of a specific detection rule
You can view the full details about each detection rule to understand its purpose and default behavior, as well as see any active filters related to your findings.
To view a detection rule's details:
- Navigate to Settings > Detection Rules.
- Click the row of a rule in the list.
- In the action menu, click View details.
- In the Detection Rule window, see information in the Details tab or click Filters to view information about the detection rule’s filters.
The Detection Rule window displays the following information:
- A Details tab:
Detail | Description |
Data source | The name of the data source that the detection rule checks. |
Indicator name | The long name of the detection rule. |
Analysis summary | A detailed description of the detection rule and the underlying event IDs or corresponding conditions that trigger a finding. |
Initial workflow step | The initial question we ask to support you with remediation steps. |
Current state | Indicates whether the rule is currently enabled or disabled. |
Default state | Indicates whether the rule is enabled or disabled by default, with an explanation of why Blumira chose that default. |
- A Filters tab listing all of the active detection filters that allow the listed users and/or IPs to go undetected by the rule. From this tab you can also delete filters.
Reference: To learn how to add or edit detection filters, follow the steps in Using detection filters.
Searching detection rules
To find specific detection rules, you can search in the following ways:
- From the Search preset list, select to filter down to Enabled or Disabled rules, or select All detection rules.
- In the Search box, type keywords associated with a detection rule's name or description (as described in the Analysis summary column).
Enabling and disabling detection rules
Required: You must have the administrator role to change detection rules' settings.
After verifying the current state of your detection rules, you can change a rule's state to enabled or disabled using the toggle switch next to the rule name.
Note: An enabled rule appears with a blue switch that is positioned to the right. A disabled rule appears with a gray switch positioned to the left.
To change a detection rule's current state:
- In the Detection Rules table, locate the rule you want to update.
- Click the switch next to the rule's name.
- In the confirmation window, click Yes.