Edit a Rule
Edit a rule using the Advanced Editor or Simple Editor in Advanced Analytics settings.
To edit any default rule or a default rule you cloned, you must use the Advanced Editor. The Advanced Editor is a JSON-style editor that displays the rule's back-end code as it exists in the configuration file rules.conf.
To edit a fact-based rule you created, you can use the Advanced Editor or the same interface you used to create the rule, also known as the Simple Editor. If you use the Advanced Editor to edit a fact-based rule, you can't edit the rule using the Simple Editor.
Edit a Rule Using the Advanced Editor
Use the Advanced Editor to edit any rule. Keep in mind that if you use the Advanced Editor to edit a fact-based rule, you can't edit the rule using the Simple Editor.
You should use the Advanced Editor only if you're familiar with creating or tweaking a machine learning rule and understand the syntax for expressing a rule. Changing rules can significantly affect the Analytics Engine. If you have questions, contact Exabeam Customer Success on the Exabeam Community.
1. From the bottom-left side of the page, click SETTINGS > Analytics, and then navigate to Admin Operations > Exabeam Rules.
2. For the rule you're editing, click the More menu, then select Advanced Editor.
3. Edit the rule attributes. The only attribute you can't change in the Advanced Editor is the rule ID.
   Important
   Default rules, including both model- and fact-based rules, may be deprecated and consequently disabled in future software updates. If you edit a rule to include a dependency on a default rule that later becomes deprecated, the edited rule will be automatically disabled.
   This also applies to dependencies on custom rules. If you edit a rule to include a dependency on a custom rule that becomes disabled, the edited rule will be automatically disabled.
4. Save the rule:
   - To save your progress without applying the changes, click SAVE. Your system validates the rule logic.
   - To save the rule and apply the changes, click SAVE & RELOAD ALL. Your system validates the rule logic and reloads all rules.
Edit a Fact-Based Rule Using the Simple Editor
Use the Simple Editor to edit a fact-based rule you created.
1. From the bottom-left side of the page, click SETTINGS > Analytics, and then navigate to Admin Operations > Exabeam Rules.
2. For the fact-based rule you're editing, click the More menu, then select Simple Editor.
3. Edit the rule details.
   Important
   Default rules, including both model- and fact-based rules, may be deprecated and consequently disabled in future software updates. If you edit a rule to include a dependency on a default rule that later becomes deprecated, the edited rule will be automatically disabled.
   This also applies to dependencies on custom rules. If you edit a rule to include a dependency on a custom rule that becomes disabled, the edited rule will be automatically disabled.
4. Save the rule:
   - To save your progress without applying the changes, click SAVE. Your system validates the rule logic.
   - To save the rule and apply the changes, click SAVE & RELOAD ALL. Your system validates the rule logic and reloads all rules.