Analytics Rule Types
Get to know the types of analytics rules.
Analytics rule types classify analytics rules by how they function; for example, some directly evaluate event data, while others profile historical activity to identify unusual patterns. There are six types of analytics rules.
Rule Type Field Name | Description
---|---
factFeature | Triggers on predefined conditions using correlation logic; for example, it's definitely risky if a certain condition is true. Used to detect well-defined risk signatures and security violations. Often used as high-confidence, low-noise alerts.
contextFeature | Identifies context data describing an important characteristic in events. Used in conjunction with other analytics rules to calibrate risk. Certain behaviors may be more or less risky given certain contexts.
profiledFeature | Triggers on first-time user actions in a certain period that deviate from historical behavior. The analytics engine establishes a baseline of typical activity, builds a profile for the behavior, and tracks when it last observed the behavior.
numericCountProfiledFeature | Triggers when the count of a behavior is anomalous over a certain period.
numericDistinctCountProfiledFeature | Triggers when the count of unique values of an event is anomalous over a certain period.
numericSumProfiledFeature | Triggers when the quantity associated with a behavior is anomalous over a certain period.
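As an added illustration (not the product's own engine or rule syntax), the following Python evaluator applies each of the six rule types to a constructed event stream so the differences between count, distinct-count and sum profiling are visible on the same data. The event fields, the directory lookup and the mean-plus-three-standard-deviations anomaly threshold are assumptions made for this demonstration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample events (not real telemetry): days 1-3 form the baseline,
# day 4 is the evaluated period with the same event count but a new IP and far more bytes.
EVENTS = [
    {"day": 1, "user": "alice", "src_ip": "10.0.0.5", "bytes": 100},
    {"day": 1, "user": "alice", "src_ip": "10.0.0.5", "bytes": 120},
    {"day": 2, "user": "alice", "src_ip": "10.0.0.5", "bytes": 110},
    {"day": 2, "user": "alice", "src_ip": "10.0.0.6", "bytes": 90},
    {"day": 3, "user": "alice", "src_ip": "10.0.0.5", "bytes": 105},
    {"day": 3, "user": "alice", "src_ip": "10.0.0.6", "bytes": 115},
    {"day": 4, "user": "alice", "src_ip": "203.0.113.9", "bytes": 5000},
    {"day": 4, "user": "alice", "src_ip": "10.0.0.5", "bytes": 100},
]

def fact_feature(event):
    """factFeature: fires whenever a predefined condition holds (assumed condition:
    the source address is outside the constructed 10.0.0.0/8 corporate range)."""
    return not event["src_ip"].startswith("10.")

def context_feature(event, directory):
    """contextFeature: does not fire on its own; it labels the event with context
    (here an assumed privileged-user lookup) that other rules use to calibrate risk."""
    return {"privileged": directory.get(event["user"], False)}

def profiled_feature(event, history):
    """profiledFeature: fires when this user has never shown this value in the baseline."""
    seen = {e["src_ip"] for e in history if e["user"] == event["user"]}
    return event["src_ip"] not in seen

def _per_day(events, user, agg):
    per_day = defaultdict(list)
    for e in events:
        if e["user"] == user:
            per_day[e["day"]].append(e)
    return {day: agg(evs) for day, evs in per_day.items()}

def numeric_profile(events, user, day, agg, k=3.0):
    """Shared logic of the three numeric*ProfiledFeature types: aggregate each period,
    then flag the evaluated period if it exceeds baseline mean + k standard deviations."""
    daily = _per_day(events, user, agg)
    baseline = [v for d, v in daily.items() if d < day]
    if not baseline:
        return False  # no history yet: nothing to compare against
    spread = pstdev(baseline) if len(baseline) > 1 else 0.0
    return daily.get(day, 0) > mean(baseline) + k * spread

# Aggregators selecting which numeric type is evaluated.
COUNT = len                                            # numericCountProfiledFeature
DISTINCT_IPS = lambda evs: len({e["src_ip"] for e in evs})  # numericDistinctCountProfiledFeature
BYTES_SUM = lambda evs: sum(e["bytes"] for e in evs)   # numericSumProfiledFeature
```

On this data only the sum profile and the first-time-IP profile fire for day 4, which is the point: the same activity can be normal by count and by distinct count yet anomalous by quantity.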