Create an Analytics Rule
Create analytics rules to address specific security threats unique to your environment.
Analytics rules are configured in a JSON file that defines which events to detect, what fields to detect in an event, and adds other metadata about the analytics rule.
To create an analytics rule, you define the rule in a JSON file, import the file into Threat Detection Management, enable the rule, and then apply the pending changes to your environment.
You can create an unlimited number of analytics rules, but there is a limit to the number of custom analytics rules you're allowed to enable.
1. Define the analytics rule
Before you author an analytics rule JSON configuration, ensure you're familiar with the different analytics rule types. Depending on the threat you're detecting, you author an analytics rule of a specific type:
To detect the first time an entity performs an action it hasn't performed before (first-occurrence behavior), create a profiledFeature analytics rule.
To detect well-defined risk signatures or security violations, create a factFeature analytics rule.
To capture a single piece of context data that describes an important characteristic of an event, create a contextFeature analytics rule.
To detect anomalies in how often a behavior happens over a given period, create a numericCountProfiledFeature analytics rule.
To detect anomalies in how many distinct values a behavior involves over a given period (for example, how many different hosts a user connects to), create a numericDistinctCountProfiledFeature analytics rule.
To detect anomalies in the total of a numeric value accumulated over a given period (for example, bytes transferred), create a numericSumProfiledFeature analytics rule.
Each rule type requires different fields in their JSON configuration. As you author your analytics rule, review an example JSON configuration for the rule type you're authoring and ensure you include all necessary fields for your analytics rule to work as you expect:
Review an example JSON configuration and fields for a profiledFeature rule.
Review an example JSON configuration and fields for a factFeature rule.
Review an example JSON configuration and fields for a contextFeature rule.
Review an example JSON configuration and fields for a numericCountProfiledFeature rule.
Review an example JSON configuration and fields for a numericDistinctCountProfiledFeature rule.
Review an example JSON configuration and fields for a numericSumProfiledFeature rule.
2. Import the analytics rule
After you create the analytics rule JSON file, import it into Threat Detection Management.
On the Analytics Rules tab, click Import analytics rules.
Click Select File, then select a JSON file that contains no more than 50 rules and is no larger than 4 MB.
Threat Detection Management validates the analytics rules in the file to ensure that you're not importing duplicates of analytics rules that already exist in your environment and that the rules contain no syntax errors. Analytics rules that pass validation are marked with a green check mark. Troubleshoot any warnings or errors you encounter before continuing.
After the analytics rules are validated, click Import Rules.
Imported analytics rules are automatically disabled. The analytics rule author is the account that imported the rule. The analytics rule Created time is the date and time the rule was imported.
After you import the analytics rule, you can further tune the analytics rule using exclusions.
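Because the import dialog rejects a file that is too large, holds more than 50 rules, contains duplicates, or is not valid JSON, it saves a round trip to check those conditions before uploading. The script below is an added example, not Exabeam code: the only facts it takes from this page are the import limits. It assumes a rule file is a JSON array of rule objects and that duplicates can be detected on a configurable identifier key (default "name"); both are assumptions, so pass whichever key your rule configurations use as their identifier. The sample inputs are constructed and are not real rule configurations.

```python
"""Pre-flight checks for an analytics rule JSON file before import.

Constructed example, not Exabeam code. Facts taken from the documentation:
at most 50 rules per file, a file no larger than 4 MB, no duplicate rules,
and no JSON syntax errors. Assumptions: the file is a JSON array of rule
objects, and the identifier used for duplicate detection is `id_key`.
"""
from __future__ import annotations

import json
from collections import Counter

MAX_RULES_PER_FILE = 50           # documented import limit
MAX_FILE_BYTES = 4 * 1024 * 1024  # documented import limit (4 MB)


def preflight_rule_file(data: bytes, id_key: str = "name") -> list[str]:
    """Return the problems found; an empty list means the file is ready to import.

    `data` is the raw file content. `id_key` (assumed) names the field that
    identifies a rule within the file.
    """
    problems: list[str] = []

    if len(data) > MAX_FILE_BYTES:
        problems.append(f"file is {len(data)} bytes, limit is {MAX_FILE_BYTES}")

    try:
        rules = json.loads(data.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        # A syntax error is fatal; nothing else can be checked.
        problems.append(f"JSON syntax error: {exc}")
        return problems

    # Assumption: a file holds a JSON array of rule objects. A bare object
    # is accepted and treated as a one-rule file.
    if isinstance(rules, dict):
        rules = [rules]
    if not isinstance(rules, list) or not all(isinstance(r, dict) for r in rules):
        problems.append("top-level value must be a JSON array of rule objects")
        return problems

    if len(rules) > MAX_RULES_PER_FILE:
        problems.append(f"file holds {len(rules)} rules, limit is {MAX_RULES_PER_FILE}")

    # Duplicate detection within the file, keyed on the assumed identifier.
    ids = [r.get(id_key) for r in rules]
    missing = sum(1 for i in ids if i is None)
    if missing:
        problems.append(f"{missing} rule(s) have no '{id_key}' field")
    for ident, n in Counter(i for i in ids if i is not None).items():
        if n > 1:
            problems.append(f"duplicate rule '{ident}' appears {n} times")

    return problems


def split_for_import(rules: list[dict], chunk: int = MAX_RULES_PER_FILE) -> list[list[dict]]:
    """Split a large rule list into batches that fit the per-file limit."""
    return [rules[i:i + chunk] for i in range(0, len(rules), chunk)]


# Constructed sample inputs (not real rule configurations).
GOOD_FILE = json.dumps([{"name": "rule-a"}, {"name": "rule-b"}]).encode()
DUP_FILE = json.dumps([{"name": "rule-a"}, {"name": "rule-a"}]).encode()
BAD_JSON = b'[{"name": "rule-a",}]'  # trailing comma is invalid JSON

if __name__ == "__main__":
    for label, blob in (("good", GOOD_FILE), ("dup", DUP_FILE), ("bad", BAD_JSON)):
        print(label, preflight_rule_file(blob) or "ok")
```

Run it against the file you intend to upload (`preflight_rule_file(open(path, "rb").read())`); if it reports more than 50 rules, `split_for_import` produces batches you can write out as separate files. The check only covers duplicates inside one file; duplicates against rules already in your environment are still caught by the import validation.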
3. Enable the analytics rule
An imported analytics rule is automatically disabled. To activate it and allow it to trigger in your environment, you must enable it. You can enable an individual analytics rule or multiple analytics rules at once.
To enable an individual analytics rule, click the More menu or right-click the analytics rule, then select Enable.
To enable multiple analytics rules:
Select the analytics rules you're enabling:
To select all analytics rules, click the checkbox in the header row.
To select specific analytics rules, click the checkbox for each analytics rule.
Click Enable.
4. Apply the analytics rule to your environment
After the analytics rule is enabled, it's added to a batch of pending changes. To apply the new analytics rule to your environment, you must apply the changes.
Under Engine Status, click View Changes.
Review all rules with pending changes:
Name – The name of the rule with pending changes.
Update – The nature of the change. Update indicates that the change modifies the rule. Obsolete indicates that the change removes the rule.
Change – The nature of the change. Updating indicates that the change modifies the rule. Deleting indicates that the change deletes the rule.
Actions – View rule details or delete the change, using the icons in this column.
To find specific rules, filter the rules by Update or Change columns.
Select the rules to which you're applying pending changes:
To select all rules, click the checkbox in the header row.
To select specific rules, click the checkbox for each rule.
Determine whether the analytics engine re-trains on past events using the rule changes:
To apply rule changes without re-training the analytics engine on past events, select Apply Changes Without Training.
Consider applying changes without training if you want to apply the changes immediately, minimize disruptions to other Exabeam applications, ensure the analytics engine continues to run in real time, and ensure you don't use any of your entitled training days.
Keep in mind that applying changes without training increases the risk of false positives and prevents the analytics engine from adapting to evolving patterns in entity behavior until the next training run.
To re-train the analytics engine on past events with the rule changes, select Apply Changes and Re-train. By default, the analytics engine begins training using the rule changes on the past 21 days of event data. After the analytics engine finishes training, analytics rules continue to trigger on incoming events in real-time.
To change the start date of events the analytics engine uses to re-train:
Click Advanced Settings.
Under Training Start Date, click the date field, then select a date using the calendar. You can re-train the analytics engine on up to 30 days of events, with a recommended minimum of 14 days of events.
Click Confirm.
Click Apply Rule Changes. If you selected Apply Changes and Re-train or Trigger on Historical Events, the analytics engine temporarily stops processing incoming events to re-train on past events using the rule changes.