- Get Started with Threat Detection Management
- Analytics Rules
- Analytics Rule Classifications
- Create an Analytics Rule
- Manage Analytics Rules
- Tune Analytics Rules
- Find Analytics Rules
- Share Analytics Rules
- Troubleshoot Analytics Rules
- Analytics Rules Syntax
- Advanced Analytics Rule Syntax vs. Analytics Rule Syntax
- Logical Expressions in Analytics Rule Syntax'
- String Operations Using Analytics Rule Syntax
- Integer Operations Using Analytics Rule Syntax
- Time Operations Using Analytics Rule Syntax
- Network Operations Using Analytics Rule Syntax
- Context Operations Using Analytics Rule Syntax
- Entity Operations Using Analytics Rule Syntax
- Correlation Rule Operations Using Analytics Rule Syntax
- Analytics Engine Status
- Correlation Rules
- Threat Scoring
Apply Analytics Rule Changes
Apply the changes you make to analytics rules to your environment.
When you enable an analytics rule or make changes to any enabled analytics rule, the change is added to a batch of pending changes. For those changes to take effect in your environment, you must apply the changes.
Under Engine Status, click View Changes.
Review all rules with pending changes:
Name – The name of the rule with pending changes.
Min Training Required – The number of days the rule must train on live data before it begins triggering.
Update – The nature of the change. Update indicates that the change modifies the rule. Obsolete indicates that the change removes the rule.
Change – The nature of the change. Updating indicates that the change modifies the rule. Deleting indicates that the change deletes the rule.
Actions – View rule details or delete the change. To view rule details, click
. To delete the change, click 
.
To find specific rules, filter the rules by Update or Change columns.
Select the rules to which you're applying pending changes:
To select all rules, click the checkbox in the header row.
To select specific rules, click the checkbox for each rule.
Determine whether the analytics engine re-trains on past events using the rule changes:
To apply rule changes without re-training the analytics engine on past events, select Real-time training.
If a rule has a training period, the rule trains on live data for the specified period before it begins triggering. If a rule doesn't have a training period, the rule doesn't train on live data and is ready to trigger immediately after you apply the changes.
This option minimizes disruptions to other Exabeam applications, ensures the analytics engine continues to run in real time, and ensures you don't use any of your entitled training days. Keep in mind that applying changes without training increases the risk of false positives and limits the analytics engine from adapting to evolving patterns in entity behavior.
To re-train the analytics engine on past events with the rule changes, select Re-train on historical data. By default, the analytics engine begins training using the rule changes on the past 21 days of event data. After the analytics engine finishes training, analytics rules continue to trigger on incoming events in real-time.
To change the start date of events the analytics engine uses to re-train:
Click Advanced Settings.
Under Training Start Date, click the date field, then select a date using the calendar. You can re-train the analytics engine on up to 30 days of events, with a recommended minimum of 14 days of events.
Click Confirm.
Click Apply Rule Changes. If you selected Real-time training and the rule has a required training period, its status is changed to Training and it can't trigger. If you selected Apply Changes and Re-train, the analytics engine temporarily stops processing incoming events to re-train on past events using the rule changes.