Threat Detection Management Guide

Apply Analytics Rule Changes

Apply the changes you make to analytics rules to your environment.

When you enable an analytics rule or make changes to any enabled analytics rule, the change is added to a batch of pending changes. For those changes to take effect in your environment, you must apply the changes.

  1. Under Engine Status, click View Changes.

    Figure: Engine Status showing pending analytics rule changes waiting to be processed.
  2. Review all analytics rules with pending changes:

    • Name – The name of the analytics rule with pending changes.

    • Min Training Required – The number of days the analytics rule must train on live data before it begins triggering.

    • Update – The nature of the change:

      • Update – The change modifies the analytics rule.

      • Obsolete – The change removes the analytics rule.

      • Testing – The change puts the analytics rule in test mode.

    • Change – The nature of the change. Updating indicates that the change modifies the analytics rule. Deleting indicates that the change deletes the analytics rule.

    • Actions – View analytics rule details or delete the change. To view analytics rule details, click the blue eye icon. To delete the change, click the blue trash can icon.

    To find specific analytics rules, filter the rules by the Update or Change columns.

  3. Select the analytics rules to which you're applying pending changes:

    • To select all analytics rules, click the checkbox in the header row.

    • To select specific analytics rules, click the checkbox for each rule.
  4. Determine whether the analytics engine re-trains on past events using the analytics rule changes:

    • To apply analytics rule changes without re-training the analytics engine on past events, select Real-time training.

      If an analytics rule has a training period, it trains on live data for the specified period before it begins triggering. If an analytics rule doesn't have a training period, it doesn't train on live data and is ready to trigger immediately after you apply the changes.

      This option minimizes disruptions to other Exabeam applications, ensures the analytics engine continues to run in real time, and ensures you don't use any of your entitled training days. Keep in mind that applying changes without training increases the risk of false positives and limits the analytics engine's ability to adapt to evolving patterns in entity behavior.

    • To re-train the analytics engine on past events with the analytics rule changes, select Re-train on historical data. By default, the analytics engine begins training using the analytics rule changes on the past 21 days of event data. After the analytics engine finishes training, analytics rules continue to trigger on incoming events in real time.

      To change the start date of events the analytics engine uses to re-train:

      1. Click Advanced Settings.

      2. Under Training Start Date, click the date field, then select a date using the calendar. You can re-train the analytics engine on up to 30 days of events, with a recommended minimum of 14 days of events.

      3. Click Confirm.

  5. Click Apply Rule Changes. If you selected Real-time training and the analytics rule has a required training period, its status is changed to Training and it can't trigger. If you selected Apply Changes and Re-train, the analytics engine temporarily stops processing incoming events to re-train on past events using the analytics rule changes.