Edit an Analytics Rule
Edit a custom analytics rule you created.
You can edit custom analytics rules only. You can't edit pre-built analytics rules.
If an enabled analytics rule has a required training period, editing the rule doesn't reset its training. The only way to reset the training for an analytics rule is to disable the rule.
There are two ways to edit an analytics rule: using Exabeam Nova Rule Creator or manually.
Edit an Analytics Rule Using Exabeam Nova Rule Creator
Send natural language prompts to Exabeam Nova Rule Creator describing the changes you want to make to the analytics rule. Exabeam Nova Rule Creator drafts the changes, which you can review before saving.
For the custom analytics rule you're editing:
Click the More menu, then select Edit.
Right-click the analytics rule, then select Edit.
Select the checkbox for the analytics rule, then select Edit.
Select the analytics rule to view its details, then select Edit.
Next to Exabeam Nova can help you edit or update rules, click Edit.
In Describe the rule you want to create, enter a natural language description of the change you want to make.
To send the description to Exabeam Nova Rule Creator, click . Exabeam Nova Rule Creator validates whether your description meets analytics rule field requirements, then generates a draft of the analytics rule.
Review the analytics rule draft. To continue tuning the analytics rule, continue prompting Exabeam Nova Rule Creator with the changes you want to see in the analytics rule.
You can also ask Exabeam Nova Rule Creator other questions about Threat Detection Management and analytics rules; for example, what the different analytics rule types are, or what an analytics rule field does.
To save the changes, click Create Rule.
Manually Edit an Analytics Rule
Make changes to an analytics rule using the point-and-click Manual Rule Creator.
For the custom analytics rule you're editing:
Click the More menu, then select Edit.
Right-click the analytics rule, then select Edit.
Select the checkbox for the analytics rule, then select Edit.
Select the analytics rule to view its details, then select Edit.
To change the analytics rule name and type, applicable data sources, detection logic and conditions, or baseline and training, click . When you've completed all changes to these configurations, click Next.
Under Rule Details, you can change other analytics rule details like rule description, contextual rule definition, rule family and group, rule template ID, and associated Exabeam use cases and MITRE ATT&CK® tactics and techniques.
Click Save.
If the analytics rule is enabled, the change is added to a batch of pending changes, and you must apply the change to your environment.