
Threat Detection Management Guide

Enable Analytics Rules

Enable analytics rules to activate them and allow them to trigger in your environment.

You can enable an individual analytics rule or multiple analytics rules at once.

You can enable only a limited number of analytics rules. To review the maximum number of analytics rules you're allowed to enable, under the Threat Detection Management Analytics Rules tab, navigate to the Limit chart:

The Limit chart under the Analytics Rules tab.

Under Exabeam Rules, view the number of pre-built analytics rules enabled compared to the maximum your entitlement allows. Under Custom Rules, view the number of custom analytics rules enabled compared to the maximum your entitlement allows.

Enable an Analytics Rule

  1. For the analytics rule you're enabling, click the More menu (three vertical dots) or right-click the analytics rule, then select Enable. The change is added to a batch of pending updates. You must now apply the change to your environment for the change to take effect.

  2. Under Engine Status, click View Changes.

    The Engine Status showing pending analytics rule changes waiting to be processed.

  3. Review all rules with pending changes:

    • Name – The name of the rule with pending changes.

    • Update – The nature of the change. Update indicates that the change modifies the rule. Obsolete indicates that the change removes the rule.

    • Change – The nature of the change. Updating indicates that the change modifies the rule. Deleting indicates that the change deletes the rule.

    • Actions – View rule details or delete the change. To view rule details, click the eye icon. To delete the change, click the trash can icon.

    To find specific rules, filter the rules by Update or Change columns.

  4. Ensure you select the checkbox for the analytics rule you enabled. You can also select other analytics rule changes you want to apply to your environment.

  5. Determine whether the analytics engine re-trains on past events using the rule changes:

    • To apply rule changes without re-training the analytics engine on past events, select Apply Changes Without Training.

      Consider applying changes without training if you want to apply the changes immediately, minimize disruptions to other Exabeam applications, ensure the analytics engine continues to run in real time, and ensure you don't use any of your entitled training days.

      Keep in mind that applying changes without training increases the risk of false positives and limits the analytics engine from adapting to evolving patterns in entity behavior.

    • To re-train the analytics engine on past events with the rule changes, select Apply Changes and Re-train. By default, the analytics engine begins training using the rule changes on the past 21 days of event data. After the analytics engine finishes training, analytics rules continue to trigger on incoming events in real-time.

      To change the start date of events the analytics engine uses to re-train:

      1. Click Advanced Settings.

      2. Under Training Start Date, click the date field, then select a date using the calendar. You can re-train the analytics engine on up to 30 days of events, with a recommended minimum of 14 days of events.

      3. Click Confirm.

  6. Click Apply Rule Changes. If you selected Apply Changes and Re-train or Trigger on Historical Events, the analytics engine temporarily stops processing incoming events to re-train on past events using the rule changes.

Enable Multiple Analytics Rules

  1. Select the analytics rules you're enabling:

    • To select all analytics rules, click the checkbox in the header row.

      All listed analytics rules selected.

    • To select specific analytics rules, click the checkbox for each analytics rule.

      Three analytics rules selected.

  2. Click Enable:

    The Enable action shown when multiple analytics rules are selected.

    The change is added to a batch of pending updates. You must now apply the change to your environment for the change to take effect.

  3. Under Engine Status, click View Changes.

    The Engine Status showing pending analytics rule changes waiting to be processed.

  4. Review all rules with pending changes:

    • Name – The name of the rule with pending changes.

    • Update – The nature of the change. Update indicates that the change modifies the rule. Obsolete indicates that the change removes the rule.

    • Change – The nature of the change. Updating indicates that the change modifies the rule. Deleting indicates that the change deletes the rule.

    • Actions – View rule details or delete the change. To view rule details, click the eye icon. To delete the change, click the trash can icon.

    To find specific rules, filter the rules by Update or Change columns.

  5. Ensure you select the checkbox for the analytics rules you enabled. You can also select other analytics rule changes you want to apply to your environment.

  6. Determine whether the analytics engine re-trains on past events using the rule changes:

    • To apply rule changes without re-training the analytics engine on past events, select Apply Changes Without Training.

      Consider applying changes without training if you want to apply the changes immediately, minimize disruptions to other Exabeam applications, ensure the analytics engine continues to run in real time, and ensure you don't use any of your entitled training days.

      Keep in mind that applying changes without training increases the risk of false positives and limits the analytics engine from adapting to evolving patterns in entity behavior.

    • To re-train the analytics engine on past events with the rule changes, select Apply Changes and Re-train. By default, the analytics engine begins training using the rule changes on the past 21 days of event data. After the analytics engine finishes training, analytics rules continue to trigger on incoming events in real-time.

      To change the start date of events the analytics engine uses to re-train:

      1. Click Advanced Settings.

      2. Under Training Start Date, click the date field, then select a date using the calendar. You can re-train the analytics engine on up to 30 days of events, with a recommended minimum of 14 days of events.

      3. Click Confirm.

    • To re-train the analytics engine and ensure analytics rules trigger on past events, select Trigger on Historical Events, then:

      1. Under Triggering Start Date, specify the start date of events the analytics engine uses to trigger analytics rules. Click the date field, then select a date using the calendar.

      2. Under Advanced Settings, change the start date of events the analytics engine uses to re-train. Under Training Start Date, click the date field, then select a date using the calendar. You can re-train the analytics engine on up to 30 days of events, with a recommended minimum of 14 days of events. Click Confirm.

      3. Having analytics rules trigger on past events may make some Threat Center detections and their associated cases or alerts obsolete. To allow obsolete cases or alerts to be automatically deleted, select Allow changes to closed cases.

      4. You must select the disclaimer: "By enabling this option, you acknowledge that reprocessing may disrupt connections with other system components (e.g., alerts, cases, timelines). Some features may be temporarily unavailable during reprocessing."

  7. Click Apply Rule Changes. If you selected Apply Changes and Re-train or Trigger on Historical Events, the analytics engine temporarily stops processing incoming events to re-train on past events using the rule changes.