
Threat Detection Management Guide

Update Analytics Rules

Review and accept new pre-built analytics rules, deletions of pre-built analytics rules, and updates to existing pre-built analytics rules.

To ensure you have the latest threat detection capabilities, Threat Detection Management regularly updates your pre-built analytics rules with the latest threat research, automatically adds new pre-built rules in a disabled state, and deletes obsolete pre-built rules. When you create, delete, enable, or disable an analytics rule, those changes are also added to the batch of pending updates. To apply these changes to your environment, you must accept the changes.

You can accept pending updates for multiple enabled or disabled pre-built rules in bulk without reviewing the changes first, or, for a more cautious approach, review and accept the changes for one pre-built rule at a time.

Apply Updates to an Individual Pre-Built Rule

Selectively review and apply changes to individual pre-built rules.

  1. To find pre-built analytics rules with pending changes, filter analytics rules by Update.

  2. To review what's changed in a rule, click View changes.


    In Update Changes, view:

    • Property – The analytics rule field that is changed with the update.

    • Current Value – The current value of the analytics rule field.

    • New Value – The value of the analytics rule field after the update.

  3. To apply the change:

    • In Update Changes, click Update.

    • In the rule details, click Update.

    • In the Analytics Rules tab, click the More menu for the rule, right-click the rule, or select the checkbox for the rule, then select Update.

Apply Updates to Enabled Rules in Bulk

Review and accept pending changes to multiple enabled rules at once.

  1. Under Updates, view the total number of enabled rules with pending changes.


    You can't review what's changed in detail. To review changes in detail, you must review the changes for each individual rule.

  2. Click View and update.

  3. Review all rules with pending changes:

    • Name – The name of the rule with pending changes.

    • Update – The type of pending update. Update indicates that the rule's content changes. Obsolete indicates that the rule is being removed.

    • Change – The action the update performs when accepted. Updating modifies the rule. Deleting deletes the rule.

    • Actions – View rule details or discard the pending change. To view rule details, click the eye icon. To discard the change, click the trash can icon.

    To find specific rules, filter the rules by Update or Change columns.

  4. Select the rules to which you're applying pending changes:

    • To select all rules, click the checkbox in the header row.

    • To select specific rules, click the checkbox for each rule.

  5. Determine whether the analytics engine re-trains on past events using the rule changes:

    • To apply rule changes without re-training the analytics engine on past events, select Apply Changes Without Training.

      Consider applying changes without training if you want to apply the changes immediately, minimize disruptions to other Exabeam applications, ensure the analytics engine continues to run in real time, and ensure you don't use any of your entitled training days.

      Keep in mind that applying changes without training increases the risk of false positives and limits the analytics engine's ability to adapt to evolving patterns in entity behavior.

    • To re-train the analytics engine on past events with the rule changes, select Apply Changes and Re-train. By default, the analytics engine begins training using the rule changes on the past 21 days of event data. After the analytics engine finishes training, analytics rules continue to trigger on incoming events in real-time.

      To change the start date of events the analytics engine uses to re-train:

      1. Click Advanced Settings.

      2. Under Training Start Date, click the date field, then select a date using the calendar. You can re-train the analytics engine on up to 30 days of events, with a recommended minimum of 14 days of events.

      3. Click Confirm.

  6. Click Apply Rule Changes. If you selected Apply Changes and Re-train, the analytics engine temporarily stops processing incoming events to re-train on past events using the rule changes.
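Because the bulk path cannot show what changed, a reviewer has to decide which rows to accept in bulk and which to open with View changes first, and then pick a Training Start Date inside the page's limits. The following added example, which is not Exabeam code and uses no Exabeam API, shows one way to make those two decisions repeatable. It assumes the reviewer has transcribed the pending changes from the Update Changes view into the record shapes defined in the script; the field names (name, enabled, change, diffs) and the list of sensitive properties are hypothetical, and the sample rules are constructed.

```python
"""Triage helper for pending analytics-rule updates.

Added example; not Exabeam code. It assumes pending changes have been
transcribed from the Update Changes view into the dataclasses below, so the
field names are hypothetical.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Limits stated in the guide for re-training the analytics engine.
MAX_TRAINING_DAYS = 30
RECOMMENDED_MIN_TRAINING_DAYS = 14
DEFAULT_TRAINING_DAYS = 21


@dataclass
class PropertyDiff:
    """One row of the Update Changes view: Property / Current Value / New Value."""
    prop: str
    current: str
    new: str


@dataclass
class PendingChange:
    """One row of the View and update list (Name and Change columns)."""
    name: str
    enabled: bool
    change: str                     # "Updating" or "Deleting"
    diffs: list = field(default_factory=list)


# Properties whose change alters what the engine alerts on; accepting these in
# bulk without looking is the risky path. Hypothetical list for this example.
SENSITIVE_PROPERTIES = {"condition", "score", "enabled"}


def triage(changes):
    """Split pending changes into those safe to accept in bulk and those that
    should be opened individually with View changes.
    Returns (bulk, review), each a list of (rule name, reasons)."""
    bulk, review = [], []
    for c in changes:
        reasons = []
        if c.change == "Deleting" and c.enabled:
            reasons.append("deletes an enabled rule")
        sensitive = sorted({d.prop for d in c.diffs} & SENSITIVE_PROPERTIES)
        if c.enabled and sensitive:
            reasons.append("changes " + ", ".join(sensitive) + " on an enabled rule")
        (review if reasons else bulk).append((c.name, reasons))
    return bulk, review


def training_window(start, today=None):
    """Check a Training Start Date against the guide's limits.
    Returns (days of events, warning or None); raises if outside 1 to 30 days."""
    today = today or date.today()
    days = (today - start).days
    if days < 1 or days > MAX_TRAINING_DAYS:
        raise ValueError(f"training start must be 1 to {MAX_TRAINING_DAYS} days ago, got {days}")
    warning = None
    if days < RECOMMENDED_MIN_TRAINING_DAYS:
        warning = f"only {days} days of events; recommended minimum is {RECOMMENDED_MIN_TRAINING_DAYS}"
    return days, warning


def default_training_start(today=None):
    """Start date matching the default 21-day re-training window."""
    return (today or date.today()) - timedelta(days=DEFAULT_TRAINING_DAYS)


# Constructed sample of pending changes (not real rule names or values).
SAMPLE = [
    PendingChange("Abnormal logon time for user", True, "Updating",
                  [PropertyDiff("description", "old text", "new text")]),
    PendingChange("First VPN connection from country", True, "Updating",
                  [PropertyDiff("score", "10", "25"),
                   PropertyDiff("condition", "count > 1", "count > 0")]),
    PendingChange("Legacy rule", True, "Deleting", []),
    PendingChange("Disabled experimental rule", False, "Deleting", []),
]

if __name__ == "__main__":
    bulk, review = triage(SAMPLE)
    print("safe for bulk accept:", [n for n, _ in bulk])
    for name, reasons in review:
        print(f"review individually: {name}: {'; '.join(reasons)}")
    today = date(2024, 6, 30)
    print("default start:", default_training_start(today))
    print(training_window(date(2024, 6, 20), today))
```

The split mirrors the guide's own advice: rows flagged for review are the ones where the bulk path would hide a change that alters alerting or removes an enabled detection, so those get the per-rule View changes workflow; everything else can go through Apply Rule Changes in one pass. The window check rejects a start date older than 30 days and warns below the recommended 14.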

Apply Updates to Disabled Rules in Bulk

Review and accept pending changes to multiple disabled rules at once.

  1. Under Updates, view the total number of disabled pre-built rules with pending updates.


    You can't review what's changed in detail. To review changes in detail, you must review the changes for each individual rule.

  2. Click Update. All pending changes for disabled rules are automatically applied.