
Threat Detection Management Guide

Troubleshoot Issues with Importing Analytics Rules

Fix issues you encounter when importing analytics rules.

When you import analytics rules, Threat Detection Management validates the analytics rules in the file to ensure you're not importing duplicate analytics rules that already exist in your environment and there are no syntax errors in the analytics rules.

Analytics rules that are successfully validated have a green check mark. Analytics rules that do not pass the validation check may raise a warning or error, including:

Anomaly threshold is not in a valid format

The value of the anomalyThreshold field in the analytics rule you're importing isn't in the required format for its rule type.

To fix this issue, ensure the value of anomalyThreshold is:

  • A string; for example, "90 days"

  • A minimum of 30 days and maximum of 365 days for ProfiledFeature-type rules

  • A minimum of 90 days and maximum of 365 days for numericCountProfiledFeature-type rules

  • A minimum of 90 days and maximum of 120 days for numericDistinctCountProfiledFeature-type rules

  • A minimum of 30 days and maximum of 120 days for numericSumProfiledFeature-type rules

Failed to validate the file. Please try again.

The JSON file you're importing is empty.

To fix this issue, ensure the JSON file you're importing contains the configuration for an analytics rule.

Family ID is mandatory for a rule definition

The analytics rule you're importing is missing the familyId or ruleGroupId fields.

To fix this issue, add the familyId or ruleGroupId field to the analytics rule JSON configuration. Keep in mind that:

  • familyId must be a string that refers to the ID of an existing analytics rule family; for example, "windows-service-creation-activity"

  • ruleGroupId must be a string that refers to the ID of an existing analytics rule group under the analytics rule family referenced in familyId; for example, "pc-event-log-tampering-group"

File size exceeds the 4 MB limit. Please select a smaller file.

The JSON file you're importing is larger than 4 MB.

To fix this issue, reduce the size of the JSON file.

The file exceeds the maximum limit of 50 rules. Please reduce the number of rules and try again.

The JSON file you're importing contains configurations for more than 50 analytics rules.

To fix this issue, remove analytics rule configurations from the JSON file until it contains up to 50 analytics rule configurations.

This will override an existing rule with the same name

The analytics rule you're importing has the same templateId as an existing analytics rule. If you continue importing the rule, the analytics rule overrides the existing analytics rule of the same templateId.

To fix this issue, ensure the value of templateId in the analytics rule is unique. Keep in mind that the value of templateId must be a string with up to 128 characters.

Train on condition is mandatory for <rule type> rules

The analytics rule you're importing is missing the trainOnCondition field.

To fix this issue, add the trainOnCondition field to the analytics rule. Keep in mind that the value of trainOnCondition:

  • Must be a string

  • If the analytics rule trains on all events, the string is "true"

  • If the analytics rule triggers on specific events, the string is an expression that defines the events on which the analytics rule trains. Ensure you use valid expression syntax.
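The validation checks described above (anomalyThreshold format and per-type window, mandatory familyId and ruleGroupId, file size and rule count limits, templateId length and collisions, and the presence of trainOnCondition) can be run locally before uploading a file, so a large import does not fail one rule at a time in the UI. The script below is an added example written for this page; it is not Threat Detection Management code, and it assumes things the page does not state: that the JSON file holds an array of rule objects (or a single object), that the rule type is carried in a field named ruleType, and that the set of templateIds already present in your environment is supplied by the caller. It cannot check the syntax of a trainOnCondition expression, only that the field is a string.

```python
"""Pre-import lint for Threat Detection Management analytics-rule JSON.

Added example, not part of the product documentation. It reproduces the
checks the troubleshooting page describes so a file can be screened
before upload. Assumptions (not stated on the page): rules are a JSON
array of objects, the rule type lives in a field named "ruleType", and
the templateIds already in the environment are passed in by the caller.
"""
import json
import re

MAX_FILE_BYTES = 4 * 1024 * 1024   # "File size exceeds the 4 MB limit"
MAX_RULES = 50                     # "maximum limit of 50 rules"
MAX_TEMPLATE_ID_LEN = 128          # templateId: string of up to 128 characters

# Allowed anomalyThreshold window, in days, per rule type (values from the page).
THRESHOLD_RANGE = {
    "ProfiledFeature": (30, 365),
    "numericCountProfiledFeature": (90, 365),
    "numericDistinctCountProfiledFeature": (90, 120),
    "numericSumProfiledFeature": (30, 120),
}
_DAYS = re.compile(r"^\s*(\d+)\s+days\s*$")


def check_threshold(rule_type, value):
    """Return None if anomalyThreshold is valid for rule_type, else a message."""
    if not isinstance(value, str):
        return 'anomalyThreshold must be a string such as "90 days"'
    m = _DAYS.match(value)
    if not m:
        return f'anomalyThreshold {value!r} is not in the form "<n> days"'
    lo, hi = THRESHOLD_RANGE.get(rule_type, (None, None))
    if lo is None:
        return None  # the page lists no window for other types; nothing to check
    days = int(m.group(1))
    if not lo <= days <= hi:
        return f"anomalyThreshold must be between {lo} and {hi} days for {rule_type}"
    return None


def validate_rules(rules, existing_template_ids=frozenset()):
    """Lint a list of rule dicts; return [(severity, rule_index, message), ...]."""
    issues = []
    if len(rules) > MAX_RULES:
        issues.append(("error", None, f"file has {len(rules)} rules, limit is {MAX_RULES}"))
    seen = set()
    for i, rule in enumerate(rules):
        tid = rule.get("templateId")
        if not isinstance(tid, str) or not 0 < len(tid) <= MAX_TEMPLATE_ID_LEN:
            issues.append(("error", i, "templateId must be a string of 1..128 characters"))
        elif tid in existing_template_ids or tid in seen:
            # The UI only warns here: continuing overrides the rule with that templateId.
            issues.append(("warning", i, f"templateId {tid!r} will override an existing rule"))
        if isinstance(tid, str):
            seen.add(tid)
        for field in ("familyId", "ruleGroupId"):
            if not isinstance(rule.get(field), str) or not rule[field]:
                issues.append(("error", i, f"{field} is mandatory and must be a string"))
        if not isinstance(rule.get("trainOnCondition"), str):
            issues.append(("error", i, "trainOnCondition is mandatory and must be a string"))
        msg = check_threshold(rule.get("ruleType"), rule.get("anomalyThreshold"))
        if msg:
            issues.append(("error", i, msg))
    return issues


def validate_file(path, existing_template_ids=frozenset()):
    """Apply the file-level checks first, then the per-rule checks."""
    with open(path, "rb") as fh:
        raw = fh.read()
    if not raw.strip():
        return [("error", None, "file is empty")]
    if len(raw) > MAX_FILE_BYTES:
        return [("error", None, "file exceeds the 4 MB limit")]
    rules = json.loads(raw)
    if isinstance(rules, dict):   # a single rule object is accepted too (assumption)
        rules = [rules]
    return validate_rules(rules, existing_template_ids)


# Constructed sample input: one clean rule, one that trips several checks
# (duplicate templateId, missing ruleGroupId and trainOnCondition, threshold
# outside the 90..120 day window for its type).
SAMPLE_RULES = [
    {"templateId": "svc-create-unusual-host", "familyId": "windows-service-creation-activity",
     "ruleGroupId": "pc-event-log-tampering-group", "ruleType": "numericCountProfiledFeature",
     "anomalyThreshold": "90 days", "trainOnCondition": "true"},
    {"templateId": "svc-create-unusual-host", "familyId": "windows-service-creation-activity",
     "ruleType": "numericDistinctCountProfiledFeature", "anomalyThreshold": "180 days"},
]

if __name__ == "__main__":
    for sev, idx, msg in validate_rules(SAMPLE_RULES):
        print(f"[{sev}] rule {idx}: {msg}")
```

Run it against the sample and it reports one warning (the repeated templateId) and three errors for the second rule; point validate_file at a real export, passing the templateIds already deployed, to get the same report for a whole file before you import it.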

Value is mandatory for <analytics rule type> rules

The analytics rule you're importing is missing a mandatory field for its type.

To fix this issue, ensure the analytics rule contains all mandatory fields for its type: