Threat Detection Management Guide

View and Apply Changes to Analytics Rules

To ensure that you always have the latest in threat detection, Exabeam regularly turns threat research into updates to your analytics rules.

When new rules are available, Exabeam automatically delivers the rules to your Threat Detection Management app in a disabled state.

The Threat Detection Management app summarizes the total number of rule changes available for both disabled and enabled rules.

[Screenshot: tdm-analytics-rules-updates.png]

You can Bulk Accept All Rule Changes without review, or for a more cautious approach, you can Review Changes to Individual Rules.

Review Changes to Individual Rules

To review changes to a specific rule:

  1. Log in to the New-Scale Security Operations Platform and go to the Threat Detection Management app.

  2. Use the filters in the Analytics Rules table to filter by Update. You can also optionally filter by the rule Status (Disabled or Enabled).

    [Screenshot: tdm-analytics-rules-updates-filter.png]

  3. Click the more actions menu ( ••• ) for the rule you want to examine.

  4. If you want to accept the rule update without reviewing the changes, select Update. Otherwise, to review the changes first, select Details.

  5. Click Show Details.

    [Screenshot: tdm-analytics-rules-updates-rule-changes-diff.png]

    Threat Detection Management displays the differences between your current rule and the new rule: a red background marks text that was removed from the rule, and a dark green background marks text that was added.

  6. If you are ready to accept and apply the changes, click Update at the top of the rule summary.

    [Screenshot: tdm-analytics-rules-updates-apply.png]

    For disabled rules, you can also Enable the rule from the same location.

    The Threat Detection Management app recalculates the Updates summary to show the number of remaining rule updates.

    Repeat the process to review any additional rules.

Bulk Accept All Rule Changes

When Exabeam changes an analytics rule, the Threat Detection Management app displays the total number of disabled and enabled rules that have unapplied changes. You can bulk apply the changes for each group of rules by clicking the View and update link in the Updates summary.

[Screenshot: tdm-analytics-rules-updates.png]

Note

Using this option applies the updates without any ability to preview the changes beforehand. If you want to see the changes first, use Review Changes to Individual Rules instead of the bulk update method.
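The individual-review workflow above (diff the current rule against the delivered rule, accept it, and watch the Updates summary shrink) can be reproduced offline when you want a record of what each update changed before accepting it in the app. The following is an added example written for this page, not Exabeam code and not an Exabeam API: it assumes a rule is represented as plain "key: value" text and that pending updates are tracked as a list of objects with a rule name and a Disabled/Enabled status. The two sample rules are constructed for the example.

```python
"""Offline review helper for analytics-rule updates (constructed example; not Exabeam code).

Assumptions (not from the product documentation):
  * a rule is plain text made of "key: value" lines;
  * a pending update pairs the deployed rule text with the delivered rule text;
  * status is the rule's current state in the app, "Disabled" or "Enabled".
"""
import difflib
from dataclasses import dataclass


@dataclass
class PendingUpdate:
    name: str       # rule name as shown in the Analytics Rules table
    status: str     # "Disabled" or "Enabled"
    current: str    # rule text currently deployed
    proposed: str   # rule text delivered with the update


def rule_diff(current: str, proposed: str) -> dict:
    """Return the removed and added lines, mirroring the red/green diff view.

    A zero-context unified diff is used so that only changed lines are reported.
    """
    lines = list(difflib.unified_diff(
        current.splitlines(), proposed.splitlines(), lineterm="", n=0))
    removed, added = [], []
    for line in lines[2:]:          # skip the "---" / "+++" file headers
        if line.startswith("@@"):   # hunk header, carries no rule content
            continue
        if line.startswith("-"):
            removed.append(line[1:])
        elif line.startswith("+"):
            added.append(line[1:])
    return {"removed": removed, "added": added}


def updates_summary(pending: list) -> dict:
    """Count unapplied updates per rule status, like the app's Updates summary."""
    summary = {"Disabled": 0, "Enabled": 0}
    for update in pending:
        summary[update.status] += 1
    return summary


def accept_update(pending: list, name: str) -> list:
    """Accept one reviewed update and return the remaining queue (summary is recomputed from it)."""
    return [update for update in pending if update.name != name]


# --- constructed sample data -------------------------------------------------
CURRENT_A = "name: Suspicious login\nseverity: medium\ncondition: failed_logins > 5\n"
PROPOSED_A = ("name: Suspicious login\nseverity: high\ncondition: failed_logins > 5\n"
              "tags: credential-access\n")
CURRENT_B = "name: Rare process\nseverity: low\ncondition: process_count < 3\n"
PROPOSED_B = "name: Rare process\nseverity: low\ncondition: process_count < 2\n"

SAMPLE_PENDING = [
    PendingUpdate("Suspicious login", "Enabled", CURRENT_A, PROPOSED_A),
    PendingUpdate("Rare process", "Disabled", CURRENT_B, PROPOSED_B),
]

if __name__ == "__main__":
    print("Pending before review:", updates_summary(SAMPLE_PENDING))
    for update in SAMPLE_PENDING:
        diff = rule_diff(update.current, update.proposed)
        print(f"{update.name} ({update.status})")
        for line in diff["removed"]:
            print("  - " + line)      # red in the app
        for line in diff["added"]:
            print("  + " + line)      # dark green in the app
    remaining = accept_update(SAMPLE_PENDING, "Suspicious login")
    print("Pending after accepting one:", updates_summary(remaining))
```

Reviewing the per-field diff this way makes it obvious when an update changes a rule's scope (here the severity and the detection threshold), which is the information the bulk option skips.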