Setting Detection Rules

A detection rule is a set of security conditions you configure. When the conditions are met, the rule triggers an incident for an administrator to examine. For example, the Admin Discovered detection rule generates an incident whenever a new cloud service admin user is discovered.

The detection rule engine runs autonomously, checking detection rules whenever a new integration is enabled, and periodically thereafter.

To view the Detection Rules page:

From the left navigation, select Threat Center > Detection Rules.

By default, the Detection Rules table displays enabled detection rules from the Threat category.

To see more details about a detection rule, click its name and examine the side panel that is displayed.

To see the list of incidents the detection rule generated, click the number in the Incidents column, or open the More menu and select View Incidents. For more information, see Processing Incidents.

The Detection Rules Table

The Detection Rules page displays a table with the following information next to the name of each detection rule (column name, description, and example values):

  • Apps: The applications that the detection rule tracks. Example values: AWS, Okta, GCP, GitHub, and more.

  • Severity: Severity of the detection rule. Example values: Critical, High, Medium, or Low.

  • Incidents: The number of incidents that this detection rule triggered. Closed or resolved incidents are not shown. Example values: any number.

  • Categories: The categories to which the detection rule belongs. Example values: Threats, Privileged Access, Stale Access, Key Management, Security Baseline, Authentication.

  • MITRE: Related MITRE ATT&CK tactics. Example values: Credential Access, Initial Access, Defense Evasion.

  • Channels: The enabled communication method. Example value: Email.

  • Automated Response: Whether automated response is enabled for at least one application. Example values: True or False.

  • Status: The detection rule status. Values: Enabled (incidents are created, and notifications are sent if they were configured for the detection rule) or Disabled (the detection rule is not active, and incidents are not created).

  • Compliance (hidden until selected): Compliance frameworks that are relevant to the detection rule. Example values: a list of relevant compliance frameworks.

  • Owner (hidden until selected): Who created this detection rule. Values: Delinea (created by the system) or Other (created by a user).

Filtering, Searching, and Sorting Detection Rules

To change which detection rules are displayed in the Detection Rules table, you can filter and sort its data with the filters above the table. When you filter, the selections you make are shown in the filter bar. To search for a detection rule by name, type text into the search field.

By default, the table is sorted by incident count, in descending order. To sort the table differently, click a column heading. If needed, click it again to reverse the sort order.

Configuring Detection Rules

You can take the following actions to configure an existing detection rule:

  • Enable or disable

  • Edit or duplicate

  • Delete

Enabling or Disabling a Detection Rule

You can enable or disable a detection rule. The current status is shown in the Status column of the table in the Detection Rules page.

To enable or disable a detection rule:

In the Status column, select Enabled or Disabled. You can also do this from the detection rule side panel when editing a detection rule.

Editing or Duplicating a Detection Rule

You can edit any existing detection rule to customize it to your needs, including system-created detection rules and rules you created. You can also duplicate an existing detection rule to create a new detection rule that is similar to an existing one. Duplicating a detection rule duplicates its logic, but not the configuration settings (like filter scopes, channels, severity, and so on). When you duplicate an existing detection rule, you configure it and give it a unique name.

Both editing and duplicating are done in the detection rule side panel.

In addition to changing the detection rule properties (like name, status, and severity) you can configure these properties:

  • Definition: In some detection rules, this field has options to configure.

  • Filter Scopes: Limit which entities should be detected.

  • Automated Response: Enable or disable automated response options, depending on the options enabled in the integration and on the permissions the cloud service user granted.

  • Channels: Enable or disable triggered notifications. To enable notifications, set Communication on, then enter an email address.

Global notifications affect all enabled detection rules.

To edit a detection rule:

  1. In the Detection Rules table, click the row that contains the detection rule you want to edit. The detection rule side panel is displayed.

  2. Configure the detection rule in the side panel.

  3. When finished, click Save Changes.

To duplicate a detection rule:

  1. In the Detection Rules table, open the More menu at the end of the row that contains the detection rule you want to duplicate.

  2. Select Duplicate.

  3. Enter a name for the duplicated detection rule.

  4. Click Duplicate. The detection rule side panel is displayed.

  5. Configure the detection rule in the side panel.

  6. When finished, click Save Changes.

You can also create a detection rule from a custom collection. For more information, see Creating a Detection Rule from a Custom Collection.

Deleting a Detection Rule

You can delete a detection rule that a cloud service user created by duplication or from a Collection. You can’t delete a system-created detection rule.

To delete a detection rule:

  1. From the Detection Rules table, click the More menu at the end of a detection rule row.

  2. Choose Delete. You can also do this from the detection rule side panel when editing a detection rule.

    If this option is not displayed, you cannot delete the detection rule.

Custom Policies

With custom policies, you can identify deviations from the desired configuration. This enhances overall security posture and helps detect drift.

Defining Custom Collections

You can use custom queries to specify sensitive collections inside your infrastructure, such as allowed permissions, resource configurations, or access policies.

Periodic Reporting

Schedule reports on a weekly or daily basis. Reports give insights into any changes or deviations occurring within the defined collections.

Real-Time Detection Rules

When a detection rule detects a drift from the defined collections, it triggers a real-time incident. Detection rules are instrumental in identifying unauthorized changes or configurations within the system. By leveraging detection rules, you can ensure timely responses to security incidents.

Built-In Remediation

The Delinea Platform offers built-in remediation actions to address detected drifts, like disabling a cloud service account or adding it to a group.

Example Scenario

To illustrate the practical application of drift detection, consider the following example scenario in which a rule detects unauthorized access to sensitive data.

Objective: Identify when any local cloud service user has a data update privilege on lambda functions.

To achieve the goal:

  1. Define an access policy query: Specify a query to identify local AWS users with data update privilege on lambda functions.

  2. Save the query as a custom collection: Once the access policy query is defined, save it as a custom collection within the platform. This collection will serve as the reference for detecting drifts in access permissions.

  3. Create a detection rule: Configure a detection rule to monitor deviations from the defined collection. In this example, the detection rule should trigger an incident whenever a local AWS user gains permission to update a lambda function.

  4. Monitor and respond: Regularly monitor the drift detection incidents generated by the platform. Upon receiving an incident indicating unauthorized access, take appropriate remediation actions, such as revoking access or blocking cloud service accounts.
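The query-and-rule logic of this scenario, written as an added Python example (not Delinea Platform code; the platform's own query language and incident format are not shown on this page): it models the custom collection as the set of local users whose policies grant Lambda update actions, saves a baseline, and raises one incident per user that later gains the privilege. Assumed: IAM-style policy documents as input, and lambda:UpdateFunctionCode / lambda:UpdateFunctionConfiguration as the "data update" actions.

```python
"""Added example, not Delinea Platform code: drift detection for the Lambda
update-privilege scenario. Assumes IAM-style policy documents as input."""
import fnmatch

# Assumption: the IAM actions that count as a "data update privilege" on Lambda.
LAMBDA_UPDATE_ACTIONS = {"lambda:UpdateFunctionCode", "lambda:UpdateFunctionConfiguration"}

def _as_list(value):
    # IAM allows "Statement" and "Action" to be a single item or a list.
    return value if isinstance(value, list) else [value]

def grants_lambda_update(policy: dict) -> bool:
    """True if any Allow statement covers a Lambda update action (wildcards included).
    Simplification: explicit Deny statements elsewhere are not evaluated."""
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            if any(fnmatch.fnmatchcase(action, pattern) for action in LAMBDA_UPDATE_ACTIONS):
                return True
    return False

def collect_lambda_updaters(users: dict) -> set:
    """The custom collection: local users whose attached policies grant Lambda updates."""
    return {name for name, policies in users.items()
            if any(grants_lambda_update(p) for p in policies)}

def detect_drift(baseline: set, current: set) -> list:
    """The detection rule: one incident per user that newly gained the privilege."""
    return [{"user": u, "finding": "gained Lambda update privilege"}
            for u in sorted(current - baseline)]

# Constructed sample snapshots: user name -> attached policy documents.
SNAPSHOT_BEFORE = {
    "deploy-bot": [{"Statement": [{"Effect": "Allow", "Action": "lambda:UpdateFunctionCode", "Resource": "*"}]}],
    "alice": [{"Statement": [{"Effect": "Allow", "Action": ["lambda:GetFunction"], "Resource": "*"}]}],
}
SNAPSHOT_AFTER = {
    "deploy-bot": SNAPSHOT_BEFORE["deploy-bot"],
    "alice": [{"Statement": [{"Effect": "Allow", "Action": "lambda:*", "Resource": "*"}]}],  # drift via wildcard
    "bob": [{"Statement": [{"Effect": "Deny", "Action": "lambda:*", "Resource": "*"}]}],  # Deny grants nothing
}

if __name__ == "__main__":
    baseline = collect_lambda_updaters(SNAPSHOT_BEFORE)  # the saved collection
    for incident in detect_drift(baseline, collect_lambda_updaters(SNAPSHOT_AFTER)):
        print(incident)
```

Running it reports one incident for alice (gained via the lambda:* wildcard) and none for bob, whose only statement is a Deny.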

Custom detection rules are a fundamental aspect of the Delinea Platform, empowering cloud service users to maintain the integrity and security of their systems and to detect drift. By leveraging custom collections, real-time detection rules, and automated remediation capabilities, you can effectively identify and respond to unauthorized changes, enhancing your overall security posture.