Detection Rules


Detection Rules Description: A catalog of security rules. By default, they are based on built-in rules, but you can create custom rules based on collections. A rule's result is an incident.

A detection rule is a set of security conditions you configure, so that when those conditions are met, the rule triggers an incident for an administrator to examine. For example, the Admin Discovered detection rule generates an incident whenever a new cloud service “admin” user is discovered. The detection rule engine runs autonomously, checking detection rules whenever a new integration is enabled, and periodically thereafter.

To see the Detection Rules page and its table, click Threat Center > Detection Rules from the main menu. By default, the Detection Rules table displays enabled detection rules from the Threat category. These are sorted by the number of incidents, in descending order.

To see more details about a detection rule, click its name and examine the side panel that is displayed.

To see the list of incidents the detection rule generated, click the number in the Incidents column, or click the More menu and choose View Incidents. For more information, see Incidents.

The Detection Rules Table

The Detection Rules page displays a table with the following information next to the name of each detection rule:

| Column | Description | Example values |
| --- | --- | --- |
| Apps | The applications that the detection rule tracks | AWS, Okta, GCP, GitHub and more |
| Severity | Severity of the detection rule | Critical, High, Medium, Low |
| Incidents | The number of incidents that this detection rule triggered. Closed or resolved incidents are not shown. | Number |
| Categories | The categories to which the detection rule belongs | Threats, Privileged Access, Stale Access, Key Management, Security Baseline, Authentication |
| MITRE | Related MITRE ATT&CK tactics | For example: Credential access, Initial access, Defense evasion |
| Channels | The enabled communication method | Email |
| Automated Response | Automated response is enabled (for at least one application) | True or False |
| Status | The detection rule status | Enabled: Incidents are created. Notifications will be sent if they were configured for the detection rule. Disabled: Detection rule is not active, and incidents are not created. |
| Compliance (hidden until selected) | Compliance frameworks that are relevant to the detection rule | List of relevant compliance frameworks |
| Owner (hidden until selected) | Displays who created this detection rule | Delinea (created by the system) or Other (created by user) |

Filter, search, and sort the Detection Rules table

To change which detection rules are displayed, filter and sort the table's data using the filters above the table. When you filter, the selections you make are shown in the filter bar. To search for a detection rule by name, type text into the search field.

By default, the table is sorted by incident count, in descending order. To sort the table differently, click a column heading to sort by. If needed, click it again to reverse the sort order.

Configure Detection Rules

You can perform the following configuration actions on an existing detection rule:

  • Enable or disable

  • Edit or duplicate

  • Delete

Enable or Disable a Detection Rule

You can enable or disable a detection rule. The current status is shown in the Status column of the table. To enable or disable a detection rule, select Enabled or Disabled in the Status column. You can also do this from the detection rule side panel when editing a detection rule.

Edit or Duplicate a Detection Rule

You can edit any existing detection rule to customize it to your needs, including system-created detection rules and rules you created. You can also duplicate an existing detection rule, for example, to create a new detection rule that is similar to an existing one. Duplicating a detection rule duplicates its logic, but not the configuration settings (like filter scopes, channels, severity, etc.). When you duplicate an existing detection rule, you will configure it and give it a unique name.

Both editing and duplicating are done in the detection rule side panel.

In addition to changing the detection rule properties (like name, status, severity) you can configure these properties:

  • Definition: In some detection rules, this field has options to configure.

  • Filter Scopes: Limit which entities should be detected.

  • Automated Response: Enable or disable automated response options, depending on the options enabled in the integration and on the permissions the cloud service user granted.

  • Channels: Enable or disable triggered notifications. To enable notifications, toggle Communication on, then:

    • Email: Type an address.

Global notifications will affect all enabled detection rules.

To edit a detection rule:

  1. Click in the detection rule row. The detection rule side panel is displayed.

  2. Configure the detection rule in the side panel.

  3. When finished, click Save Changes.

To duplicate a detection rule:

  1. Click the More menu at the end of a detection rule row.

  2. Choose Duplicate.

  3. Enter a name for the duplicated detection rule.

  4. Click Duplicate. The detection rule side panel is displayed.

  5. Configure the detection rule in the side panel.

  6. When finished, click Save Changes.

Delete a Detection Rule

You can’t delete a system-created detection rule, but you can delete a detection rule created by a cloud service user (by duplication or from a Collection).

To delete a detection rule:

  1. From the Detection Rules table, click the More menu at the end of a detection rule row.

  2. Choose Delete. You can also do this from the detection rule side panel when editing a detection rule. If this option is not displayed, you cannot delete the detection rule.

You can create a detection rule from a custom collection. For more information, see Create a Detection Rule from a Custom Collection.

Custom Policies

Custom policies empower users to identify deviations from the desired configuration, thereby enhancing overall security posture and helping to detect drift.

1. Defining Custom Collections:

You can use custom queries to specify sensitive collections inside your infrastructure, such as allowed permissions, resource configurations, or access policies.

2. Periodic Reporting:

Schedule reports on a weekly or daily basis, providing insights into any changes or deviations occurring within the defined collections.

3. Real-Time Detection Rules:

Detection rules trigger real-time incidents upon detecting a drift from the defined collections. These rules are instrumental in identifying unauthorized changes or configurations within the system. By leveraging detection rules, you can ensure timely responses to security incidents.

4. Built-In Remediation:

Our platform offers built-in remediation actions to address detected drifts, such as disabling a cloud service account or adding it to a group. For more details, review the full topic.

Example Scenario:

To illustrate the practical application of drift detection, let's consider the following scenario of detecting Unauthorized Access to Sensitive Data:

Objective: Identify when any local cloud service user has a data update privilege on Lambda functions.

How would we achieve that?

  1. Define an Access Policy Query: Specify a query to identify local AWS users with data update privilege on Lambda functions.

  2. Save the Query as a Custom Collection: Once the access policy query is defined, save it as a custom collection within the platform. This collection will serve as the reference for detecting drifts in access permissions.

  3. Create a Detection Rule: Configure a detection rule to monitor deviations from the defined collection. In this scenario, the detection rule should trigger an incident whenever a local AWS user gains permission to update a Lambda function.

  4. Monitor and Respond: Regularly monitor the drift detection incidents generated by the platform. Upon receiving an incident indicating unauthorized access, take appropriate remediation actions, such as revoking access or blocking cloud service accounts.
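The four steps above, worked through as an added Python example that is not the platform's own query language or code: the collection query (step 1) is modelled as a predicate over a user's allowed IAM actions, the saved collection (step 2) is the rule's baseline, and the rule (step 3) raises an incident only for users who newly match, so a later run reports only further drift. The `LAMBDA_UPDATE_ACTIONS` list, the `User` and `DetectionRule` types and the `SNAPSHOT` data are assumptions constructed for illustration.

```python
import fnmatch
from dataclasses import dataclass, field

# Assumption: these IAM actions are what "data update privilege on Lambda" means here.
LAMBDA_UPDATE_ACTIONS = ("lambda:UpdateFunctionCode", "lambda:UpdateFunctionConfiguration")

@dataclass
class User:
    name: str
    local: bool                 # True for IAM users; False for federated/assumed identities
    allowed_actions: list       # actions from Allow statements, possibly wildcards like "lambda:*"

def grants_lambda_update(user):
    """Collection query: does any Allow action pattern cover a Lambda update action?"""
    return any(fnmatch.fnmatchcase(action, pattern)
               for pattern in user.allowed_actions
               for action in LAMBDA_UPDATE_ACTIONS)

def evaluate_collection(users):
    """Return the names of local users that currently match the collection query."""
    return {u.name for u in users if u.local and grants_lambda_update(u)}

@dataclass
class DetectionRule:
    name: str
    severity: str
    enabled: bool = True
    baseline: set = field(default_factory=set)   # saved collection from the previous run

    def run(self, users):
        """Compare the current collection with the baseline; each newly matching user is an incident."""
        if not self.enabled:                      # Disabled rules create no incidents
            return []
        current = evaluate_collection(users)
        drifted = sorted(current - self.baseline)
        self.baseline = current                   # the next run reports only further changes
        return [{"rule": self.name, "severity": self.severity, "user": u,
                 "reason": "local user gained Lambda update privilege"} for u in drifted]

# Constructed sample snapshot of a cloud account; not real identities or policies.
SNAPSHOT = [
    User("ci-deployer", True, ["lambda:UpdateFunctionCode", "s3:GetObject"]),
    User("analyst", True, ["lambda:GetFunction", "lambda:ListFunctions"]),
    User("new-admin", True, ["*"]),                # full wildcard covers the update actions
    User("federated-dev", False, ["lambda:*"]),    # not a local user, so outside the collection
]
```

Running `DetectionRule("Lambda update drift", "High", baseline={"ci-deployer"}).run(SNAPSHOT)` yields a single incident for `new-admin`; a second run on the same snapshot yields none.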

Custom detection rules are a fundamental aspect of our platform, empowering cloud service users to maintain the integrity and security of their systems and to detect drift. By leveraging custom collections, real-time detection rules, and automated remediation capabilities, users can effectively identify and respond to unauthorized changes, thereby enhancing overall security posture.