How to Use Detection Rules
On the Detection Rules subtab of SecurityCoach, you can create and manage your detection rules. Detection rules identify what risky activity you want to track using the data provided by your integrated vendors. For example, you may want to detect when your users visit risky or prohibited websites, download malicious attachments, or click phishing links.
We offer system detection rules based on integrated vendors’ default policies. These rules are enabled by default and require no further configuration. You can also create custom detection rules for custom policies that you have set up in your vendors’ platforms.
If a user triggers a detection rule, an event will display on the user’s timeline. You can also use detection rules to create real-time coaching campaigns.
Click the links below to learn how to create and manage detection rules. For general information about SecurityCoach, see our SecurityCoach Product Manual.
Preparing for Detection Rules
Before you begin working with your detection rules, we recommend following the steps below:
- Integrate your third-party vendors with SecurityCoach. For more information, see our Vendor Integration Guides.
- Map your users to identifiers so that they can be linked to events from your integrated vendors. For more information, see our Mapping Users in SecurityCoach article.
- Set up the delivery method for your SecurityTips. For more information, see our Microsoft Teams Integration Guide for SecurityCoach or our Slack Integration Guide for SecurityCoach.
Creating a Custom Detection Rule
If you set up a custom policy for a vendor, you can create a custom detection rule for that policy. To work properly, custom detection rules must match custom policies.
Important: Custom detection rules should only be used if you have set up a corresponding custom policy in a vendor’s platform. KnowBe4 support for custom detection rules is limited and does not include the creation of custom rules.
To create a custom detection rule, follow the steps below:
- Log in to your KMSAT console and navigate to SecurityCoach > Detection Rules.
- Click the + Create Detection Rule button at the top-right corner of the page.
- Fill out the fields on the Create New Detection Rule page. For more information about these fields, see below:
Name: Enter a name for your detection rule.
Vendor: Select a vendor for your detection rule.
Note: You must integrate vendors with SecurityCoach before they can display in this drop-down menu. For more information about integrating vendors, see our Vendor Integration Guides.
Category: Select a category for your detection rule.
Description: Enter a description of your detection rule. For example, you could describe the purpose of the rule or include information that other admins may need to know about the rule.
New Criterion: Create a criterion for your detection rule using the drop-down lists. Then, click Add Criterion to add the criterion to your detection rule. If you would like, you can repeat this process to add additional criteria for your detection rule. For an example detection rule, see the Example Detection Rule subsection below.
Trigger this rule when a user meets the minimum count of qualifying events within the set duration (days): Select this option to trigger this detection rule only when the criteria are met a set number of times over a set number of days. For example, you can use this setting to trigger the detection rule for any users that have three qualifying events within 30 days.
For more information about the Minimum Count and the Duration (Days) fields, see below:
- Minimum Count: Enter the minimum number of qualifying events that a user must have to trigger this rule.
- Duration (Days): Enter the number of days a user has to meet the minimum count to trigger this rule.
Trigger this rule any time a user has a qualifying event: Select this option to trigger this rule any time an event meets the set criteria.
Enable Detection Rule: Select this check box to enable this rule when it is created. Detection rules must be enabled to add events to users’ timelines and be used for real-time coaching campaigns.
- Click Create Rule.
Managing and Editing Detection Rules
To manage and edit your detection rules, navigate to SecurityCoach > Detection Rules.
To learn more about the options on the Detection Rules subtab, see below:
- Status: Click this drop-down menu to filter which type of detection rules you would like to view. You can select All, Active, or Inactive.
- Vendors: Click this drop-down menu to filter detection rules by vendor.
- Category: Click this drop-down menu to filter detection rules by category.
- Search: Enter keywords to search for a specific detection rule.
- Create Detection Rule: Click this button to create a new detection rule.
- Name: This table includes a list of your detection rules. For each detection rule, you can see the Description, Vendor, and Category.
- Toggle: Use this toggle to enable or disable a detection rule. If the toggle is turned off, the detection rule is disabled. If the toggle is turned on, the detection rule is enabled.
- Create: Click the plus icon to create a real-time coaching campaign for a detection rule. When you click this icon, you will be taken to the Create New Real-Time Coaching Campaign page. For more information about real-time coaching campaigns, see our Creating and Managing Real-Time Coaching Campaigns article.
- Edit: Click the pencil icon to open the Edit Detection Rule page. On this page, you can edit a detection rule as needed. Options that are grayed out cannot be changed. Then, click the Save button at the bottom-left corner of the page to save your changes.
Note: If the detection rule is a system rule, you can also click the Reset System Rule button to return the rule to its default settings.
Example Detection Rule
See the screenshot below for an example of a detection rule. In this example, the following criteria were added to the detection rule:
- Threat Category is Malicious PDF.
- Threat Category is Malicious Office Document.
This detection rule will be triggered when either criterion is met. This means that a user would need to either have a malicious PDF file or malicious Office document on their device to trigger this rule.
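The following Python is an added illustration of the rule semantics described on this page, not KnowBe4 code (SecurityCoach's own evaluation logic is not published): the OR-ed criteria of the example rule above, and the "minimum count within duration (days)" option from the Creating a Custom Detection Rule section, run over constructed events. The sliding alignment of the day window is an assumption.

```python
from datetime import date, timedelta

# Constructed sample events; not product data. Each is (user, event date,
# vendor "Threat Category" value) as a vendor integration might report it.
EVENTS = [
    ("alice", date(2024, 1, 3), "Malicious PDF"),
    ("alice", date(2024, 1, 10), "Phishing URL"),
    ("alice", date(2024, 1, 20), "Malicious Office Document"),
    ("alice", date(2024, 2, 25), "Malicious PDF"),
    ("bob", date(2024, 1, 5), "Malicious PDF"),
    ("bob", date(2024, 1, 6), "Malicious Office Document"),
    ("bob", date(2024, 1, 7), "Malicious PDF"),
    ("carol", date(2024, 1, 8), "Phishing URL"),
]

# Criteria from the page's example rule; the rule fires on either one.
EXAMPLE_CRITERIA = [("Threat Category", "Malicious PDF"),
                    ("Threat Category", "Malicious Office Document")]


def qualifies(category, criteria):
    """An event qualifies when ANY criterion matches (OR semantics)."""
    return any(field == "Threat Category" and value == category
               for field, value in criteria)


def triggered_users(events, criteria, minimum_count=1, duration_days=None):
    """Users who trigger the rule. minimum_count=1 with no duration models
    'trigger any time a user has a qualifying event'; otherwise minimum_count
    qualifying events must fall within a duration_days span (sliding window
    assumed; the page does not state how the window is aligned)."""
    per_user = {}
    for user, when, category in events:
        if qualifies(category, criteria):
            per_user.setdefault(user, []).append(when)
    triggered = set()
    for user, dates in per_user.items():
        if duration_days is None:
            if len(dates) >= minimum_count:
                triggered.add(user)
            continue
        dates.sort()
        for i in range(len(dates) - minimum_count + 1):
            # the minimum_count-th event from dates[i] must land inside the window
            if dates[i + minimum_count - 1] - dates[i] <= timedelta(days=duration_days):
                triggered.add(user)
                break
    return triggered
```

With the constructed data, the any-time rule flags alice and bob, while "three qualifying events within 30 days" flags only bob, because alice's three qualifying events span 53 days.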