On the Detection Rules subtab of SecurityCoach, you can create and manage your detection rules. Detection rules identify what risky activity you want to track using the data provided by your integrated vendors. For example, you may want to detect when your users visit risky or prohibited websites, download malicious attachments, or click phishing links.
We offer system detection rules based on integrated vendors’ default policies. These rules are enabled by default and require no further configuration. You can also create custom detection rules for custom policies that you have set up in your vendors’ platforms.
If a user triggers a detection rule, an event will display on the user’s timeline. You can also use detection rules to create real-time coaching campaigns.
For general information about SecurityCoach, see our SecurityCoach Product Manual.
Preparing for Detection Rules
Before you begin working with your detection rules, we recommend following the steps below:
- Integrate your third-party vendors with SecurityCoach. For more information, see our Setting Up Integrations section.
- Add a delivery method for your SecurityTips. For more information, see our vendor integration guides listed below:
Creating a Custom Detection Rule
If you set up a custom policy for a vendor, you can create a custom detection rule for that policy. To work properly, custom detection rules must match custom policies.
To create a custom detection rule, follow the steps below:
- Log in to your KnowBe4 Security Awareness Training (KSAT) console and navigate to the SecurityCoach tab > Detection Rules subtab.
- Click the + Create Detection Rule button at the top-right corner of the page.
- Fill out the fields on the Create New Detection Rule page. For more information about these fields, see the screenshot and list below:
- Name: Enter a name for your detection rule.
- Enable Detection Rule: Select this check box to enable this rule when it is created. Detection rules must be enabled to add events to users’ timelines and to be used for real-time coaching campaigns.
- Vendor: Select a vendor for your detection rule.
Note: You must integrate vendors with SecurityCoach before they can be displayed in this drop-down menu. The KSAT vendor is integrated by default. For more information about integrating vendors, see our Setting Up Integrations section.
- Category: Select a category for your detection rule.
- Risk Level: Select a risk level for your detection rule.
- Description: Enter a description of your detection rule. For example, you could describe the purpose of the rule or include information that other admins may need to know about the rule.
- New Criterion: Create a criterion for your detection rule using the three drop-down lists. Then, click Add Criterion to add the criterion to your detection rule. If you would like, you can repeat this process to add additional criteria for your detection rule. For more information about the operators that you can use for the criterion, see the Detection Rule Operators section below.
- Trigger this rule any time a user has a qualifying event: Select this option to trigger this rule any time an event meets the set criteria.
- Trigger this rule when a user meets the minimum count of qualifying events within the set duration (days): Select this option to trigger this detection rule only when the criteria have been met a set number of times over a set number of days. For example, you can use this setting to trigger the detection rule for any users that have three qualifying events within 30 days.
For more information about the Minimum Count and the Duration (Days) fields, see below:
- Minimum Count: Enter the minimum number of qualifying events that a user must have to trigger this rule.
- Duration (Days): Enter the number of days a user has to meet the minimum count to trigger this rule.
- Create Rule: Confirm your settings and create the new detection rule.
- Cancel: Cancel the creation of the detection rule and return to the prior page.
- Click Create Rule.
Detection Rule Operators
You can use the following operators when creating a detection rule criterion.
| Operator | Description |
|---|---|
| Is | This operator checks if the field and value match. You can enter only one value when using this operator. |
| Is Not | This operator checks if the field and value do not match. You can enter only one value when using this operator. |
| Contains | This operator checks if the field contains the value. You can enter only one value when using this operator. |
| Does Not Contain | This operator checks if the field does not contain the value. You can enter only one value when using this operator. |
| Starts With | This operator checks if the field starts with the value. You can enter only one value when using this operator. |
| Ends With | This operator checks if the field ends with the value. You can enter only one value when using this operator. |
| Starts with Any Of | This operator checks if the field starts with any of the values. |
| Ends with Any Of | This operator checks if the field ends with any of the values. |
| Contains Any Of | This operator checks if the field contains any of the values. |
| Contains None Of | This operator checks if the field contains none of the values. |
| Is Any Of | This operator checks if the field matches any of the values. |
| Is None Of | This operator checks if the field does not match any of the values. |
Managing and Editing Detection Rules
To manage and edit your detection rules, navigate to the SecurityCoach tab > Detection Rules subtab.
To learn more about the options on the Detection Rules subtab, see the screenshot and list below:
- Status: Click this drop-down menu to filter detection rules by status. You can select All, Active, Inactive, or Maintenance.
- Type: Click this drop-down menu to filter detection rules by type. You can select All, Custom, or System.
- Vendors: Click this drop-down menu to filter detection rules by vendor.
- Category: Click this drop-down menu to filter detection rules by category.
- Search: Enter keywords in this field to search for a specific detection rule.
- Table: This table includes a list of your detection rules. For each detection rule, you can see the Name, Rule Description, Type, Vendor, Category, Modified Date, and Actions you can take.
- Toggle: Use this toggle to enable or disable a detection rule. If the toggle is turned off, the detection rule is disabled. If the toggle is turned on, the detection rule is enabled.
- Plus icon: Click this icon to create a real-time coaching campaign for a detection rule. When you click this icon, you will be taken to the Create New Real-Time Coaching Campaign page. For more information about real-time coaching campaigns, see our Creating and Managing Real-Time Coaching Campaigns article.
- Eye icon: Click this icon to view the system detection rule. When you click this icon, you will be taken to the View Detection Rule page, where you can view the details for the system detection rule.
- Plus icon: Click this icon to create a real-time coaching campaign for the detection rule. When you click this icon, you will be taken to the Create New Real-Time Coaching Campaign page. For more information about real-time coaching campaigns, see our Real-Time Coaching Campaigns Guide.
- Three dots icon: Click this icon to open a drop-down menu with the following options:
- Edit: Click this icon to open the Edit Detection Rule page. On this page, you can edit a custom detection rule as needed. Options that are grayed out cannot be changed. Then, click the Save button at the bottom-left corner of the page to save your changes.
Note: If the detection rule was cloned from a system detection rule, you can also click the Restore Default Settings button to return the rule to its default settings.
- Clone: Click this icon to clone a system detection rule. When you click this icon, you will be taken to the Clone Detection Rule page. On this page, you can make changes to the rule and save it as a custom rule.
- Delete: Click this icon to delete a custom detection rule.
- + Create Detection Rule: Click this button to create a new detection rule.
Example Detection Rule
See the screenshot below for an example of a detection rule:
In this example, the following criteria were added to the detection rule:
- Threat Category is bulk forwarding by user.
- Threat Category is Suspicious email forwarding activity.
This detection rule will be triggered when either criterion is met. Using this configuration, a user would need to either have suspicious email forwarding activity or be forwarding emails in bulk to trigger this rule.
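To make the operator table, the two trigger options (any qualifying event, or a minimum count within a set duration in days) and the either-criterion behaviour of this example rule concrete, here is an added Python example. It is not SecurityCoach code and not part of this article; it is a small evaluator that applies the same operators and trigger modes to a handful of constructed events. Assumptions the article does not state: string comparisons are case-insensitive, a criterion is a (field, operator, value) triple evaluated against a flat event dictionary, the duration window ends at evaluation time with inclusive boundaries, and the user ids, timestamps and threat categories in the sample events are made up.

```python
from datetime import datetime, timedelta


# Assumption (not stated in the article): comparisons are case-insensitive.
def _norm(s):
    return str(s).casefold()


# One callable per operator from the Detection Rule Operators table.
# Single-value operators take one string; the "Any Of"/"None Of" operators take a list.
OPERATORS = {
    "Is": lambda f, v: _norm(f) == _norm(v),
    "Is Not": lambda f, v: _norm(f) != _norm(v),
    "Contains": lambda f, v: _norm(v) in _norm(f),
    "Does Not Contain": lambda f, v: _norm(v) not in _norm(f),
    "Starts With": lambda f, v: _norm(f).startswith(_norm(v)),
    "Ends With": lambda f, v: _norm(f).endswith(_norm(v)),
    "Starts with Any Of": lambda f, vs: any(_norm(f).startswith(_norm(v)) for v in vs),
    "Ends with Any Of": lambda f, vs: any(_norm(f).endswith(_norm(v)) for v in vs),
    "Contains Any Of": lambda f, vs: any(_norm(v) in _norm(f) for v in vs),
    "Contains None Of": lambda f, vs: not any(_norm(v) in _norm(f) for v in vs),
    "Is Any Of": lambda f, vs: _norm(f) in {_norm(v) for v in vs},
    "Is None Of": lambda f, vs: _norm(f) not in {_norm(v) for v in vs},
}


def criterion_matches(event, criterion):
    """criterion is a (field, operator, value) triple; an event lacking the field never matches."""
    field, op, value = criterion
    if op not in OPERATORS:
        raise ValueError(f"unknown operator: {op}")
    if field not in event:
        return False
    return OPERATORS[op](event[field], value)


def event_qualifies(event, criteria):
    """An event qualifies when ANY criterion matches, as in the example rule above."""
    return any(criterion_matches(event, c) for c in criteria)


def evaluate_rule(rule, events, now):
    """Return the sorted user ids that trigger the rule as of `now`."""
    qualifying = [e for e in events if event_qualifies(e, rule["criteria"])]
    if rule["trigger"] == "any":
        # "Trigger this rule any time a user has a qualifying event"
        return sorted({e["user"] for e in qualifying})
    # "Minimum count within duration (days)": count each user's qualifying events
    # inside [now - duration_days, now] (boundaries assumed inclusive).
    window_start = now - timedelta(days=rule["duration_days"])
    counts = {}
    for e in qualifying:
        if window_start <= e["time"] <= now:
            counts[e["user"]] = counts.get(e["user"], 0) + 1
    return sorted(u for u, c in counts.items() if c >= rule["min_count"])


# The two criteria from the example rule above, joined with OR by event_qualifies().
CRITERIA = [
    ("Threat Category", "Is", "bulk forwarding by user"),
    ("Threat Category", "Is", "Suspicious email forwarding activity"),
]
ANY_RULE = {"criteria": CRITERIA, "trigger": "any"}
THRESHOLD_RULE = {"criteria": CRITERIA, "trigger": "threshold", "min_count": 3, "duration_days": 30}

NOW = datetime(2024, 6, 30)
# Constructed sample events (hypothetical users, dates and categories, not real vendor data).
EVENTS = [
    {"user": "alice", "time": datetime(2024, 6, 5), "Threat Category": "bulk forwarding by user"},
    {"user": "alice", "time": datetime(2024, 6, 12), "Threat Category": "Suspicious email forwarding activity"},
    {"user": "alice", "time": datetime(2024, 6, 20), "Threat Category": "Bulk Forwarding By User"},
    {"user": "bob", "time": datetime(2024, 6, 15), "Threat Category": "Suspicious email forwarding activity"},
    {"user": "bob", "time": datetime(2024, 6, 16), "Threat Category": "Malicious attachment"},
    {"user": "carol", "time": datetime(2024, 4, 1), "Threat Category": "bulk forwarding by user"},
    {"user": "carol", "time": datetime(2024, 4, 10), "Threat Category": "bulk forwarding by user"},
    {"user": "carol", "time": datetime(2024, 6, 25), "Threat Category": "bulk forwarding by user"},
]

if __name__ == "__main__":
    print("any qualifying event:", evaluate_rule(ANY_RULE, EVENTS, NOW))
    print("3 events within 30 days:", evaluate_rule(THRESHOLD_RULE, EVENTS, NOW))
```

With these sample events the any-event rule fires for all three users, while the three-in-30-days rule fires only for alice: bob has a single qualifying event and two of carol's three fall outside the 30-day window, which is exactly the noise the minimum-count trigger is meant to filter out. Widening the window (for example one event within 90 days) brings carol back in, so the window length is as much a part of the rule as the criteria.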