Managing Detection Rules

Detection Rules Guide

On the Detection Rules subtab of SecurityCoach, you can create and manage your detection rules. Detection rules identify what risky activity you want to track using the data provided by your integrated vendors. For example, you may want to detect when your users visit risky or prohibited websites, download malicious attachments, or click phishing links.

We offer system detection rules based on integrated vendors’ default policies. These rules are enabled by default and require no further configuration. You can also create custom detection rules for custom policies that you have set up in your vendors’ platforms.

If a user triggers a detection rule, an event will display on the user’s timeline. You can also use detection rules to create real-time coaching campaigns.

For general information about SecurityCoach, see our SecurityCoach Product Manual.

Preparing for Detection Rules

Before you begin working with your detection rules, we recommend following the steps below:

  1. Integrate your third-party vendors with SecurityCoach. For more information, see our Setting Up Integrations section.
  2. Add a delivery method for your SecurityTips. For more information, see our vendor integration guides.
  3. Map your users to identifiers for your endpoint security vendors. For more information, see our Mapping Users in SecurityCoach article.

Creating a Custom Detection Rule

If you set up a custom policy for a vendor, you can create a custom detection rule for that policy. A custom detection rule only works if its criteria match the custom policy as it is configured in the vendor's platform.

Important: Custom detection rules should only be used if you have set up a corresponding custom policy in a vendor's platform. KnowBe4 support for custom detection rules is limited and does not include the creation of custom rules.

To create a custom detection rule, follow the steps below:

  1. Log in to your KSAT console and navigate to SecurityCoach > Detection Rules.
  2. Click the + Create Detection Rule button at the top-right corner of the page.
  3. Fill out the fields on the Create New Detection Rule page. For more information about these fields, see below:
    1. Name: Enter a name for your detection rule.

    2. Vendor: Select a vendor for your detection rule.

      Note: You must integrate vendors with SecurityCoach before they can display in this drop-down menu. For more information about integrating vendors, see our Setting Up Integrations section.
    3. Category: Select a category for your detection rule.

    4. Description: Enter a description of your detection rule. For example, you could describe the purpose of the rule or include information that other admins may need to know about the rule.

    5. New Criterion: Create a criterion for your detection rule using the drop-down lists. Then, click Add Criterion to add the criterion to your detection rule. If you would like, you can repeat this process to add additional criteria for your detection rule. For more information about the operators that you can use for the criterion, see the Detection Rule Operators section below.

    6. Trigger this rule when a user meets the minimum count of qualifying events within the set duration (days): Select this option to trigger this detection rule only when the criteria are met a set number of times over a set number of days. For example, you can use this setting to trigger the detection rule for any user who has three qualifying events within 30 days.

      For more information about the Minimum Count and the Duration (Days) fields, see below:

      • Minimum Count: Enter the minimum number of qualifying events that a user must have to trigger this rule.
      • Duration (Days): Enter the number of days a user has to meet the minimum count to trigger this rule.
    7. Trigger this rule any time a user has a qualifying event: Select this option to trigger this rule any time an event meets the set criteria.

    8. Enable Detection Rule: Select this check box to enable this rule when it is created. Detection rules must be enabled to add events to users’ timelines and be used for real-time coaching campaigns.

  4. Click Create Rule.

Detection Rule Operators

You can use the following operators when creating a detection rule criterion.

Operator | Description
Is | Matches when the field equals the value. Accepts one value.
Is Not | Matches when the field does not equal the value. Accepts one value.
Contains | Matches when the field contains the value. Accepts one value.
Does Not Contain | Matches when the field does not contain the value. Accepts one value.
Starts With | Matches when the field starts with the value. Accepts one value.
Ends With | Matches when the field ends with the value. Accepts one value.
Starts with Any Of | Matches when the field starts with any of the listed values.
Ends with Any Of | Matches when the field ends with any of the listed values.
Contains Any Of | Matches when the field contains any of the listed values.
Contains None Of | Matches when the field contains none of the listed values.
Is Any Of | Matches when the field equals any of the listed values.
Is None Of | Matches when the field equals none of the listed values.

Managing and Editing Detection Rules

To manage and edit your detection rules, navigate to SecurityCoach > Detection Rules.

To learn more about the options on the Detection Rules subtab, see below:

  1. Status: Click this drop-down menu to filter detection rules by status. You can select All, Active, or Inactive.
  2. Type: Click this drop-down menu to filter detection rules by type. You can select All, Custom, or System.
  3. Vendors: Click this drop-down menu to filter detection rules by vendor.
  4. Category: Click this drop-down menu to filter detection rules by category.
  5. Search: Enter keywords in this field to search for a specific detection rule.
  6. + Create Detection Rule: Click this button to create a new detection rule.
  7. Table: This table includes a list of your detection rules. For each detection rule, you can see the Name, Rule Description, Type, Vendor, Category, and Modified Date.
  8. Toggle: Use this toggle to enable or disable a detection rule. If the toggle is turned off, the detection rule is disabled. If the toggle is turned on, the detection rule is enabled.
  9. Plus icon: Click this icon to create a real-time coaching campaign for a detection rule. When you click this icon, you will be taken to the Create New Real-Time Coaching Campaign page. For more information about real-time coaching campaigns, see our Creating and Managing Real-Time Coaching Campaigns article.
  10. Pencil icon: Click this icon to open the Edit Detection Rule page. On this page, you can edit a custom detection rule as needed. Options that are grayed out cannot be changed. When you are finished, click the Save button at the bottom-left corner of the page to save your changes.
    Note: If the detection rule was cloned from a system detection rule, you can also click the Restore Default Settings button to return the rule to its default settings.
  11. Trashcan icon: Click this icon to delete a custom detection rule.
  12. Eye icon: Click this icon to view a system detection rule. When you click this icon, you will be taken to the View Detection Rule page where you can view the details for the system detection rule.
  13. Clone icon: Click this icon to clone a system detection rule. When you click this icon, you will be taken to the Clone Detection Rule page. On this page, you can make changes to the rule and save it as a custom rule.

Example Detection Rule

In the following example, two criteria were added to the detection rule:

  • Threat Category is Malicious PDF.
  • Threat Category is Malicious Office Document.

This detection rule is triggered when either criterion is met, so a user triggers it by having either a malicious PDF file or a malicious Office document detected on their device. Because both criteria test the same field, the rule could equally be written as a single criterion using the Is Any Of operator (Threat Category is any of Malicious PDF, Malicious Office Document).
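To make the operator semantics and the "minimum count within duration" trigger concrete, the following Python model evaluates the example rule above, its single-criterion Is Any Of equivalent, and a three-events-in-30-days variant over a few constructed events. This is an added example, not KnowBe4 code, and SecurityCoach's real evaluation engine is not exposed; the field name threat_category, the sample events, exact (case-sensitive) matching, combining criteria with OR beyond the two-criterion case shown on the page, a sliding window measured back from each event, and resetting the window once the rule fires are all assumptions rather than documented behaviour.

```python
"""Model of how a SecurityCoach detection rule is evaluated.

Added example, not KnowBe4 code. It implements the operators from the
Detection Rule Operators table, the OR-of-criteria behaviour shown in the
example rule, and the "minimum count within duration (days)" trigger.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Operator name -> predicate(field_value, rule_value). Single-value operators
# take a str; the "Any Of" / "None Of" operators take a tuple of str.
# Case sensitivity is not specified on the page; this model compares exactly.
OPERATORS = {
    "Is":                 lambda f, v: f == v,
    "Is Not":             lambda f, v: f != v,
    "Contains":           lambda f, v: v in f,
    "Does Not Contain":   lambda f, v: v not in f,
    "Starts With":        lambda f, v: f.startswith(v),
    "Ends With":          lambda f, v: f.endswith(v),
    "Starts with Any Of": lambda f, vs: any(f.startswith(v) for v in vs),
    "Ends with Any Of":   lambda f, vs: any(f.endswith(v) for v in vs),
    "Contains Any Of":    lambda f, vs: any(v in f for v in vs),
    "Contains None Of":   lambda f, vs: not any(v in f for v in vs),
    "Is Any Of":          lambda f, vs: f in vs,
    "Is None Of":         lambda f, vs: f not in vs,
}


@dataclass(frozen=True)
class Criterion:
    field: str
    operator: str
    value: object  # str, or tuple of str for the multi-value operators

    def matches(self, event: Dict[str, object]) -> bool:
        return OPERATORS[self.operator](str(event.get(self.field, "")), self.value)


@dataclass
class DetectionRule:
    name: str
    criteria: List[Criterion]
    minimum_count: int = 1               # used only when duration_days is set
    duration_days: Optional[int] = None  # None = fire on any qualifying event

    def qualifies(self, event: Dict[str, object]) -> bool:
        # The page's example fires when *either* criterion matches, so criteria
        # are combined with OR here (assumed to hold for any number of criteria).
        return any(c.matches(event) for c in self.criteria)

    def evaluate(self, events) -> List[Tuple[str, str]]:
        """Return (user, ISO date) pairs for each time the rule fires."""
        fired: List[Tuple[str, str]] = []
        history: Dict[str, List[date]] = {}  # qualifying-event dates per user
        for ev in sorted(events, key=lambda e: e["date"]):
            if not self.qualifies(ev):
                continue
            user, day = str(ev["user"]), ev["date"]
            if self.duration_days is None:
                fired.append((user, day.isoformat()))
                continue
            # Assumed sliding window: keep only this user's qualifying events
            # from the last duration_days, then compare against minimum_count.
            window = history.setdefault(user, [])
            window.append(day)
            cutoff = day - timedelta(days=self.duration_days)
            window[:] = [d for d in window if d > cutoff]
            if len(window) >= self.minimum_count:
                fired.append((user, day.isoformat()))
                window.clear()  # assumption: one cluster of events fires once
        return fired


# Constructed sample events in the shape a vendor integration might report.
SAMPLE_EVENTS = [
    {"user": "alice", "date": date(2024, 3, 1),  "threat_category": "Malicious PDF"},
    {"user": "alice", "date": date(2024, 3, 10), "threat_category": "Malicious Office Document"},
    {"user": "alice", "date": date(2024, 3, 20), "threat_category": "Adware"},
    {"user": "alice", "date": date(2024, 3, 25), "threat_category": "Malicious PDF"},
    {"user": "bob",   "date": date(2024, 1, 5),  "threat_category": "Malicious PDF"},
    {"user": "bob",   "date": date(2024, 2, 20), "threat_category": "Malicious PDF"},
    {"user": "bob",   "date": date(2024, 4, 1),  "threat_category": "Malicious PDF"},
]

# The page's example: two "Is" criteria on Threat Category.
MALICIOUS_DOC_CRITERIA = [
    Criterion("threat_category", "Is", "Malicious PDF"),
    Criterion("threat_category", "Is", "Malicious Office Document"),
]


def example_rule() -> DetectionRule:
    return DetectionRule("Malicious document", MALICIOUS_DOC_CRITERIA)


def example_rule_any_of() -> DetectionRule:
    # The same rule written as one criterion with "Is Any Of".
    return DetectionRule("Malicious document", [Criterion(
        "threat_category", "Is Any Of", ("Malicious PDF", "Malicious Office Document"))])


def repeat_offender_rule() -> DetectionRule:
    # Same criteria, but fire only on 3 qualifying events within 30 days.
    return DetectionRule("Repeat malicious documents", MALICIOUS_DOC_CRITERIA,
                         minimum_count=3, duration_days=30)


if __name__ == "__main__":
    for rule in (example_rule(), example_rule_any_of(), repeat_offender_rule()):
        print(rule.name, "->", rule.evaluate(SAMPLE_EVENTS))
```

Running the script shows the two forms of the example rule firing on the same six events, while the 30-day variant fires only once, for alice on 2024-03-25: bob also has three malicious PDF detections, but no three of them fall inside any 30-day window, which is exactly the distinction the minimum-count trigger is meant to draw between a repeat offender and scattered one-off events.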
