Rules Overview
  • 24 Dec 2023

The Findings Center includes two types of Findings Rules:

  • Custom rules (rule type = System Rule) - Integrated rules, plus rules that you create on any query and entity type: both assets and system events (adapter fetches, activity logs), as well as existing system notifications (CPU, memory, and more).
  • Behavior Analytics (BA) rules - Predefined rules and algorithms integrated into Axonius. You cannot create new BA rules.

Alerts are triggered based on these rules.

From the Rules Manager tab in the Findings center, you can do the following:

  • Customize new Custom rules.
  • Create new Custom rules based on Axonius predefined rule templates.
  • Update the configuration of a BA rule (severity and mute conditions).
  • Activate/deactivate rules.

You can configure Custom rules to trigger alerts based on complex conditions, including:

  • Single query criteria thresholds - Checks whether a query returns more or fewer assets than a specified number. For example, checks for more/fewer than Y adapter connections.
  • Query comparison - Compares the number of assets returned by two different queries. Queries can be of two different asset types, thus supporting cross-entity comparisons. Creates an alert if Query A returns X% more assets than Query B.
  • Timeline comparison - Compares simple and multiple queries over time. Creates an alert if Query A returns X% more assets today than it did yesterday.

These condition types cover all use cases and can be adapted to different vendors and asset types.

You can configure how often to run a Custom rule to check for alerts, as well as how often to mute notifications on alerts to ensure optimal signal-to-noise ratio in your system. For example, you can configure a Custom rule to create an alert if Tanium coverage suddenly drops. However, as you know that it usually takes one or two weeks to fix such an issue, you can set the muting conditions to notify you of the alert only once in two weeks, thus reducing noise in the system.
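The three condition types and the mute window described above, as an added Python example that is not Axonius code and does not use its API (the rule function names, the constructed SAMPLE_COUNTS data and the percentage semantics are assumptions for illustration):

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample data (illustrative, not from a real Axonius instance): query -> daily counts, oldest first.
SAMPLE_COUNTS = {
    "tanium_covered": [980, 975, 600],  # coverage drops on the latest day
    "all_devices": [1000, 1000, 1000],
    "adapter_connections": [3, 3, 2],
}

def threshold_rule(counts, operator, value):
    """Single query criteria threshold: latest count more/less than a fixed number."""
    latest = counts[-1]
    return latest > value if operator == "more" else latest < value

def comparison_rule(counts_a, counts_b, pct_more):
    """Query comparison: Query A returns at least pct_more % more assets than Query B."""
    a, b = counts_a[-1], counts_b[-1]
    if b == 0:
        return a > 0  # no assets in B: any assets in A count as 'more'
    return (a - b) / b * 100 >= pct_more

def timeline_rule(counts, operator, pct):
    """Timeline comparison: today's count is at least pct % more/less than yesterday's."""
    today, yesterday = counts[-1], counts[-2]
    if yesterday == 0:
        return operator == "more" and today > 0
    change = (today - yesterday) / yesterday * 100
    return change >= pct if operator == "more" else change <= -pct

@dataclass
class MuteState:
    """Mute condition: notify on a fired alert at most once per mute_for window."""
    mute_for: timedelta
    last_notified: Optional[datetime] = None

    def should_notify(self, fired, now):
        if not fired:
            return False
        if self.last_notified and now - self.last_notified < self.mute_for:
            return False  # still within the mute window
        self.last_notified = now
        return True

def mute_demo(day_offsets):
    """Feed an alert that fires on each day offset through a two-week mute; return notify flags."""
    state, start = MuteState(timedelta(weeks=2)), datetime(2023, 12, 24)
    return [state.should_notify(True, start + timedelta(days=d)) for d in day_offsets]
```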

You can also configure a Custom rule to send notifications on alerts via external communication mediums (for example, email or Slack) using enforcement actions from the Notify category.

Note:

It is important to configure rules that result in the minimum possible false positive alerts.

From the Rules Manager page, you can do the following:

