Configure Active Detections
  • 21 Aug 2024


Configure Detection Engine

Active Detections Service Configuration

Click on the settings icon at the top right corner of the UI. From the Configuration dropdown menu, select Security.


Active Detection configuration defines how Active Detections, both Detection Streams and Detection Chains, are applied to your security logs. To filter out rules from the extensive rulesets, configure the detection tags and statuses.

From the left sidebar of the "Security" page, select Active Detections.

Fill in the detection tags, statuses, and output bucket details in the fields provided.

  • Detect on Statuses (default: stable): rule statuses for which a detection/security finding will be generated. Valid values: Stable, Test, Experimental, Deprecated, Unsupported.

  • Detect on Tags (default: "DataBee-Detection-Enable"): rule tag for which a detection/security finding will be generated. Users may add this tag, or another custom tag, to flag a rule that would normally be ignored because of its status as one that should be enabled.

  • Disable Detect on Tags (default: "DataBee-Detection-Disable"): rule tag for which a detection/security finding will be suppressed. Overrides both Detect on Statuses and Detect on Tags.

  • S3 Output Bucket: if provided, DataBee will write its security findings to this bucket.

Click on the Test Connectivity button to check if you can access the configured S3 bucket. Click Submit to save. 
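To make the precedence of the three settings concrete, here is an added Python example (not DataBee code) that applies the documented filter to constructed Sigma rule metadata; representing a rule as a dict with the `status` and `tags` fields of a parsed Sigma YAML file, and the case-insensitive status comparison, are assumptions.

```python
# Added example (not DataBee code): applies the documented Active Detections
# filter to Sigma rule metadata. Representing a rule as a dict carrying the
# 'status' and 'tags' fields of a parsed Sigma YAML file is an assumption.
from dataclasses import dataclass

# The status enumeration given on the page (compared case-insensitively).
VALID_STATUSES = {"stable", "test", "experimental", "deprecated", "unsupported"}

@dataclass(frozen=True)
class ActiveDetectionConfig:
    # Defaults mirror the page's defaults for the three settings.
    detect_on_statuses: frozenset = frozenset({"stable"})
    detect_on_tags: frozenset = frozenset({"DataBee-Detection-Enable"})
    disable_detect_on_tags: frozenset = frozenset({"DataBee-Detection-Disable"})

    def __post_init__(self):
        # Reject statuses outside the documented enumeration early.
        unknown = {s.lower() for s in self.detect_on_statuses} - VALID_STATUSES
        if unknown:
            raise ValueError(f"unknown rule status: {sorted(unknown)}")

def is_rule_enabled(rule: dict, cfg: ActiveDetectionConfig) -> bool:
    """True if a security finding will be generated for this rule.
    Precedence as documented: a Disable Detect on Tag suppresses the rule
    regardless of status or enable tags; otherwise the rule is active when
    its status is in Detect on Statuses OR it carries a Detect on Tag."""
    status = str(rule.get("status", "")).lower()
    tags = {str(t) for t in rule.get("tags", [])}
    if tags & cfg.disable_detect_on_tags:
        return False
    if status in {s.lower() for s in cfg.detect_on_statuses}:
        return True
    return bool(tags & cfg.detect_on_tags)

def select_rules(rules: list, cfg: ActiveDetectionConfig) -> list:
    """Return the titles of the rules that will produce findings."""
    return [r["title"] for r in rules if is_rule_enabled(r, cfg)]

# Constructed sample rule metadata (not real community rules).
SAMPLE_RULES = [
    {"title": "stable-rule", "status": "stable", "tags": ["attack.execution"]},
    {"title": "experimental-rule", "status": "experimental", "tags": []},
    {"title": "experimental-opted-in", "status": "experimental",
     "tags": ["DataBee-Detection-Enable"]},
    {"title": "stable-but-disabled", "status": "stable",
     "tags": ["DataBee-Detection-Enable", "DataBee-Detection-Disable"]},
]

if __name__ == "__main__":
    print(select_rules(SAMPLE_RULES, ActiveDetectionConfig()))
```

With the defaults, only the stable rule and the experimental rule that carries the enable tag produce findings; the disable tag wins even when both the status and the enable tag would otherwise allow the rule.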

Import Active Detection Streams

From the left sidebar, select Rules Management.


Use the "Rules Management" page to add Sigma rules to DataBee. DataBee does not provide rules out-of-the-box. Sigma benefits from a robust community that regularly creates and shares rulesets. There are several rulesets accessible on GitHub. You can easily set up and manage GitHub repositories of Sigma rules directly from this page.

The page shows all configured repositories. Add a new one by clicking Add GitHub repository. In the pop-up window, provide the essential GitHub repository details: item name, URL, and branch name. For authenticated repositories, also include the username and password.

  • Item Name: a user-supplied handle for the repository

  • URL: the URL hosting the Git repository

  • Branch: the branch of the repository to use

  • Username: account name to use to access the repository

  • Password: password associated with the account user name

Ensure connectivity by clicking Test connectivity before hitting the Submit button.



Click the Update Now button to force an immediate pull from the repository.

A scheduled job automatically checks repositories for updates at fixed intervals. Customize the update check frequency by setting the Fetch Frequency rate. For daily checks, set the fetch frequency value to 24. Confirm your settings and click Submit.

During a rule update, all existing rules are removed and refreshed with the latest rules from all enabled GitHub repositories.




