Managing detection rules in bulk

Overview

MSP administrators who have access to MSP Portal can view and manage all detection rules and set global policy for those rules across the current and future sub-accounts they administer.

Caution: Using bulk actions to disable detection rules carries the risk that users incorrectly disable rules your accounts need. Ensure you understand the level of risk associated with not using some rules, especially Suspects and Threats, and use caution so that you do not accidentally disable valuable alerts that can help you prevent an incident.

Common tasks you can accomplish from the Bulk Actions page in the MSP Portal include the following:

  • Reviewing all of Blumira's available detection rules, including the most recently created rules
  • Verifying which rules are supported or unsupported for your sub-accounts
  • Enabling default-disabled rules on one or many accounts from one page
  • Customizing the default state of rules, such as when you know you want a rule to deploy to future customers in an enabled state

Viewing all existing Blumira detection rules

Blumira's Incident Detection Engineers continuously create and deploy new detection rules for the expanding list of log integrations. They also update existing rules by improving the logic or conditions, adding more context or supporting details in Analysis, or updating the default state if the rules are too noisy and unlikely to surface threats. Many Operational detection rules, for instance, are usually deployed as default-disabled.

Some MSPs have also requested customization to global detection rules and so have custom detection rules deployed to their accounts. These rules are managed in the same way as global rules in the Bulk Actions page in the app.

To see the full list of detection rules available for your accounts, do the following:

  1. Navigate to MSP Portal > Bulk Actions.
  2. Browse the table of detection rules and use the column sorting or pagination controls at the top of the table to change the view.
  3. To narrow the table's results, click Search preset and then click one of the filters.

Enabling rules for all supported accounts

Requirement: You must be an administrator of a sub-account to make changes to the current or default settings of rules in the account.

To bulk-enable all supported rules that are currently disabled, do the following:

  1. To show only disabled rules, click Search preset and then click Disabled for Account.
  2. (Optional) To see the most recently created rules at the top, click the Created column heading to sort the column by creation date.
  3. To select many rules at once, click the check box in the header row of the table, which selects all rows on the page.
  4. (Optional) In the control bar that appears, click Select all to select all rules on all pages.
  5. In the control bar, click Enable.
  6. In the confirmation window, click Enable.
    Note: The totals shown in the confirmation window reflect how many rules are being enabled on the supported accounts where they were previously disabled.

Updating a single rule's settings in multiple accounts

You can configure which specific accounts have a rule enabled or disabled. This is ideal when you have a custom rule that you want to share with other sub-accounts, or when you want to carefully monitor which accounts are being affected by your modifications.

To edit a single rule's settings in multiple accounts, do the following: 

  1. In the Detection Rules table, search for the rule you want to edit.
  2. Click the name of the rule.
  3. In the options menu, click Rule Details.
  4. (Optional) Customize the Default state of the rule, then click Save changes.

  5. In the Detection Rule details window, click Accounts.
  6. Review the Supported accounts in the list.

  7. Click the check box next to the accounts you want to edit.
  8. In the control bar that appears, click Disable.
  9. In the confirmation window, click Disable.

Disabling one or more rules in all accounts

Caution: Actions performed on the Detection Rules table impact all of your managed accounts. Use caution when selecting rules or accounts, or perform more selective actions in an individual rule's window using the procedures above.

To bulk-disable specific rules that you no longer want active on your accounts, do the following:

  1. Click Search preset and then click Enabled for Account.
  2. Click the check box next to the rule.
  3. In the control bar that appears, click Disable.
  4. In the confirmation window, click Disable.