Overview
MSP administrators who have access to MSP Portal can view and manage all detection rules and set global policy for those rules across the current and future sub-accounts they administer.
Common tasks you can accomplish from the Bulk Actions page in the MSP Portal include the following:
- Reviewing all of Blumira's available detection rules, including the most recently created rules
- Verifying which rules are supported or unsupported for your sub-accounts
- Enabling default-disabled rules on one or many accounts from one page
- Customizing the default state of rules, such as when you know you want a rule to deploy to future customers in an enabled state
Viewing all existing Blumira detection rules
Blumira's Incident Detection Engineers continuously create and deploy new detection rules for the expanding list of log integrations. They also update existing rules by improving the logic or conditions, adding more context or supporting details in Analysis, or updating the default state if the rules are too noisy and unlikely to surface threats. Many Operational detection rules, for instance, are usually deployed as default-disabled.
Some MSPs have also requested customizations to global detection rules, so they have custom detection rules deployed to their accounts. These rules are managed in the same way as global rules on the Bulk Actions page in the app.
To see the full list of detection rules available for your accounts, do the following:
- Navigate to MSP Portal > Bulk Actions.
- Browse the table of detection rules and use the column sorting or pagination controls at the top of the table to change the view.
- To narrow the table's results, click Search preset and then click one of the filters.
Enabling rules for all supported accounts
Requirement: You must be an administrator of a sub-account to make changes to the current or default settings of rules in the account.
To bulk-enable all supported rules that are currently disabled, do the following:
- To show only disabled rules, click Search preset and then click Disabled for Account.
- (Optional) To see the most recently created rules at the top, click the Created column heading to sort the column by creation date.
- To select many rules at once, click the check box in the header row of the table, which selects all rows on the page.
- (Optional) In the control bar that appears, click Select all to select all rules on all pages.
- In the control bar, click Enable.
- In the confirmation window, click Enable.
Note: The totals shown in the confirmation window reflect how many rules are being enabled on the supported accounts where they were previously disabled.
Updating a single rule's settings in multiple accounts
You can configure which specific accounts have a rule enabled or disabled. This is ideal when you have a custom rule that you want to share with other sub-accounts, or when you want to carefully monitor which accounts are being affected by your modifications.
To edit a single rule's settings in multiple accounts, do the following:
- In the Detection Rules table, search for the rule you want to edit.
- Click the name of the rule.
- In the options menu, click Rule Details.
- (Optional) Customize the Default state of the rule, then click Save changes.
- In the Detection Rule details window, click Accounts.
- Review the Supported accounts in the list.
- Click the check box next to the accounts you want to edit.
- In the control bar that appears, click Disable.
- In the confirmation window, click Disable.
Disabling one or more rules in all accounts
To bulk-disable specific rules that you no longer want active on your accounts, do the following:
- Click Search preset and then click Enabled for Account.
- Click the check box next to the rule.
- In the control bar that appears, click Disable.
- In the confirmation window, click Disable.