The Detection Rules settings page lets you view and modify detection rules.
- View all detection rules and explore how they work
- Disable/Enable detection rules
- Define trusted exclusions to better fit your environment
- Exclude by command name, command line arguments, EUID and more
- Apply the exclusion to specific host, group of hosts or the entire environment
- Exclusions will prevent future alerts and will automatically close matching open alerts
You can view the detection rules that Protect uses to trigger alerts in your environment. The detection rules can be found in the settings page (top right corner) under the "Detection Rules" tab.
On this page you can:
- View all detection rules and explore how they work
- Disable/Enable different detection rules
- Create exclusions for rules to refine detection for your environment.
- Exclusions can be applied to the entire environment, or only to specific hosts
- Exclusions can be set on various parts of the execution, such as command name, command arguments, and EUID.
- Once an exclusion is created, no new alerts matching the exclusion condition will be opened, and open alerts that match the exclusion condition will be closed.
Example:
Here you can see the "Netcat Code Execution" rule, which detects netcat command execution that could be used to create a reverse shell.
In this example an exclusion was added to prevent alerts when nc is used to execute echo, which can be considered harmless in some environments.
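To make the exclusion semantics above concrete, here is an added illustration (not Protect's own code or data model) of how an exclusion scoped by rule, command name, argument, EUID and host set would suppress new alerts and auto-close matching open ones. The Alert and Exclusion fields, the sample alerts and the host names are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Set

# Hypothetical alert record; the product's real schema is not on the page.
@dataclass
class Alert:
    rule: str
    host: str
    command: str
    args: List[str]
    euid: int
    status: str = "open"

# Hypothetical exclusion: any field left as None matches everything,
# so hosts=None means "entire environment".
@dataclass
class Exclusion:
    rule: str
    command: Optional[str] = None
    arg_token: Optional[str] = None   # a token that must appear in args
    euid: Optional[int] = None
    hosts: Optional[Set[str]] = None

    def matches(self, a: Alert) -> bool:
        """True when every set condition holds for this alert."""
        if a.rule != self.rule:
            return False
        if self.command is not None and a.command != self.command:
            return False
        if self.arg_token is not None and self.arg_token not in a.args:
            return False
        if self.euid is not None and a.euid != self.euid:
            return False
        if self.hosts is not None and a.host not in self.hosts:
            return False
        return True

def apply_exclusion(excl: Exclusion, alerts: List[Alert]) -> int:
    """Close already-open alerts the exclusion covers; return how many."""
    closed = 0
    for a in alerts:
        if a.status == "open" and excl.matches(a):
            a.status = "closed"
            closed += 1
    return closed

def should_alert(exclusions: List[Exclusion], candidate: Alert) -> bool:
    """A new detection only becomes an alert if no exclusion covers it."""
    return not any(e.matches(candidate) for e in exclusions)
```

A practitioner can tighten or widen an exclusion by adding or dropping conditions; the narrower it is (command plus argument plus EUID plus host group), the less detection coverage it removes.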