Create a detection rule set

Create and apply a detection rule set to configure the types of events that you want to detect and how you want to respond to those events. A default detection rule set is available to help you test and evaluate how you want to use detection rules. In the default rule set, all detection rules are turned on and automated responses and user notifications are turned off.
When you create a detection rule set, it is a best practice initially to turn on the desired detection rules without response actions and desktop notifications. After you evaluate the detections data, you can configure the appropriate response actions and user notifications for each rule.
  • To view a rule set, you require an administrator role with the View ruleset and Edit ruleset permissions from the Endpoint Detection Response section.
  • For more information about the optional rules that you can import for your organization’s environment, see KB76816.
  1. In the management console, on the menu bar, click CylanceOPTICS > Configurations.
  2. On the Rule Sets tab, click Create New.
  3. Type a name and description.
  4. If you want the agent to display a message when a rule is triggered on the device, in the Detection Notification Message field, type the message.
  5. Review the available rules. For each rule, you can hover over the information icon to view a description. Click to enable an entire rule group or a specific rule.
  6. If you want to display a desktop notification when a rule is triggered on a device, select the Display Detection Notification on Device check box for the rule.
  7. If you want the agent to execute a response action when a rule is triggered on a device, in the drop-down list for the rule, select one or more actions. You can hover over the information icon for each action to view a description.
  8. In the Device Policy drop-down list, click one or more device policies that you want to assign the detection rule set to.
    You can also assign a detection rule set to a device policy when you create or change a device policy.
  9. Click
    . Review the summary then click
After you assign the detection rule set to a device policy, you can view and manage detections. You can also do any of the following optional tasks: