Create a detection rule set
Create and apply a detection rule set to configure the types of events that you want CylanceOPTICS to detect and how you want CylanceOPTICS to respond to those events. A default detection rule set is available to help you test and evaluate how you want to use detection rules. In the default rule set, all detection rules are turned on and automated responses and user notifications are turned off.
When you create a detection rule set, it is a best practice initially to turn on the desired detection rules without response actions and desktop notifications. After you evaluate the detections data, you can configure the appropriate response actions and user notifications for each rule.
- To view a rule set, you require an administrator role with the View ruleset and Edit ruleset permissions from the Endpoint Detection Response section.
- For more information about the optional CylanceOPTICS rules that you can import for your organization’s environment, see KB76816.
- In the management console, on the menu bar, click CylanceOPTICS > Configurations.
- On the Rule Sets tab, click Create New.
- Type a name and description.
- If you want the CylanceOPTICS agent to display a message when a rule is triggered on the device, in the Detection Notification Message field, type the message.
- Review the available rules. For each rule, you can hover over the information icon to view a description. Click ON to enable an entire rule group or a specific rule.
- If you want to display a desktop notification when a rule is triggered on a device, select the Display Detection Notification on Device check box for the rule.
- If you want the CylanceOPTICS agent to execute a response action when a rule is triggered on a device, in the Response drop-down list for the rule, select one or more actions. You can hover over the information icon for each action to view a description.
- In the Device Policy drop-down list, click one or more device policies that you want to assign the detection rule set to. You can also assign a detection rule set to a device policy when you create or change a device policy.
- Click Confirm. Review the summary, then click Confirm again.
After you assign the detection rule set to a device policy, you can view and manage detections. You can also do any of the following optional tasks: