Skip Navigation
  1. BlackBerry Docs
  2. Cylance Endpoint Security
  3. Administration
  4. Cylance Endpoint Security Administration Guide
  5. Using CylanceOPTICS to detect and respond to events
  6. Create a detection rule set

Create a detection rule set

Create and apply a detection rule set to configure the types of events that you want
CylanceOPTICS
 to detect and how you want
CylanceOPTICS
 to respond to those events. A default detection rule set is available to help you test and evaluate how you want to use detection rules. In the default rule set, all detection rules are turned on and automated responses and user notifications are turned off.
When you create a detection rule set, it is a best practice initially to turn on the desired detection rules without response actions and desktop notifications. After you evaluate the detections data, you can configure the appropriate response actions and user notifications for each rule.
  • To view a rule set, you require an administrator role with the View ruleset and Edit ruleset permissions from the Endpoint Detection Response section.
  • For more information about the optional
    CylanceOPTICS
     rules that you can import for your organization’s environment, see KB76816.
  1. In the management console, on the menu bar, click
    CylanceOPTICS > Configurations
    .
  2. On the
    Rule Sets
     tab, click
    Create New
    .
  3. Type a name and description.
  4. If you want the
    CylanceOPTICS
     agent to display a message when a rule is triggered on the device, in the
    Detection Notification Message
     field, type the message.
  5. Review the available rules. For each rule, you can hover over the information icon to view a description. Click
    ON
     to enable an entire rule group or a specific rule.
  6. If you want to display a desktop notification when a rule is trigged on a device, select the
    Display Detection Notification on Device
     check box for the rule.
  7. If you want the
    CylanceOPTICS
     agent to execute a response action when a rule is triggered on a device, in the
    Response
     drop-down list for the rule, select one or more actions. You can hover over the information icon for each action to view a description.
  8. In the
    Device Policy
     drop-down list, click one or more device policies that you want to assign the detection rule set to.
    You can also assign a detection rule set to a device policy when you create or change a device policy.
  9. Click
    Confirm
    . Review the summary then click
    Confirm
     again.
After you assign the detection rule set to a device policy, you can view and manage detections. You can also do any of the following optional tasks: