
Behavioral detection policies

Screenshot of the Behavioral detection engine screen, displaying a list of BDE policies configured for the tenant.
In the Cylance console, behavioral detection policies are in the CylanceOPTICS > Behavioral Detection Engine menu, in the Behavioral Detection Policies tab.
A BDE policy defines which MITRE detections apply to devices, the severity level at which to alert, and when automated responses apply. Every tenant has a default policy in which all MITRE detections are enabled with both the Alerts and Observations features on, and the alert threshold is set to medium and above.
Alert thresholding is a new concept introduced with BDE. It makes it easy to suppress alerts below a chosen severity level: only alerts at or above the threshold appear in the Alerts screen and through external interfaces such as syslog or the public API. To ensure there is no loss of information fidelity, BDE also supports observations. When Observations are enabled, BDE instructs the CylanceOPTICS agent (version 3.3 or later) to watch for all behaviors below the alert threshold, collect the data associated with them and any correlated elements along the attack chain, and tag that collected data with the appropriate MITRE TTPs. Using alert thresholds and observations together, BDE policies can run with a much lower level of noise without missing important data that may be hiding in low-efficacy signals.