
Detection and response tab: Behavioral detection policy

After you create a detection policy, open the policy and configure the settings in the Detection and Response tab.
On the Detection and Response tab, on the left side of the screen, you can apply filters to help find the detection rules that you are looking for:
  • Alerts (On or Off): Filter detection rules by whether detection alerts are enabled.
  • Observations (On or Off): Filter detection rules by whether observations are enabled.
  • Notifications (On or Off): Filter detection rules by whether notifications are enabled.
  • Automated response action: Filter detection rules by the automated response action.
  • Platform: Filter detection rules by operating system platform.
Screenshot showing the bulk edit controls when multiple cards are selected.
Screenshot showing examples of detection cards.
In the center of the screen, the detection rules are displayed as cards for specific MITRE techniques aligned with the MITRE framework. Each card includes the rule name, the MITRE technique ID, the number of detection rules included at each severity level, and icons that indicate whether alerts, observations, notifications, and automated responses are configured. Bulk edit options appear above the cards if you use the checkboxes to select them.
You can click on a detection rule card to open a side panel on the right side. The side panel displays a detailed description of the rule as well as controls to enable alerts, observations, notifications, and automated responses.
Screenshot of the detection details where alerts, observations, and automated responses can be configured.
Screenshot showing examples of remediation actions.
If you want to configure automated responses for a detection rule, you must specify the minimum severity level for the response to apply. In this example, the default minimum severity is set to High because this class of rules is the most precise and the easiest to tune. This ensures minimal impact on business continuity because of its lower average false positive rate. Next, add one or more remediation actions from the list of available actions. The CylanceOPTICS agent and BDE will take all applicable response actions that are configured, based on the context of the detection.