Managing rulesets
This article describes the features available for managing Vectra Match Rulesets in the Vectra UI.
Introduction
Customers can manage rulesets directly in the Vectra UI. Vectra recommends using the UI to modify rule thresholds, rather than editing rule files directly. This ensures your changes are preserved and automatically applied even as new ruleset updates are released. Rule modifications made through the UI are automatically layered on top of the latest ruleset file, so you no longer need to reapply them manually.
Frequently Asked Questions (FAQ)
What permission does my role need to update rulesets in the Vectra UI?
The Vectra Match Policy permission in the Edit category is required to create, change or delete rule modifications.
A corresponding View permission for Vectra Match Policy allows viewing ruleset modifications without editing them.
Are there any guidelines for rule IDs when uploading a ruleset?
Customer-created rules should use IDs below 9,000,000.
ET rules and the Vectra Match Curated Ruleset use IDs in the 1,000,000 to 2,999,999 range.
Rule IDs of 9,000,000 and above are reserved for Vectra use.
Customers must not reuse a rule ID that is already assigned to a Sensor: when two rules share a SID, Suricata keeps one of them arbitrarily, so one of the rules silently stops matching.
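Before uploading a file, the SID rules above can be checked mechanically. The following Python script is an added example written for this article, not Vectra or Suricata code; it assumes a standard Suricata rule file (one rule per line, `sid:N;` among the options, a leading `#` marking a disabled rule) and uses only the ID ranges stated above. The sample ruleset is constructed for the example and its rules are not real detections.

```python
import re
from collections import Counter

# Rule ID (SID) ranges as stated on this page; no other ranges are assumed.
CUSTOMER_MAX = 9_000_000                    # customer rules must stay below this
VENDOR_RANGE = range(1_000_000, 3_000_000)  # ET rules and the Vectra Match Curated Ruleset

ACTIONS = ("alert", "drop", "pass", "reject", "rejectsrc", "rejectdst", "rejectboth")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def parse_sids(ruleset_text):
    """Return (line_no, sid, enabled) for every rule in a Suricata-format ruleset.

    A rule commented out with a leading '#' is still a rule (disabled); ordinary
    comment lines that do not start with a rule action are skipped.
    """
    rows = []
    for n, raw in enumerate(ruleset_text.splitlines(), 1):
        line = raw.strip()
        enabled = True
        if line.startswith("#"):
            line = line.lstrip("#").strip()
            enabled = False
        if not line.startswith(ACTIONS):
            continue
        m = SID_RE.search(line)
        if m:
            rows.append((n, int(m.group(1)), enabled))
    return rows


def check_ruleset(ruleset_text):
    """Return a list of findings; an empty list means the SIDs are safe to upload."""
    rows = parse_sids(ruleset_text)
    findings = []
    for n, sid, _ in rows:
        if sid >= CUSTOMER_MAX:
            findings.append(f"line {n}: sid {sid} is in the range reserved for Vectra (>= {CUSTOMER_MAX})")
        elif sid in VENDOR_RANGE:
            findings.append(f"line {n}: sid {sid} is in the ET / Vectra curated range and may "
                            f"collide with a rule already assigned to the sensor")
    # Duplicate SIDs: Suricata keeps an arbitrary one of the duplicates.
    counts = Counter(sid for _, sid, _ in rows)
    for sid, c in sorted(counts.items()):
        if c > 1:
            lines = ", ".join(str(n) for n, s, _ in rows if s == sid)
            findings.append(f"sid {sid} appears {c} times (lines {lines}); Suricata will pick one arbitrarily")
    return findings


# Constructed sample ruleset for this example; the rules are illustrative, not real detections.
SAMPLE_RULESET = """\
# Constructed sample for this example, not a real ruleset.
alert tcp $HOME_NET any -> $EXTERNAL_NET 4444 (msg:"LOCAL Outbound connection to port 4444"; flow:to_server,established; sid:100001; rev:1;)
alert dns $HOME_NET any -> any any (msg:"LOCAL Suspicious DNS query"; dns.query; content:"example.invalid"; sid:100002; rev:1;)
# alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL Disabled rule"; sid:100003; rev:1;)
alert tcp any any -> $HOME_NET 3389 (msg:"LOCAL RDP from anywhere"; sid:100001; rev:2;)
alert tcp any any -> any any (msg:"LOCAL Collides with ET range"; sid:2000001; rev:1;)
alert tcp any any -> any any (msg:"LOCAL Reserved range"; sid:9000001; rev:1;)
"""

if __name__ == "__main__":
    for finding in check_ruleset(SAMPLE_RULESET):
        print(finding)
```

Run against the sample, the script reports the reserved-range SID, the SID that sits in the ET range, and the duplicated SID 100001 with the two lines that carry it; the disabled rule is parsed but not flagged. Point it at your own file before upload and treat any finding as a blocker for the duplicate and reserved cases.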
Can I update and re-upload the ruleset file without having to create the same rule modifications again?
Yes. Rule modifications persist even if the ruleset file is removed and re-uploaded, so you can update the ruleset without reconfiguring your modifications. Because modifications are keyed by rule ID, a rule whose SID changes in the new file will not pick up the old modification.
What rulesets can be modified?
Any uploaded and assigned ruleset can be modified.
What happens if modifications conflict with each other?
If you attempt a modification that conflicts with an existing one, a pop-up appears explaining why the two conflict and asking whether to keep the existing modification or overwrite it with the new change.

How many rule modifications can I create?
There is no limit to the number of rule modifications you can create.
How are rule modifications matched to specific rules?
When searching for rules to modify, you can search by words in the rule name or by rule ID.
Regardless of how you find the rule, the modification is stored against and matched by its rule ID (SID), not its name, so a renamed rule keeps its modification and a rule with a new SID does not.
Creating a Rule Modification
Navigate to Configuration > Coverage > Vectra Match > Ruleset Modifications to begin tuning rulesets.
To create a modification select: + Add Rule Modification.
Some example rule modifications are in the screenshot below.

A box will appear where you can search for a rule ID or word in the rule:

After choosing the rule to modify, you can pick different modification actions and add optional notes:

You can modify any rule from an uploaded ruleset. To modify the Vectra-curated Ruleset, look up the rule name and signature ID (SID) within the ruleset file.
Allowed Modifications
Disable rules - Disables rules that are enabled by default in the Vectra-curated Ruleset or a previously uploaded ruleset.
Enable rules - Enables rules that were disabled by default in the Vectra-curated Ruleset or a previously uploaded ruleset.
Modify rule thresholds - Changes the thresholds and limits of enabled rules.
Threshold - Sets a minimum number of rule matches (Count) within a given time window (Seconds) that must occur before an alert is triggered. Useful for reducing noise from sporadic activity; a single stray match never alerts, while a burst does.
Limit - Sets a maximum number (Count) of alerts generated within a given time window (Seconds); further matches in that window are dropped. Useful for preventing a noisy detection from flooding you with alerts.
Both - Applies threshold and limit together: an alert is generated once the minimum number of matches (Count) is reached within the window (Seconds), and no further alerts are generated for the rest of that window, so you get at most one alert per window.
Track By - Tells the Vectra Match engine which address the count is kept per.
Source - Counts events per source IP.
Destination - Counts events per destination IP.
Both - Counts events per source/destination pair.

Suppress rules:
Suppresses the publishing of Vectra Match alerts for a given signature while leaving the signature itself enabled. This is the right choice when another signature depends on it through flowbits: the rule must stay enabled so the flowbit is still set, but you do not want to receive its alerts.
Optionally, you can specify how the suppression is tracked: by Source Address, Destination Address, or Either, so that only alerts involving the specified address are suppressed. If left unselected, the rule is suppressed across all sources and destinations.
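To make the difference between Threshold, Limit and Both concrete, and to show how Track By and Suppress change what gets published, here is an added Python simulation written for this article; it is not Vectra's or Suricata's code. It models the threshold semantics described above (Vectra Match runs on Suricata, whose threshold keyword these options map to) over a constructed burst of matches for one signature. The IP addresses, timings and the `Event` type are invented for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One match of a single signature (constructed): time in seconds, source IP, destination IP."""
    ts: float
    src: str
    dst: str


def track_key(track_by, ev):
    """Counter key for the Track By setting: Source, Destination, or Both (the pair)."""
    if track_by == "source":
        return ev.src
    if track_by == "destination":
        return ev.dst
    if track_by == "both":
        return (ev.src, ev.dst)
    raise ValueError(f"unknown track_by {track_by!r}")


def apply_threshold(events, kind, count, seconds, track_by):
    """Return the matches that become alerts under a Threshold / Limit / Both modification.

    Semantics are those of the Suricata threshold keyword the page describes:
      threshold: alert on every `count`-th match inside a `seconds` window
      limit:     alert on the first `count` matches in a window, drop the rest
      both:      alert once per window, on the `count`-th match
    The window opens on the first match for a key and restarts once it has expired.
    """
    state = {}   # key -> (window_start, matches seen in this window)
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        key = track_key(track_by, ev)
        start, n = state.get(key, (None, 0))
        if start is None or ev.ts - start >= seconds:
            start, n = ev.ts, 0      # first match for this key, or the old window expired
        n += 1
        if kind == "threshold":
            fired = n >= count
            if fired:
                n = 0                # start counting toward the next alert
        elif kind == "limit":
            fired = n <= count
        elif kind == "both":
            fired = n == count
        else:
            raise ValueError(f"unknown kind {kind!r}")
        state[key] = (start, n)
        if fired:
            alerts.append(ev)
    return alerts


def apply_suppress(alerts, track_by=None, ip=None):
    """Drop alerts covered by a Suppress modification.

    track_by None suppresses the signature everywhere (the page's default when nothing
    is selected); "source", "destination" or "either" suppress only alerts where `ip`
    appears in that role.
    """
    if track_by is None:
        return []
    kept = []
    for a in alerts:
        src_hit = track_by in ("source", "either") and a.src == ip
        dst_hit = track_by in ("destination", "either") and a.dst == ip
        if not (src_hit or dst_hit):
            kept.append(a)
    return kept


# Constructed traffic: 10.0.0.5 trips the signature 12 times in one minute (t = 0..55 s),
# 10.0.0.9 trips it once at t = 12 s, and 10.0.0.5 comes back at t = 100 s (a new window).
SAMPLE_EVENTS = [Event(5 * i, "10.0.0.5", "10.0.1.1") for i in range(12)]
SAMPLE_EVENTS += [Event(12, "10.0.0.9", "10.0.1.1"), Event(100, "10.0.0.5", "10.0.1.1")]

if __name__ == "__main__":
    for kind, count in (("threshold", 5), ("limit", 2), ("both", 5)):
        hits = apply_threshold(SAMPLE_EVENTS, kind, count, 60, "source")
        print(f"{kind:9} count={count} seconds=60 track=source -> alerts at t={[e.ts for e in hits]}")
    limited = apply_threshold(SAMPLE_EVENTS, "limit", 2, 60, "source")
    print("suppress 10.0.0.9 by source ->", [e.ts for e in apply_suppress(limited, "source", "10.0.0.9")])
```

With Track By set to Source, Threshold 5/60 alerts at t=20 and t=45 (every fifth match of the burst), Both 5/60 alerts only at t=20, and Limit 2/60 alerts at t=0, 5, 12 and 100 (the one-off from 10.0.0.9 and the return visit each open their own window). Changing Track By to Destination with Limit 1 puts both sources on one counter, so the 10.0.0.9 match never alerts, while Both as the key gives each pair its own counter. A Suppress on 10.0.0.9 by Source then removes only the t=12 alert from the Limit output.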

Edit Modifications
To edit modifications click the pencil icon on the rule you would like to alter:

You cannot alter the rule name or signature ID, but you can change the action and the fields that belong to it (counts, seconds, Track By, notes).
Delete Modifications
To delete a modification, click the trash can icon on the rule you would like to revert. Deleting a modification returns the rule to what was originally published in the ruleset:
