The Endpoint Detection and Response add-on is required to use Behavioral Detection Rule Groups.
What are Behavioral Detection Rules?
Behavioral Detection Rules give you fine-tuned control over your EDR behavioral detections. Think of it as a way to customize which security rules are watching your environment; you can increase protection levels when needed or tone them down to reduce alert noise.
Understanding Detection Levels
Out of the box, behavioral detections run on Cautious mode, which means only the most serious threats trigger alerts. This keeps false alarms to a minimum while catching the worst actors. You can ramp up security by choosing more comprehensive levels:
Cautious - Focuses on clear-cut malicious activity with very few false positives.
Moderate - Casts a wider net to catch more potential threats while staying manageable.
Aggressive - Employs comprehensive detection coverage with maximum sensitivity (expect more alerts).
Rule Groups
Behavioral detections are split into eight focused categories, each watching for different types of suspicious behavior. You can set each group to Cautious, Moderate, or Aggressive independently.
Discovery and Information Gathering: Detects suspicious probing commands, such as those that identify installed security software or virtual machines.
Exploit Detection: Detects exploitation attempts of publicly known or proprietarily discovered vulnerabilities.
Obfuscation and Encryption Detection: Detects the use of encryption and obfuscation to conceal data or commands.
Persistence Mechanisms: Monitors the creation or modification of launch agents and daemons intended to establish persistence on a macOS host.
Privilege Escalation Detection: Monitors for signs that someone is trying to gain higher-level access, such as tampering with file permissions or accessing sensitive configuration files.
Script and Command Usage Monitoring: Identifies the execution of suspicious commands and scripts.
Security Tool and System Configuration Alterations: Detects altering or disabling of security configurations and tools designed to protect macOS, such as Gatekeeper, Transparency, Consent, and Control (TCC), and endpoint security products.
User Account Alterations: Detects the creation or manipulation of user accounts intended to remain hidden from normal user interactions or system administration.
Configuring Rule Groups
Open the Threats page in the left-hand navigation.
Select the Rules tab.
To set rules globally, select a Rule detection level.
To set rules by rule group, select Set detection level per rule group.
Under each rule group type, select your desired detection level.
When finished, Save detection settings.
Handling Rule Exceptions
Rule exceptions are only available for rules that do not target highly malicious behavior. Critical security rules cannot be individually disabled.
You may occasionally need to disable a specific rule that generates excessive alerts without affecting the entire rule group's settings. To do this:
Navigate to the Detections tab on the Threats page.
Select the detection(s) generating unwanted alerts using the checkbox to the left of the threat.
Select the ellipsis in the lower left-hand corner.
Choose Disable suspicious rules.
Managing Your Exceptions
Any rules you disable automatically show up in the Rule Exceptions list under the Rules tab in your EDR configuration.
From there, you can:
See all the rules you've turned off.
Turn rules back on if circumstances change.
Keep track of what's not being monitored.
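To make the interaction between the global detection level, per-group overrides, and rule exceptions concrete, here is an added Python model of that policy logic. It is example code written for this page, not Kandji's implementation, and it assumes two things the page does not state: that each rule carries a minimum level (Cautious, Moderate, or Aggressive) at which it becomes active, and that rules are identified by string IDs. The rule IDs and sample rules below are constructed for the example.

```python
"""Model of EDR behavioral detection rule group policy (example, not product code)."""
from dataclasses import dataclass, field
from enum import IntEnum


class Level(IntEnum):
    """Detection levels, ordered so a higher level activates more rules."""
    CAUTIOUS = 1
    MODERATE = 2
    AGGRESSIVE = 3


# The eight rule groups named on this page.
RULE_GROUPS = frozenset({
    "Discovery and Information Gathering",
    "Exploit Detection",
    "Obfuscation and Encryption Detection",
    "Persistence Mechanisms",
    "Privilege Escalation Detection",
    "Script and Command Usage Monitoring",
    "Security Tool and System Configuration Alterations",
    "User Account Alterations",
})


@dataclass(frozen=True)
class Rule:
    rule_id: str          # constructed identifier, not a real rule ID
    group: str            # one of RULE_GROUPS
    min_level: Level      # assumed: lowest level at which this rule is active
    critical: bool        # critical rules cannot be individually disabled


@dataclass
class Policy:
    """Global level, optional per-group overrides, and the rule exception list."""
    global_level: Level = Level.CAUTIOUS            # out-of-the-box default
    group_levels: dict = field(default_factory=dict)
    exceptions: set = field(default_factory=set)     # disabled rule IDs

    def set_global(self, level: Level) -> None:
        self.global_level = level

    def set_group(self, group: str, level: Level) -> None:
        if group not in RULE_GROUPS:
            raise ValueError(f"unknown rule group: {group}")
        self.group_levels[group] = level

    def level_for(self, group: str) -> Level:
        # A per-group setting wins; otherwise the global level applies.
        return self.group_levels.get(group, self.global_level)

    def disable_rule(self, rule: Rule) -> bool:
        """Add a rule exception. Returns False for critical rules, which stay on."""
        if rule.critical:
            return False
        self.exceptions.add(rule.rule_id)
        return True

    def enable_rule(self, rule_id: str) -> None:
        """Turn a previously disabled rule back on."""
        self.exceptions.discard(rule_id)

    def disabled_rules(self) -> list:
        """The Rule Exceptions list: everything currently not being monitored."""
        return sorted(self.exceptions)

    def should_alert(self, rule: Rule) -> bool:
        """A rule alerts when it is not excepted and its group's level reaches it."""
        if rule.rule_id in self.exceptions:
            return False
        return self.level_for(rule.group) >= rule.min_level


# Constructed sample rules for demonstration.
NOISY_PERSISTENCE = Rule("R-PERSIST-001", "Persistence Mechanisms", Level.MODERATE, False)
CRITICAL_EXPLOIT = Rule("R-EXPLOIT-001", "Exploit Detection", Level.CAUTIOUS, True)


def demo() -> dict:
    """Walk through the page's workflow and report what alerts at each step."""
    policy = Policy()
    results = {"default": policy.should_alert(NOISY_PERSISTENCE)}
    policy.set_group("Persistence Mechanisms", Level.MODERATE)
    results["after_group_raise"] = policy.should_alert(NOISY_PERSISTENCE)
    results["disable_noisy"] = policy.disable_rule(NOISY_PERSISTENCE)
    results["disable_critical"] = policy.disable_rule(CRITICAL_EXPLOIT)
    results["exceptions"] = policy.disabled_rules()
    policy.enable_rule(NOISY_PERSISTENCE.rule_id)
    results["after_reenable"] = policy.should_alert(NOISY_PERSISTENCE)
    return results


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step}: {outcome}")
```

Running the script shows the noisy persistence rule silent at the default Cautious level, active once its group is raised to Moderate, silenced by an exception, and active again after re-enabling; the critical exploit rule refuses the exception and keeps alerting throughout.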