Incident Rules

Incident rules are defined criteria that determine what actions are put in place when an incident is flagged. Administrators can configure criteria that, if met, execute one of three different rule types. These rule types are put in place by the administrator to permit/prohibit specified behavior. Active Defense comes with some pre-configured rules that are used for threat detection.

The rule types are Ignore, Incident, and Fallthrough. Each rule type serves a different purpose and lets the administrator tell BrickStor SP how to handle certain behavior patterns.

  1. Ignore - Prevent incidents from being flagged based on a given criterion.

  2. Incident - Cause an incident to be flagged based on a given criterion.

  3. Fallthrough - Add actions to an incident based on a given criterion.

In order to manage a rule, click Configure. From here, you can:

  • Add Rule - Add a Rule by clicking Add Rule, located on the Toolbar.

    A user may legitimately need to interact with a large number of files at once. Adding an Ignore rule for that user prevents them from being blocked and saves time for both the administrator and the user.

    Example 1. Adding a rule to prevent John Doe from Excessive Access/deletes
    1. Navigate to the Incident Rules page.

    2. Click Configure.

    3. Click + Add Rule.

    4. Select Ignore.

    5. Click the Behavior drop down menu and select Excessive Access/Excessive deletes.

    6. Click the magnifying glass icon next to username and search for John Doe.

    7. Click on John Doe, then on Select.

    8. Click Create Ignore Rule.

    The preceding rule will prevent John Doe from ever flagging an Excessive Access/deletes incident.

Default Appliance Rules cannot be Removed or Edited.
  • Edit Rule - Edit an existing Rule by clicking on the Cog Wheel located in the Edit column of the Rules List and selecting Edit.

    The administrator can edit a custom rule to better fit a given situation. In Example 1, a rule was made to permanently exclude John Doe from flagging Excessive Access/deletes. However, John Doe was given a time frame of one week to finish the work that was flagging for Excessive Access/deletes, so the rule needs to change from permanent to a one-week expiration.

    Example 2. Editing John Doe’s rule to add an expiration
    1. Navigate to the Incident Rules page.

    2. Click Configure.

    3. Click the cog wheel icon under the Edit header for John’s rule, and select Edit.

    4. Click the calendar icon to the right of Expiration Rule.

    5. Select 1 week and apply changes.

    Once the allotted time has passed, the rule will expire and John will begin flagging for Excessive Access/deletes again.

  • Remove Rule - Remove an existing Rule by clicking on the Cog Wheel located in the Edit column of the Rules List and selecting Remove.

    The administrator can remove a rule that is no longer needed on the appliance. In Example 2, John was expected to take one week to finish his tasks, but finished in four days. With no work requiring John to be exempt from flagging for excessive deletes, the administrator can remove the rule instead of waiting for it to expire.

    Example 3. Removing John Doe’s rule
    1. Navigate to the Incident Rules page.

    2. Click Configure.

    3. Click the cog wheel icon under the Edit header for John’s rule, and select Remove.

    4. Click Remove Rule.

    After the administrator removes the rule, John’s account can once again flag Excessive Access/deletes.

Once the changes have been staged, the User can select Save to confirm the creation of the Rule(s) or Cancel to remove all changes made during the configuration session.
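The following is an added illustrative model of how the three rule types and a rule expiration interact, covering the rule types listed above and the expiring Ignore rule from Example 2. It is not BrickStor SP's own code; the rule set, the precedence (a matching Ignore rule suppresses everything, Fallthrough only adds actions to an incident that is already flagged) and the wildcard meaning of an empty username are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class Rule:
    kind: str                            # "ignore", "incident" or "fallthrough"
    behavior: str                        # behavior the rule's criterion matches
    username: Optional[str] = None       # None = any user (assumed wildcard)
    actions: tuple = ()                  # extra actions for Fallthrough rules
    expires: Optional[datetime] = None   # None = permanent rule

    def matches(self, username: str, behavior: str, now: datetime) -> bool:
        # An expired rule no longer matches anything (Example 2 behaviour).
        if self.expires is not None and now >= self.expires:
            return False
        return self.behavior == behavior and self.username in (None, username)


def evaluate(rules, username: str, behavior: str, now: datetime):
    """Return the incident that would be flagged, or None if nothing is flagged."""
    hits = [r for r in rules if r.matches(username, behavior, now)]
    # Assumed precedence: any matching Ignore rule suppresses the incident outright.
    if any(r.kind == "ignore" for r in hits):
        return None
    # Without a matching Incident rule there is nothing to flag.
    if not any(r.kind == "incident" for r in hits):
        return None
    actions = ["flag"]
    for r in hits:
        if r.kind == "fallthrough":
            actions.extend(r.actions)   # Fallthrough adds actions to the incident
    return {"user": username, "behavior": behavior, "actions": actions}


# Constructed sample rule set (a stand-in for defaults, not the appliance's real ones).
T0 = datetime(2024, 1, 1)
RULES = [
    Rule("incident", "Excessive deletes"),
    Rule("ignore", "Excessive deletes", "John Doe", expires=T0 + timedelta(weeks=1)),
    Rule("fallthrough", "Excessive deletes", actions=("notify-admin",)),
]


def check(username: str, behavior: str, days_after: int):
    """Evaluate an event for `username` occurring `days_after` days after the rule was made."""
    return evaluate(RULES, username, behavior, T0 + timedelta(days=days_after))
```

On day 3 John Doe's activity is suppressed by the Ignore rule; on day 8 the rule has expired and the same activity is flagged with the Fallthrough action attached, while other users are flagged from day 0.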