Incident rules

Incident rules are defined criteria that determine what actions are taken when an incident is flagged. Administrators can configure criteria that, if met, execute one of three rule types. The administrator puts these rule types in place to permit or prohibit specified behavior. Active Defense comes with some pre-configured rules that are used for threat detection. Each rule type serves a different purpose and helps the administrator give the BrickStor SP guidance on how to handle certain behavior patterns. The rule types are:

- Ignore: Prevent incidents from being flagged based on a given criterion.
- Incident: Cause an incident to be flagged based on a given criterion.
- Fallthrough: Add actions to an incident based on a given criterion.

Default rules on the BrickStor SP cannot be removed or edited.

Ignore rules

It is possible that a user needs to interact with a large quantity of files at a time. Adding an Ignore rule to prevent the user from being blocked can save time for both the administrator and the user. The following steps demonstrate creating an Ignore rule for the user John Doe.

1. Navigate to the Incident Rules page.
2. Click Configure.
3. Click + Add Rule.
4. Select Ignore.
5. Click Next.
6. Click the Behavior dropdown menu and select Excessive Access/Excessive deletes.
7. Click the magnifying glass icon next to username and search for John Doe.
8. Select John Doe and click Select.
9. Click Create Ignore Rule.
10. Click Save, located at the top of the page.
11. Click Yes to confirm changes.

Editing rules

Custom rules can be edited to better fit a given situation. In Ignore rules, a rule was made to permanently exclude John Doe from flagging Excessive Access/deletes. However, there are scenarios where John Doe might only need this Ignore rule in place temporarily. The following steps provide an example of how to edit the expiration of an existing rule:

1. Navigate to the Incident Rules page.
2. Click Configure.
3. Click the action cog next to the desired rule.
4. Select Edit.
5. Click the calendar icon next to Expire Rule.
6. Select a time.
7. Click Apply.
8. Click Save, located at the top of the page.
9. Click Yes to confirm changes.

Removing rules

The administrator can remove a rule that is no longer needed on the appliance. In Editing rules, a rule was edited to temporarily exclude John Doe from flagging Excessive Access/deletes. However, there are scenarios where John Doe no longer needs this rule before the expiration period is reached. The following steps provide an example of how to remove an existing rule:

1. Navigate to the Incident Rules page.
2. Click Configure.
3. Click the action cog next to the desired rule.
4. Select Remove.
5. Click Remove Rule.
6. Click Save, located at the top of the page.
7. Click Yes to confirm changes.