The Open Preview - Custom Detection Rules

I have to say that so far I love the possibility to create our own Custom Detection Rules with the same capabilities as provided by the ABA engine!

It has some great advantages over the classic Custom Pattern Detection rules, and we have been able to implement some enhancements thanks to this.

However, for some reason I seem to be unable to locate these Custom Detection Rules for later editing and tweaking.
According to the docs (Custom Detection Rules | InsightIDR Documentation), it should be possible to find, but we can’t find it in our environment.

Just to be sure, is it supposed to be listed in the "Attacker Behavior Analytics" pane from the Detection Rules page, right? Not that I found it elsewhere either though.

Thanks in advance

Hey Richard. Glad to hear that you’re enjoying the new Custom Detection Rules experience! You should be able to find your previously created Custom Detection Rules on the Attacker Behavior Analytics pane by using the first set of filters to “Show Only Custom Rules”.

That filter just returns 0 hits unfortunately.
I do know that rule exists because we have gotten investigations opened.

Ahh, okay, is there any chance that the rules you are looking for are IDS-based? In order to find IDS-based Custom Detection Rules you’ll have to use the filter above and change the “Type” filter to “Network Sensor Rules”. Sorry about that, we are actively looking at improving how we can improve that and the filtering experience as a whole.

YES! There we have it! Awesome!
Thanks for pointing that out!
