The Endpoint Detection and Response add-on is required to use Behavioral Detection Rule Groups.
About Behavioral Detection Rule Groups
Behavioral Detection Rule Groups provide fine-tuned control over your EDR behavioral detections. This feature allows you to customize which security rules are monitoring your environment, enabling you to increase protection levels when needed or reduce alert noise by adjusting sensitivity settings.
How It Works
Behavioral Detection Rule Groups operate through configurable detection levels that determine the sensitivity of threat monitoring. By default, behavioral detections run on Cautious mode, focusing on the most serious threats while minimizing false positives. You can adjust security levels based on your organization’s risk tolerance and operational requirements.
Understanding Detection Levels
Out of the box, behavioral detections run on Cautious mode, which means only the most serious threats trigger alerts. This keeps false alarms to a minimum while catching the worst actors. You can ramp up security by choosing more comprehensive levels:
- Cautious: Focuses on clear-cut malicious activity with very few false positives
- Moderate: Casts a wider net to catch more potential threats while staying manageable
- Aggressive: Employs comprehensive detection coverage with maximum sensitivity (expect more alerts)
Understanding Rule Groups
Behavioral detections are split into eight focused categories, each watching for different types of suspicious behavior. You can set each group to Cautious, Moderate, or Aggressive independently.
- Discovery and Information Gathering: Detects suspicious probing commands, such as those identifying installed security software or virtual machines
- Exploit Detection: Detects exploitation attempts against publicly known or proprietarily discovered vulnerabilities
- Obfuscation and Encryption Detection: Detects the use of encryption and obfuscation to conceal data or commands
- Persistence Mechanisms: Monitors the creation or modification of launch agents and daemons intended to establish persistence on a macOS host
- Privilege Escalation Detection: Monitors for signs that someone’s trying to gain higher-level access, like messing with file permissions or accessing sensitive configuration files
- Script and Command Usage Monitoring: Identifies the execution of suspicious commands and scripts
- Security Tool and System Configuration Alterations: Detects altering or disabling of security configurations and tools designed to protect macOS, such as Gatekeeper, Transparency Consent and Control (TCC), and endpoint security products
- User Account Alterations: Detects the creation or manipulation of user accounts intended to remain hidden from normal user interactions or system administration
Configuring Rule Groups
1. Navigate to the Threats page: Open the Threats page in the left-hand navigation.
2. Access the Rules tab: Select the Rules tab.
3. Configure global settings: To set rules globally, select the Rule detection level.
4. Configure group settings: To set rules based on rule group, select Set detection level per rule group.
5. Set detection levels: Under each rule group type, select your desired detection level.
6. Save configuration: When finished, select Save detection settings.
Handling Rule Exceptions
Rule exceptions are only available for rules that do not target highly malicious behavior. Critical security rules cannot be individually disabled.
1. Navigate to the Threats tab: Navigate to the Threats tab on the Threats page.
2. Select problematic detections: Select the detection(s) generating unwanted alerts using the checkbox to the left of the threat.
3. Access the Actions menu: Select the ellipsis in the lower left-hand corner.
4. Disable rules: Choose Disable suspicious rules.
Managing Your Exceptions
Any rules you disable automatically show up in the Rule Exceptions list under the Rules tab in your EDR configuration. From there, you can:
- See all the rules you’ve turned off
- Turn rules back on if circumstances change
- Keep track of what’s not being monitored
Considerations
- Detection Level Balance: Choose detection levels that balance security coverage with manageable alert volumes to avoid alert fatigue
- Rule Group Customization: Configure each rule group independently based on your organization’s specific security requirements and risk profile
- Exception Management: Regularly review disabled rules to ensure they remain appropriate and don’t create security gaps
- Critical Rule Protection: Critical security rules cannot be disabled; this preserves essential security coverage regardless of your exception settings
- Alert Tuning: Use rule exceptions strategically to reduce false positives while maintaining security effectiveness
- Regular Review: Periodically assess rule group settings and exceptions to ensure they align with the current threat landscape and business needs
- Documentation: Keep records of rule exceptions and their rationale for compliance and audit purposes
- Testing and Validation: Test rule group changes in a controlled environment before deploying to production
- Performance Impact: Monitor system performance when adjusting detection levels, as more aggressive settings may impact device performance
- Team Training: Ensure security teams understand the implications of different detection levels and rule exceptions
- Incident Response: Consider how rule group settings affect incident response workflows and threat investigation processes
- Compliance Requirements: Align rule group configurations with regulatory and compliance requirements for your industry