Tuning Rule Queries

In this installment of the Tips and Insights series, Ron Keyston shares how to filter out noise in a Helix environment and focus on alerts that matter using Rule Query Tuning and Alert Volume Management.

Hi, I’m Ron Keyston. I’m with the Deployment Integration team here at FireEye, and today I’m going to talk to you about Rule Query Tuning and Alert Volume Management. This will allow you to filter out the noise in your environment and focus on the alerts that matter to you. There are a few things we can do within Helix to tune the amount of alerts you get, to really focus in on the events that you care most about within your organization.

If we go into the rules configuration page and click on any available rule, the first thing you can do is change whether or not that rule generates an alert. If you have an event that you want recorded in the database but you don’t necessarily want it to alert on the dashboard, you can turn off the ability to generate alerts. This will still create an event when that alert occurs, but it will not create an alert on the summary dashboard or in the alerts dashboard.

The second thing you can do is to tune the query itself. Let’s consider an example where there is an alert generated when adware is installed on a machine. In certain environments, let’s say a university, you may have a large number of users who are downloading things from the Internet on a regular basis that they shouldn’t be downloading. You may not necessarily want to be alerted every time this occurs. But if there’s a spike in incidents above and beyond the threshold that you normally expect, that’s when you’d want to be alerted about it. So you can come in here and tune this query, and instead of the default of alerting every time the event occurs, you can change it to only alert you if it occurs, say, more than 60 times in a single hour. This allows you to tune any individual query or rule so that it only alerts with the frequency that you desire within your environment.

The third change you can make to tune your alert volume is to make a change to the severity of alerts that you receive e-mails for. You can do that by clicking here on the profile button, going to Helix settings, and then under notifications you can choose to only receive email alerts for critical and high priority alerts, for example, and choose not to receive emails for medium and low priority alerts. This allows you to do high level tuning of the alert emails you receive in order to only receive e-mails for the alerts that you care most about.

That was rule tuning and alert volume management. Continue to check back with us for more FireEye product tips.
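The three tuning knobs described in the transcript (a per-rule "generate alert" switch, a per-rule frequency threshold over a time window, and a severity floor for e-mail notifications) can be modelled with a small piece of Python. This is an added illustration, not FireEye's or Helix's own code or query syntax: the rule dictionaries, the `Event`/`Alert` records, the sample events and the function names are all constructed here to show how threshold tuning changes alert volume. It generalizes the adware example slightly by using a sliding one-hour window rather than fixed clock hours.

```python
"""Illustration of rule-level alert tuning: generate-alert switch, frequency
threshold over a sliding window, and a severity floor for e-mail.
Added example; the rules and events below are constructed, not Helix data."""
from collections import namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "ts rule severity host")
Alert = namedtuple("Alert", "rule severity count first_ts last_ts")

SEVERITY_ORDER = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Constructed rule configuration. threshold=0 means "alert on every event",
# the default behaviour the transcript describes.
RULES = [
    {"name": "adware_installed", "severity": "medium",
     "generate_alert": True, "threshold": 60, "window_seconds": 3600},
    {"name": "c2_beacon", "severity": "critical",
     "generate_alert": True, "threshold": 0},
    # Recorded as events, but never raised as alerts on the dashboard.
    {"name": "usb_mounted", "severity": "low", "generate_alert": False},
]


def build_sample_events():
    """Constructed event stream: one adware burst over the threshold, a small
    adware batch under it, one critical beacon, and a few USB mounts."""
    base = datetime(2024, 1, 1, 9, 0, 0)
    events = []
    for i in range(70):  # 70 installs in ~47 minutes: over the threshold of 60
        events.append(Event(base + timedelta(seconds=40 * i),
                            "adware_installed", "medium", f"lab-{i % 5}"))
    for i in range(10):  # 10 installs three hours later: under the threshold
        events.append(Event(base + timedelta(hours=3, minutes=i),
                            "adware_installed", "medium", "lab-9"))
    events.append(Event(base + timedelta(minutes=5), "c2_beacon",
                        "critical", "finance-1"))
    for i in range(3):
        events.append(Event(base + timedelta(minutes=10 * i), "usb_mounted",
                            "low", "reception-1"))
    return events


def rule_alerts(events, rule):
    """Apply one rule's tuning to the event stream and return its alerts.

    Events are always "recorded" (the caller keeps the list); this function
    only decides which of them become alerts. With a threshold, one alert is
    raised the moment the count inside the sliding window exceeds it, and the
    window is reset so a single burst yields a single alert."""
    if not rule.get("generate_alert", True):
        return []
    matching = sorted((e for e in events if e.rule == rule["name"]),
                      key=lambda e: e.ts)
    threshold = rule.get("threshold", 0)
    if threshold == 0:
        return [Alert(rule["name"], rule["severity"], 1, e.ts, e.ts)
                for e in matching]
    window = timedelta(seconds=rule.get("window_seconds", 3600))
    alerts, start = [], 0
    for end, ev in enumerate(matching):
        # Slide the window start forward until it spans at most `window`.
        while ev.ts - matching[start].ts > window:
            start += 1
        count = end - start + 1
        if count > threshold:
            alerts.append(Alert(rule["name"], rule["severity"], count,
                                matching[start].ts, ev.ts))
            start = end + 1  # reset: one alert per burst
    return alerts


def wants_email(alert, min_severity):
    """Severity floor for notifications, e.g. 'high' keeps high and critical."""
    return SEVERITY_ORDER[alert.severity] >= SEVERITY_ORDER[min_severity]


def run_pipeline(events, rules, min_email_severity="high"):
    """Return (alerts shown on the dashboard, alerts that also send e-mail)."""
    alerts = []
    for rule in rules:
        alerts.extend(rule_alerts(events, rule))
    emails = [a for a in alerts if wants_email(a, min_email_severity)]
    return alerts, emails


if __name__ == "__main__":
    shown, mailed = run_pipeline(build_sample_events(), RULES)
    for a in shown:
        print(f"ALERT {a.rule:18} sev={a.severity:8} count={a.count}")
    print("e-mailed:", [a.rule for a in mailed])
```

With the constructed input, 83 raw events collapse to two dashboard alerts (one adware burst alert with a count of 61, one critical beacon), and only the beacon passes the "high or above" e-mail floor. Setting the adware rule's threshold to 0 shows the untuned behaviour: every one of the 80 adware events becomes its own alert.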
