Overview
Out-of-the-box detection rules help you cover the majority of threat scenarios, but you can also create custom detection rules for your specific use cases. See Create Rule for instructions on how to create a custom rule.
Rule types
You can create the following types of custom detection rules:
- Real-time rule: Continuously monitors and analyzes incoming logs.
- Scheduled rule: Runs at pre-scheduled intervals to analyze log data.
- Historical job: Backtest detections by running detections against historical logs.
Detection methods
The following detection methods are available when you create a custom detection rule or historical job:
- Threshold: Detects when events exceed a user-defined threshold.
- New value: Detects when an attribute changes to a value that has not been seen before.
- Anomaly: Detects when a behavior deviates from its historical baseline.
- Content anomaly: Detects when an event’s content is anomalous compared to the historical baseline.
- Impossible travel: Detects user activity logs that imply a physically impossible travel speed between locations.
- Third party: Maps third-party security logs to signals, setting the severity based on log attributes.
- Signal correlation: Combines multiple signals together to generate a new signal so you can alert on more complex use cases and reduce alert fatigue.
Filter logs based on Reference Tables
Reference Tables allow you to combine metadata with logs, providing more information to resolve application issues. When you define a query for a rule, you can add a query filter based on a Reference Table to perform lookup queries. For more information on creating and managing this feature, see the Reference Tables guide.
In the following example, a Reference Table containing product information is used to filter and enrich logs:
Unit testing
Use unit testing to test your rules against sample logs and make sure the detection rule is working as expected. This can be helpful when you are creating a detection rule for an event that hasn’t happened yet, so you don’t have actual logs for the event. For example: you have logs with a login_attempt field and want to detect logs with login_attempt:failed, but you only have logs with login_attempt:success. To test the rule, you can construct a sample log by copying a log with login_attempt:success and changing the login_attempt field to failed.
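As an added illustration of the unit-testing workflow above (example code, not Datadog's rule engine or any product API), the following Python builds a login_attempt:failed sample from the only real log available, a success, and runs it through a hypothetical minimal evaluator for the Threshold and New value detection methods. The field names client_ip and usr, the attr:value query syntax and the sample values are simplified assumptions.

```python
import copy
from collections import defaultdict
# Constructed sample log (not from the page): the only "real" log is a success.
SUCCESS_LOG = {"timestamp": 0, "usr": "alice", "client_ip": "203.0.113.10",
               "login_attempt": "success"}

def make_failed_sample(log, timestamp):
    """Unit-test helper: copy a success log and flip login_attempt to failed."""
    sample = copy.deepcopy(log)
    sample.update(login_attempt="failed", timestamp=timestamp)
    return sample

def matches(log, query):
    """Simplified 'attr:value' matcher standing in for the rule's log query."""
    attr, _, value = query.partition(":")
    return str(log.get(attr)) == value

def threshold_rule(logs, query, group_by, threshold, window):
    """Threshold method: signal per group_by value exceeding `threshold` matching events in a sliding `window` (s)."""
    buckets = defaultdict(list)
    for log in sorted(logs, key=lambda l: l["timestamp"]):
        if matches(log, query):
            buckets[log[group_by]].append(log["timestamp"])
    signals = []
    for key, times in buckets.items():
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 > threshold:
                signals.append(key)
                break
    return signals

def new_value_rule(logs, attr, baseline):
    """New value method: signal when attr takes a value not in the baseline."""
    seen, signals = set(baseline), []
    for log in logs:
        if log.get(attr) not in seen:
            signals.append(log[attr])
            seen.add(log[attr])
    return signals

def run_unit_test():
    """Build failed-login samples from the success log and run both rules."""
    logs = [SUCCESS_LOG] + [make_failed_sample(SUCCESS_LOG, t) for t in range(10, 70, 10)]
    brute = threshold_rule(logs, "login_attempt:failed", "client_ip", 5, 300)
    new_ip = new_value_rule(logs, "client_ip", {"198.51.100.7"})
    return brute, new_ip
```

Six constructed failures from one client IP inside five minutes trip the threshold rule, and the same IP, absent from the baseline, trips the new-value rule; the original success log is left unchanged by the copy.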
Further Reading
Additional helpful documentation, links, and articles: