Alert Profiler
In the Threat Command module, threats that do not pass internal Rapid7 algorithms are not elevated to alerts. This ensures that your company receives alerts that are tailored to your business. The decision as to whether a threat is relevant to a user is very case-dependent, with each business having a different threat landscape and business need.
The one-size-fits-all approach doesn’t do the best job possible; oversensitivity can lead to excess alerts, and not enough sensitivity can lead to missed alerts.
The Threat Command Alert Profiler feature solves this problem, enabling users to fine-tune which threats are elevated to alerts and which threats are not.
This advanced feature is available to users with a subscription to both the Threat Command and Automation modules. To configure the Alert Profiler, you must have administrative access to Threat Command.
How the Alert Profiler works
Using the Alert Profiler, you build custom rules to define your own alerting use cases or scenarios. With those rules, you can:
- Eliminate alerts that are less relevant to your needs.
- Describe specific conditions that should trigger alerts, in case they are not detected by the default Rapid7 algorithm.
You can use the Alert Profiler for the following threat scenarios:
- Phishing - Suspected phishing domains, phishing websites, or Phishing Watch threats
- Exploitable Data - Open ports, Email security validation, Certificate issues, SSL issues, Exposed services, and Vulnerabilities.
- Public Repositories - Secret key or asset mentions in public repositories.
- Brand Security - Suspicious Twitter profiles or references in tweets.
- Data Leakage - Publicly exposed company documents.
- Attack Indication - Credit cards, botnet credentials, or company-related products for sale on the dark web.
To use the Alert Profiler, open the Automation > Alert Profiler page.
When you open the Alert Profiler, select a threat scenario. The current rules are displayed, together with their status.
The following figure illustrates the initial state, where the Suspected Phishing Domain threat scenario has two default rules enabled:
These out-of-the-box rules exactly match the current situation. The Alert Profiler does not affect how alerts are created until you make modifications to the set of rules. For example, in the phishing scenario, the default Suspected Phishing Domain detection rule is enabled, which works exactly as the Rapid7 algorithm works. (The added Suspected Phishing Domain with MX record rule is a subset of the previous rule, so its presence has no effect on the way alerts are created, as long as they are both enabled.)
You can see the rule details by clicking them.
You can modify current rules or add new rules to produce the following results:
- To be more specific about how alerts are created, create rules with more conditions than the default rule. It is recommended to modify the default rule using the ALL operator to add conditions; this gives an excellent starting point.
- To be less specific about how alerts are created, create rules with fewer or different conditions than the default rule. You can add conditions to the default rule with the ANY operator, or you can create new rules.
For more information on how to create rules, see Adding alert profiler rules.
As part of the rule creation, you can add tags to matched alerts. This helps you identify and group similar alerts. You can also define the severity of the created alert.
After a new rule is added, you can approximate how that rule matches current threats, so you can determine if the rule fits your needs. For more information, see Rule efficacy.
If a threat matches more than one enabled rule, one alert (only) is created with the following characteristics:
- The alert is assigned the highest severity of the matched rules.
- The alert has the tags of all matched rules.
Some alerts can be aggregated, combined into easier-to-use chunks. For more information, see Aggregate Alerts.
Adding Alert Profiler rules
Create rules to fine-tune which threats are elevated to alerts, so that the alerts are relevant to your use case.
To create Alert Profiler rules:
- From the Automation > Alert Profiler rule list area, click the + sign.
  A new rule window is displayed.
- Type a name and description (optional) for the rule.
- Use conditions to create rules.
  For more information about the rule creator, see The rule creator.
  The conditions that you can use to create rules are described in each scenario's rule conditions topic.
- Set the severity to apply to an alert (if it matches).
- (Optional) You can add tags to an alert (if it matches):
  - Click the + sign.
  - In the field that opens, type the name of an existing (or new) tag to be applied, then press Enter.
  - You can repeat this for additional tags.
- Click Save changes.
  New rules are created in a disabled state. That way, you can determine their efficacy before enabling them. The Match Count column shows how the new rule would have affected threats already in the system, though nothing is actually changed in the system. It can take several minutes before this data appears. Use this information to estimate how the new rule might impact new threats, and decide whether the rule you created should be enabled, edited, or deleted. For more information, see Rule efficacy.
- To enable the new rule, select the enable rule slider.
After a rule is enabled, the Match Count column restarts from zero, and then shows how many actual new threats were elevated to alerts due to each rule.
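The following Python model is an added example, not Rapid7 code, and illustrates the two behaviours described on this page: a disabled rule only accumulates a match count, and a threat that matches several enabled rules produces a single alert carrying the highest severity and the union of the rules' tags. The threat fields (`similar_to_asset`, `mx_record`, `http_live`), the severity ordering and the sample rules are constructed for the illustration; the subset "with MX record" rule is deliberately given a higher severity and a tag so that the merge is visible.

```python
from dataclasses import dataclass, field
from typing import Optional

SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3}  # constructed ordering

@dataclass
class Rule:
    name: str
    conditions: list           # predicates: threat dict -> bool
    operator: str = "ALL"      # ALL narrows a rule; ANY broadens it
    severity: str = "Medium"
    tags: set = field(default_factory=set)
    enabled: bool = False      # new rules start disabled (preview only)
    match_count: int = 0       # incremented on every match, enabled or not

    def matches(self, threat: dict) -> bool:
        combine = all if self.operator == "ALL" else any
        return combine(cond(threat) for cond in self.conditions)

def evaluate(threat: dict, rules: list) -> Optional[dict]:
    """Return one alert (or None) for a threat. Disabled rules only count
    matches; enabled matches merge into a single alert with the highest
    severity and the union of tags of the rules that matched."""
    hits = []
    for rule in rules:
        if rule.matches(threat):
            rule.match_count += 1
            if rule.enabled:
                hits.append(rule)
    if not hits:
        return None
    top = max(hits, key=lambda r: SEVERITY_RANK[r.severity])
    return {"severity": top.severity,
            "tags": set().union(*(r.tags for r in hits)),
            "rules": [r.name for r in hits]}

def sample_rules() -> list:
    """Constructed rule set over hypothetical threat fields."""
    similar = lambda t: t.get("similar_to_asset", False)
    has_mx = lambda t: t.get("mx_record", False)
    live = lambda t: t.get("http_live", False)
    return [
        Rule("Suspected Phishing Domain", [similar], enabled=True),
        Rule("Suspected Phishing Domain with MX record", [similar, has_mx],
             severity="High", tags={"mx"}, enabled=True),
        # Candidate rule left disabled: it is counted but never alerts.
        Rule("Lookalike with live site", [similar, live],
             severity="High", tags={"live"}),
    ]
```

Running `evaluate` over a threat that satisfies all three sample rules yields one High alert tagged `mx` from the two enabled rules, while the disabled candidate rule's `match_count` still increments, which is the preview behaviour the Match Count column provides before you enable a rule.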
Other rule activities
You can use the toolbar to delete, duplicate, and disable rules.
To perform other rule activities:
- Select rules.
- From the toolbar, click an icon to delete, duplicate, or enable/disable the selected rules.
If you disable (or delete) all rules in a scenario, then this scenario will no longer create any alerts.