Alert Profiler rules determine whether threats or vulnerabilities are elevated to alerts. The information displayed in the Decision Parameters tab helps to understand why an alert was triggered or not.
This tab is available for the following alert types:
- Phishing Domains
- Exposed Services
- Bot Data for Sale
- Black Markets
By using this information, you can add or modify Alert Profiler rules to be more or less sensitive, so that alerts are created according to your specific needs.
The following figures illustrate this process.
The first figure displays all the Alert Profiler rules for Suspected Phishing Domain threats:
There are four active rules. A threat that matches one (or more) of these rules will be elevated to an alert.
The following figure displays the Decision Parameters tab of the ho-mail.jp alert:
This figure shows that the threat matched three (of the four enabled) Alert Profiler rules. The fourth rule is not displayed because it was not relevant in creating an alert, that is, the threat failed the fourth rule.
The following figure displays the Decision Parameters tab of a threat that did not meet the necessary conditions, and thus was not elevated to an alert:
While it is true that threats can be elevated to alerts, there is a major difference between alerts and threats:
- Once an alert has been generated, it will always remain an alert, even if the underlying factors have changed.
- A threat, on the other hand, is dynamic; the same threat that is elevated based on today's facts may not warrant being elevated tomorrow if the underlying factors have changed. For example, if the suspicious domain had an MX record, it could have been elevated to an alert. If that record were later removed, the threat may no longer be alert-worthy.
- For this reason, when one compares an alert to its threat, keep in mind that threats are dynamic, and alerts are static.
This can lead to a situation where a threat is elevated to an alert because it passed Alert Profiler tests. Sometime later, that same threat no longer passes the tests. The alert is still valid, but the threat shows that no alert is warranted.
This effect is described on the threat detail screen: "the alert decision parameters may not be aligned with those of the threat..."
Decision parameters are shown for some threats, too, but they may not match those shown for the related alert:
- For alerts, only matching rules are shown, whereas, for threats, all rules are shown.
- If an alert was created due to an event, that will be shown in the alert decision parameters, but not for the related threat.