Alert Profiler Rule Creator

Use the Alert Profiler rule creator to fine-tune which threats are elevated to alerts.

The rule creator is a straightforward, graphical way to create “If...Then” statements: If a threat matches the conditions, then create an alert.

You can also simplify statements by applying a “group” to conditions (akin to putting them inside parentheses). Use the Add Group option for this.

The following terms apply when creating rules:

AnyCreate an alert if ANY of the conditions are met. This is like the “OR” operator used between logical conditions and is commonly used to expand the detection and creation of alerts for those cases.
AllCreate an alert only if ALL the conditions are met. This is like the “AND” operator used between logical conditions and is commonly used to reduce the detection and creation of alerts for those cases.
FeatureProperties of the examined domain, for example, domain name or the website behind it.
OperatorThe logical test condition, for example, “does it contain” or “does it not contain”. You can create a condition that requires a certain property of the examined domain to have a certain value. If that condition is met, the result is true.
ValueWhat is being matched against, for example “MX record” or “Company asset”. After selecting certain values, another field is displayed for required input.

The following are sample rules. For information on how to create rules, see Adding Alert Profiler rules.

Rule creator example 1 The following figure shows the Suspected Phishing Domain with MX record rule (part of the Suspected Phishing Domain threat scenario):

![temporary placeholder](/threat-command/images/etp_alert_profiler_phishing_creation.png)
Click the rule to view its properties:
![temporary placeholder](/threat-command/images/etp_profiler_phishing_MX_record_explained.png)
| **Section** | **Description** |
| --- | --- |
| 1 | Name and description. |
| 2 | Selecting all requires a match for all conditions. |
| 3 | Did the Threat Command internal detection algorithm determine that this domain is a phishing domain? |
| 4 | Does the domain contain an MX record? This condition was added by clicking**Add condition**(5). |
| 5 | You can add additional conditions or groups of conditions. |
| 6 | If the threat matches all conditions, then an alert will be created with high severity. |
| 7 | If an alert is created, the specified tag will be added to it. |
This is one of the default rules for suspected phishing domains. If the current rules create alerts that are not relevant for your business needs, you can define additional conditions (in this rule or in another enabled rule). If the current rules are not picking up threats that should be elevated to alerts, you can loosen up the requirements to generate an alert, perhaps by changing all to any or by removing one of the current conditions.

Rule creator example 2

The following figure shows the properties of a custom rule that uses ALL and ANY as well as a condition group:

temporary placeholder

This rule, from the ACME company, was created as a group, by using Add Group instead of Add Condition.

The rule can be read as:

If (1) the Threat Command internal detection algorithm determined that this domain is a phishing domain OR if (2) the domain name includes acme) AND (3) the domain contains an MX record, THEN (4) create a high severity alert with a tag, as specified.

Rule efficacy

You can use the Alert Profiler Match count column to determine how well a rule works, both before and after enabling the rule. This is illustrated in the following figure: temporary placeholder

  • Area 1
  • As soon as a rule is created or changed, and before it’s enabled, it is tested against threats in the database (maximum 10,000 threats). The estimation in the Match count column can indicate how broad the rule is (catching too many threats) or how narrow it is (catches too few threats) or if it has bugs (provides strange results).
  • This estimation process, which runs in the background, can take some time, depending on the size of the threat database. The matches are against threats already in the system, so the results can differ from future expected performance.
  • Area 2 
  • When the alert estimation is complete, a final estimate is displayed, as the <number of matched threats/total number of threats currently in the system>.
  • Area 3
  • When a rule is enabled, the count returns to zero. The actual number of new threat matches updates as more matches are made.

When you click any of the numbers in the Match count column, a list of matching threats is displayed. You can click a threat to see its details in the Threats page.

The Match count number is reset every time a change to a rule is made.