Create Alerts from Events
You can have an additional alert created when a specific event takes place in a previously reported alert. For example, you may want a new alert to be opened for a suspicious phishing domain that was already alerted on, if that domain gets a new MX record or if its registrant name changes. You can also set the severity of that new alert.
This feature is relevant to the Phishing Domains and the Vulnerabilities threat scenarios.
Event-activated alerts can override Alert Profiler rules. For example, if a previously-existing alert of type A now has an event-activated alert of type B, that event will generate a new alert of type B, even if an Alert Profiler rule negates the creation of alert type A.
You can create a new alert when any of the following events have taken place:
Threat Scenario | Event | Description
---|---|---
Phishing Domains | A record changed | Any change was made in an A record.
Phishing Domains | MX record changed | Any change was made in an MX record.
Phishing Domains | Registrant name changed | The registrant of the domain was changed.
Phishing Domains | Registrar name changed | The registrar name was changed.
Phishing Domains | Website content changed | The content on the website was changed significantly.
Vulnerabilities | Exploit is available | An exploit was discovered for the vulnerability.
Vulnerabilities | CVE is trending | The vulnerability is trending (daily, monthly, etc.).
Vulnerabilities | IntSights score increase | The IntSights score has increased.
Vulnerabilities | CVSS score increase | The CVSS score has increased.
For Phishing Domains alerts, the name of the event that triggered the alert is shown in the alert's Decision Parameters tab.
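The following is an added illustration of the event semantics described above, written for this page; it is not IntSights or Threat Command code. It models the four DNS/WHOIS events as a diff between two constructed snapshots of a domain, then opens a new alert for each enabled event at its configured severity, ignoring Alert Profiler suppression as the override rule requires. The snapshot field names, alert IDs and severity labels are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass

# Page-listed Phishing Domains events, keyed by the (assumed) snapshot field
# whose change produces them. "Website content changed" is not modelled here.
DOMAIN_EVENT_FIELDS = {
    "a_records": "A record changed",
    "mx_records": "MX record changed",
    "registrant": "Registrant name changed",
    "registrar": "Registrar name changed",
}


@dataclass
class Alert:
    alert_id: str
    domain: str
    severity: str
    triggered_by: str = ""  # for event alerts, shown under Decision Parameters


def detect_domain_events(previous: dict, current: dict) -> list[str]:
    """Name the events that occurred between two constructed domain snapshots."""
    return [name for key, name in DOMAIN_EVENT_FIELDS.items()
            if previous.get(key) != current.get(key)]


def trigger_additional_alerts(existing: Alert, events: list[str],
                              enabled: dict[str, str],
                              profiler_suppresses: bool) -> list[Alert]:
    """Open one new alert per enabled event on a previously reported domain.

    `enabled` maps an event name to the severity configured for it.
    `profiler_suppresses` is intentionally never consulted: event-activated
    alerts override Alert Profiler rules, so a rule that would negate the
    original alert type does not stop the event-triggered alert.
    """
    new_alerts = []
    for n, event in enumerate(events, start=1):
        if event not in enabled:
            continue  # event not selected under "Trigger additional alerts"
        new_alerts.append(Alert(
            alert_id=f"{existing.alert_id}-event{n}",  # constructed ID scheme
            domain=existing.domain,
            severity=enabled[event],
            triggered_by=event,
        ))
    return new_alerts
```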
To create alerts from events:
1. From the Automation > Alert Profiler page, enable Trigger additional alerts, then click Modify.
2. Select the events to enable and set the severity to apply to the new alert.
3. Click Save Updates.
If an alert was generated by an event, the Decision Parameters tab will indicate that, and will not show the rules that were matched. For more information, see Decision Parameters.