Add custom detection signals that are unique and critical to your environment.

Procedure

  1. On the Detection Signals tab, click Add Signal.
  2. In the Basic Properties area, specify a name for the signal and optionally provide a description. Choose a name that clearly identifies the deviation from normal behavior that the signal is meant to detect.
  3. In the Signal Definition area, define the signal.
    1. Select a condition field from the drop-down list.
    2. Select the desired operator from the drop-down list.
      Available operators include both integer value comparison operators and string value matching operators. For example, the less-than-or-equal-to operator matches when the condition field contains an integer that is less than or equal to the specified integer value.
    3. Enter or select the desired value as a string or integer if necessary.
      The following table describes the supported conditions (condition field, operator, and description for each).

      Condition field: Sender domain activity within the past 30 days
      Operator: less than or equal to (integer comparison)
      Description: The sender's domain in the From header field of an email has exhibited activity on no more than the specified number of days in the past 30 days.
      Default value: 5. Range: 0 - 30. Unit: days.
      For example, setting the value to 0 means that the sender domain has not shown any activity in the past 30 days.

      Condition field: Sender address activity within the past 30 days
      Operator: less than or equal to (integer comparison)
      Description: The sender's address in the From header field of an email has exhibited activity on no more than the specified number of days in the past 30 days.
      Default value: 5. Range: 0 - 30. Unit: days.
      For example, setting the value to 0 means that the sender address has not shown any activity in the past 30 days.

      Condition field: Sender domain registration age
      Operator: less than or equal to (integer comparison)
      Description: The sender's domain in the From header field of an email was newly registered within the specified number of days.
      Default value: 7. Range: 1 - 366. Unit: days.
      For example, setting the value to 1 means that the sender domain was registered within the past 24 hours.

      Condition field: Email traffic direction
      Operator: Is, Is Not
      Description: The direction of the email traffic to check for anomalies: incoming emails, outgoing emails, or internal emails.
      Setting the condition Email traffic direction Is Incoming matches emails from external senders outside your organization.
      Setting the condition Email traffic direction Is Sent matches emails sent to external users outside your organization or to internal users within your organization.
      Setting the condition Email traffic direction Is Not Sent matches emails from external senders outside your organization or from internal senders within your organization.
    Note
    Currently, you can configure only one condition in the signal definition.
  4. Review the signal definition and confirm that it meets your requirements.
  5. Click Save.
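The thresholds in the condition table are easier to choose once you see how each condition is computed against real mail metadata. The Python module below is an added example written for this page, not the product's own code. It evaluates the four condition fields over a constructed month of mail history; the Message and Signal types, the field and operator spellings ("domain_activity", "<=", "is not"), the direction value names "Incoming" and "Sent", the case-folding of addresses, and all sample messages and registration dates are assumptions made for the illustration.

```python
"""Evaluate the custom detection signal conditions over constructed mail metadata.

Added example for this page, not the product's own code. Field names, operator
spellings, the Message/Signal types, direction value names and all sample data
are assumptions made for the illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

WINDOW_DAYS = 30  # the "past 30 days" window used by the two activity conditions

# Value ranges taken from the condition table: (lower, upper), inclusive.
RANGES = {
    "domain_activity": (0, 30),
    "address_activity": (0, 30),
    "registration_age": (1, 366),
}


@dataclass(frozen=True)
class Message:
    sender: str         # address taken from the From header
    received: datetime
    direction: str      # assumed value names: "Incoming" or "Sent"

    @property
    def domain(self) -> str:
        return self.sender.rsplit("@", 1)[-1].lower()


@dataclass(frozen=True)
class Signal:
    field: str      # "domain_activity" | "address_activity" | "registration_age" | "direction"
    operator: str   # "<=" for the integer fields, "is" / "is not" for direction
    value: object


def is_valid(signal: Signal) -> bool:
    """Check an integer-field value against the range given in the table."""
    if signal.field not in RANGES:
        return True
    lo, hi = RANGES[signal.field]
    return isinstance(signal.value, int) and lo <= signal.value <= hi


def _active_days(history, matches, now):
    """Distinct calendar days in the past WINDOW_DAYS with a matching message.

    Only messages before `now` and inside the window count, so the message
    being evaluated is never treated as its own prior activity.
    """
    start = now - timedelta(days=WINDOW_DAYS)
    return len({m.received.date() for m in history
                if start <= m.received < now and matches(m)})


def domain_activity_days(history, msg):
    return _active_days(history, lambda m: m.domain == msg.domain, msg.received)


def address_activity_days(history, msg):
    return _active_days(history, lambda m: m.sender.lower() == msg.sender.lower(),
                        msg.received)


def registration_age_days(registered: datetime, now: datetime) -> float:
    """Age in fractional days, so "<= 1" means registered within the past 24 hours."""
    return (now - registered) / timedelta(days=1)


def evaluate(signal, msg, history, registered=None):
    """Return True when `msg` satisfies the single condition of `signal`."""
    if signal.field == "direction":
        if signal.operator not in ("is", "is not"):
            raise ValueError(f"unsupported operator {signal.operator!r} for direction")
        same = msg.direction == signal.value
        return same if signal.operator == "is" else not same
    if signal.operator != "<=":
        raise ValueError(f"unsupported operator {signal.operator!r} for {signal.field}")
    if signal.field == "domain_activity":
        actual = domain_activity_days(history, msg)
    elif signal.field == "address_activity":
        actual = address_activity_days(history, msg)
    elif signal.field == "registration_age":
        if registered is None:      # no registration data: the condition cannot match
            return False
        actual = registration_age_days(registered, msg.received)
    else:
        raise ValueError(f"unknown condition field {signal.field!r}")
    return actual <= signal.value


# Constructed sample data: a month of mail from one partner domain (not real traffic).
NOW = datetime(2024, 5, 20, 12, 0)
HISTORY = [
    Message("alice@partner.example", datetime(2024, 4, 10, 9), "Incoming"),  # outside window
    Message("alice@partner.example", datetime(2024, 5, 1, 9), "Incoming"),
    Message("Alice@Partner.Example", datetime(2024, 5, 3, 9), "Incoming"),   # case-folded
    Message("alice@partner.example", datetime(2024, 5, 10, 9), "Incoming"),
    Message("alice@partner.example", datetime(2024, 5, 15, 9), "Incoming"),
    Message("alice@partner.example", datetime(2024, 5, 18, 9), "Incoming"),
    Message("bob@partner.example", datetime(2024, 5, 19, 9), "Incoming"),
]
MSG_KNOWN = Message("alice@partner.example", NOW, "Incoming")
MSG_NEW = Message("ceo@brand-new.example", NOW, "Incoming")
REGISTERED_20H_AGO = NOW - timedelta(hours=20)   # assumed registration times
REGISTERED_3D_AGO = NOW - timedelta(days=3)

if __name__ == "__main__":
    unseen_domain = Signal("domain_activity", "<=", 0)
    new_domain = Signal("registration_age", "<=", 1)
    print("known sender, unseen-domain signal:", evaluate(unseen_domain, MSG_KNOWN, HISTORY))
    print("new sender, unseen-domain signal:  ", evaluate(unseen_domain, MSG_NEW, HISTORY))
    print("new sender, domain 20h old, <= 1:  ",
          evaluate(new_domain, MSG_NEW, HISTORY, registered=REGISTERED_20H_AGO))
```

Two details matter when picking thresholds. The activity conditions count distinct days, not messages, so a sender that mails ten times in one day still has an activity of 1, and the default of 5 matches the regular sender above (five active days, less than or equal to 5). The registration-age condition is compared in fractional days, which is why a value of 1 corresponds to the past 24 hours and why a domain with no registration data cannot satisfy the condition at all.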