Adding a custom detection signal

On the Detection Signals tab, click Add Signal.

Specify a name for the signal and optionally provide a description in the Basic Properties area. The name can help clearly identify what signals deviating from normal behaviors that you want to detect.

In the Signal Definition area, define the signal.

Select a condition field from the drop-down list.
Select the desired operator from the drop-down list.

Available operators include both integer value comparison operators and string value matching operators. For example, ≤ means that the condition field contains an integer that less than or equal to the specified integer value.

Enter or select the desired value as a string or integer if necessary.

The following table describes the supported conditions

Condition Field	Operator	Description
Sender domain activity within the past 30 days	≤	The sender's domain in the From header field of an email has exhibited activity for less than or equal to the specified number of days in the past 30 days. Default value: 5. Range: 0 - 30. Unit: days. For example, setting the value to 0 means that the sender domain has not shown any activity in the past 30 days.
Sender address activity within the past 30 days	≤	The sender's address in the From header field of an email has exhibited activity for less than or equal to the specified number of days in the past 30 days. Default value: 5. Range: 0 - 30. Unit: days. For example, setting the value to 0 means that the sender address has not shown any activity in the past 30 days.
Sender domain registration age	≤	The sender's domain in the From header field of an email was registered for less than or equal to the specified number of days. Default value: 7. Range: 1 - 366. Unit: days. For example, setting the value to 1 means that the sender domain has just been registered within the past 24 hours.
Email traffic direction	Is Is Not	The email traffic to detect anomalies is incoming emails, outgoing emails, or internal emails. Setting the condition Email traffic direction Is Incoming means the emails that are from external senders outside your organization. Setting the condition Email traffic direction Is Sent means the emails that are sent to external users outside your organization or to internal users within your organization. Setting the condition Email traffic direction Is Not Sent means the emails that are from external senders outside your organization or internal senders within your organization.
Reply-To domain activity within the past 30 days	≤	The recipient's domain in the Reply-To header field of an email has exhibited activity for less than or equal to the specified number of days in the past 30 days. Default value: 5. Range: 0 - 30. Unit: days. For example, setting the value to 0 means that the Reply-To domain has not shown any activity in the past 30 days.
Reply-To address activity within the past 30 days	≤	The recipient's address in the Reply-To header field of an email has exhibited activity for less than or equal to the specified number of days in the past 30 days. Default value: 5. Range: 0 - 30. Unit: days. For example, setting the value to 0 means that the Reply-To address has not shown any activity in the past 30 days.
URL domain registration age in email	≤	The domain of any URL in an email was registered for less than or equal to the specified number of days. Default value: 30. Range: 1 - 366. Unit: days. For example, setting the value to 1 means that the domain of at least one URL in an email has just been registered within the past 24 hours.
Sender address	Is In Is Not In	The sender's address of an email is or is not in the specified email address list. A maximum of 50 email addresses is supported. The asterisk () wildcard is supported to represent zero or more characters in the local part and domain of an email address, for example, `@example.com`, `name@.com`, and `@*.example.com`

Note

Currently, you can configure only one condition in the signal definition.

View and confirm that the signal definition meets your requirement.

Click Save.

Procedure

Note