Adding a Custom Rule

Add custom rules based on saved search filters to be alerted of specific threats.


A maximum of 500 custom rules can be added.

  1. Go to Alerts > Custom Rules, and then click Add Rule.

    The Add Rule screen appears.

  2. Toggle the status of this rule.
  3. Type a name for this rule.
  4. Select the alert level to assign to this rule.
  5. Click Select Filter, select a Network Detections or Email Messages saved search to use as criteria for this rule, and then click Apply.

    Subsequent changes made to the selected filter will not be applied after the rule is created.

  6. Do one of the following:
    • For Network Detections saved searches, select the appliances to include as data source of this rule.
    • For Email Messages saved searches, select domains from which email messages should be included in this rule.
  7. Select the frequency at which the rule criteria are checked.
    • Shorter frequencies mean that the alert will be generated more often. Select longer frequencies to reduce the noise the alert generates.

    • Custom rules are configured to immediately generate alerts if rule criteria are met or exceeded. Only the Check frequency can be modified.

  8. Specify the threshold.
  9. (Optional) Type a description for this rule.
  10. (Optional) Select or disable Send to all accounts.

    This setting can be used in combination with the additional recipients field.

  11. (Optional) Select a contact, type to search, or type an email address and press ENTER.

    The contact or account is added to the recipients.

  12. (Optional) Modify the subject line. Compatible tokens are displayed on the right side and can be inserted at the text cursor's position by clicking the token.
  13. Click Save.