Creating a Custom Model

Create a custom model to define the specific events that you want to trigger Workbench alerts.


This feature is not yet available in all regions.

Custom models are composed of basic information, the user-defined custom filter, and other parameters, such as the number of events required to trigger an alert and how often the filter query is applied to your activity data.


You can create a maximum of 50 custom models.

  1. From XDR Threat Investigation > Detection Model Management, click the Custom Models tab and then click Add.
  2. Specify the General settings.
    1. Type the Model name to identify the model on the Custom Models tab.
    2. Type the Description.

      You can view the description in the details panel that appears when you click the model name in the custom models list.

    3. Select the Severity of the model.

      Selecting a severity of Medium or higher affects the Risk Index in Executive Dashboard and Operations Dashboard. During testing and tuning of the model, select a severity of Low to avoid inadvertently affecting your indexes.

  3. Specify Event filtering settings.

    Currently, only a single event filter is supported. The option to specify multiple filters is coming soon.

    1. Select a custom filter in the Filter name drop-down menu.

      Selecting Create custom filter opens the Custom Filter Settings screen in a new browser tab. After creating the new custom filter, return to the previous browser tab and select the filter.

      For more information, see Creating a Custom Filter.

    2. Specify the Threshold to determine the number of events that must occur to trigger an alert.

      The threshold must be a positive integer greater than 0.

  4. Specify the Event Grouping.
    • Company: Trigger an event when the threshold is met anywhere in your organization.

    • Endpoint: Trigger an event when the threshold is met and associated with a single endpoint.


      Only the 10 endpoints with the most matched events will be included in the event.

    • User account: Trigger an event when the threshold is met and associated with a single user account.


    To reduce alert fatigue, Workbench alerts only include the top targets with matched events. For example, if you group by Endpoint, alerts will include only the top 10 endpoints with the highest number of matched events.

  5. Specify the query Schedule.
    1. Select the Frequency to determine how often the filter queries the activity data.
    2. Specify the Period to determine the span of time that is queried each time the filter is run.

      If you specify a period that is greater than the frequency, it will cause the filter to be applied to previously queried data. This can lead to the same event appearing in multiple alerts.

    3. Select the Status whether to enable the custom detection model after saving the settings.
  6. Click Save.

When enabled, the custom model continuously searches for matched events.


The custom model triggers an alert when an event occurs the number of times specified by the threshold, within the event grouping, and according to the configured schedule. For example, you specify a threshold of 5, group by Endpoint, the period is Last 1 hour, and a frequency of 15 minutes. Every 15 minutes when the filter queries the activity data, an alert would be triggered if the event specified by your custom filter occurs five times on a single endpoint during a one-hour period of queried activity data.