Create a custom model to define the specific events that you want to trigger Workbench alerts.
This feature is not yet available in all regions.
Custom models are composed of basic information, the user-defined custom filter, and other parameters, such as the number of events required to trigger an alert and how often the filter query is applied to your activity data.
You can create a maximum of 50 custom models.
You can view the description in the details panel that appears when you click the model name in the custom models list.
Selecting a severity of Medium or higher affects the Risk Index in Executive Dashboard and Operations Dashboard. During testing and tuning of the model, select a severity of Low to avoid inadvertently affecting your indexes.
Currently, only a single event filter is supported. The option to specify multiple filters is coming soon.
Selecting Create custom filter opens the Custom Filter Settings screen in a new browser tab. After creating the new custom filter, return to the previous browser tab and select the filter.
For more information, see Creating a Custom Filter.
The threshold must be an integer greater than 0.
Company: Trigger an event when the threshold is met anywhere in your organization.
Endpoint: Trigger an event when the threshold is met and associated with a single endpoint.
Only the 10 endpoints with the most matched events will be included in the event.
User account: Trigger an event when the threshold is met and associated with a single user account.
To reduce alert fatigue, Workbench alerts only include the top targets with matched events. For example, if you group by Endpoint, alerts will include only the top 10 endpoints with the highest number of matched events.
If the period is longer than the frequency, each scheduled run applies the filter again to activity data that was already queried by the previous run. The same event can therefore appear in multiple alerts.
When enabled, the custom model continuously searches for matched events.
The custom model triggers an alert when an event occurs the number of times specified by the threshold, within the event grouping, and according to the configured schedule. For example, suppose you specify a threshold of 5, group by Endpoint, set the period to Last 1 hour, and set a frequency of 15 minutes. Every 15 minutes, when the filter queries the activity data, an alert is triggered if the event specified by your custom filter occurs five times on a single endpoint within the one-hour period of queried activity data.
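The following is an added example, not code from the product or its documentation, that models how the threshold, event grouping, period and frequency settings above combine into an alert decision. The activity records, endpoint and user names, and the `evaluate_model` and `schedule_runs` functions are all constructed for illustration. It reproduces the worked example (threshold 5, group by Endpoint, period 1 hour, frequency 15 minutes) and also shows the overlap effect described earlier: with a period longer than the frequency, the same five events land in three consecutive alerts, while a frequency equal to the period yields one.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample activity data (hypothetical, not product data):
# five filter-matched events on host-a and three on host-b between
# 09:05 and 09:40, plus one record the custom filter does not match.
def _ev(hhmm, endpoint, user, matched=True):
    return {"time": datetime.fromisoformat(f"2024-01-01T{hhmm}:00"),
            "endpoint": endpoint, "user": user, "matched": matched}

SAMPLE_EVENTS = [
    _ev("09:05", "host-a", "alice"),
    _ev("09:10", "host-a", "bob"),
    _ev("09:15", "host-a", "alice"),
    _ev("09:20", "host-a", "bob"),
    _ev("09:25", "host-a", "alice"),
    _ev("09:12", "host-b", "carol"),
    _ev("09:30", "host-b", "carol"),
    _ev("09:40", "host-b", "carol"),
    _ev("09:18", "host-c", "dave", matched=False),
]


def evaluate_model(events, now, threshold, group_by, period, top_n=10):
    """One scheduled run of a custom model at time `now`.

    events:    activity records with keys time, endpoint, user, matched
    threshold: matched-event count that triggers an alert (integer > 0)
    group_by:  'company', 'endpoint' or 'user'
    period:    timedelta of activity data queried per run
    top_n:     at most this many targets are listed in the alert
    Returns {'alert': bool, 'targets': [(target, count), ...]}.
    """
    if not isinstance(threshold, int) or threshold < 1:
        raise ValueError("threshold must be an integer greater than 0")
    window_start = now - period
    counts = Counter()
    for ev in events:
        if not ev["matched"]:
            continue
        # The run looks back over (now - period, now].
        if not (window_start < ev["time"] <= now):
            continue
        key = {"company": "organization",
               "endpoint": ev["endpoint"],
               "user": ev["user"]}[group_by]
        counts[key] += 1
    hits = {k: c for k, c in counts.items() if c >= threshold}
    if not hits:
        return {"alert": False, "targets": []}
    # Keep only the targets with the most matched events (ties by name).
    targets = sorted(hits.items(), key=lambda kv: (-kv[1], kv[0]))[:top_n]
    return {"alert": True, "targets": targets}


def schedule_runs(events, first_run, last_run, frequency, **model):
    """Run the model every `frequency` from first_run to last_run.

    Returns a list of (run_time, result). When period > frequency the
    lookback windows overlap, so one burst of events can alert repeatedly.
    """
    runs = []
    t = first_run
    while t <= last_run:
        runs.append((t, evaluate_model(events, t, **model)))
        t += frequency
    return runs


def count_alerts(runs):
    return sum(1 for _, r in runs if r["alert"])


if __name__ == "__main__":
    model = dict(threshold=5, group_by="endpoint", period=timedelta(hours=1))
    start, end = datetime(2024, 1, 1, 9, 30), datetime(2024, 1, 1, 10, 30)
    for freq in (timedelta(minutes=15), timedelta(hours=1)):
        runs = schedule_runs(SAMPLE_EVENTS, start, end, freq, **model)
        print(f"frequency={freq}: {count_alerts(runs)} alert(s)")
        for when, r in runs:
            print(" ", when.time(), r)
```

Running the script shows three alerts at the 15-minute frequency (09:30, 09:45 and 10:00 all see the same five host-a events) and a single alert at the one-hour frequency. Switching `group_by` to `"user"` on the same data produces no alert at all, because no single account reaches five matches, which is why the grouping choice matters as much as the threshold when tuning a model.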