I would like to start creating custom rules, because right now the basic ones only provide authentication alerts. I was trying to create a custom alert like this:
where(connection_status=DENY) groupby(source_address) having(count>20) timeslice(3m)
Now, I read in the documentation that the having clause is not available in custom rules yet. Is there another way to create the custom alert I want?
Second thing, if anyone has custom rules to share, please share them with me. I know I'll have to modify them a bit to fit me, but still, just getting ideas of what can be done would be amazing.
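The logic the query above expresses (DENY events grouped by source, more than 20 within a 3-minute span), written out as a stand-alone Python check over constructed log lines; this is an added illustration, not part of the thread or the product, and it assumes a sliding 3-minute window and a simple "timestamp source status" line format rather than the product's own timeslice semantics:

```python
"""Threshold check: more than 20 DENY connections from one source within 3 minutes."""
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD = 20                  # having(count>20)
WINDOW = timedelta(minutes=3)   # timeslice(3m), treated here as a sliding window (assumption)


def parse_line(line):
    """Parse a constructed 'ISO-timestamp source_address connection_status' line."""
    ts, src, status = line.split()
    return datetime.fromisoformat(ts), src, status


def find_alerts(lines, threshold=THRESHOLD, window=WINDOW):
    """Return {source_address: peak_count} for every source whose DENY count
    inside some window of `window` length exceeds `threshold`."""
    per_source = defaultdict(list)
    for line in lines:
        ts, src, status = parse_line(line)
        if status == "DENY":            # where(connection_status=DENY)
            per_source[src].append(ts)  # groupby(source_address)
    alerts = {}
    for src, stamps in per_source.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:   # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            alerts[src] = peak
    return alerts


def sample_logs():
    """Constructed sample lines (not real data): one bursty source, one slow source, one allowed."""
    base = datetime(2024, 1, 1, 12, 0, 0)
    lines = []
    for i in range(25):   # 25 denies in two minutes -> should alert
        lines.append(f"{(base + timedelta(seconds=5 * i)).isoformat()} 10.0.0.5 DENY")
    for i in range(25):   # one deny per minute -> at most 4 per 3-minute window, no alert
        lines.append(f"{(base + timedelta(minutes=i)).isoformat()} 10.0.0.6 DENY")
    for i in range(30):   # ALLOW lines are filtered out by the where() condition
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} 10.0.0.7 ALLOW")
    return lines


if __name__ == "__main__":
    print(find_alerts(sample_logs()))  # {'10.0.0.5': 25}
```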
We are currently in Early Access with a new feature called Custom Detection Rules, which allows users to create alerts such as the one you mentioned above, effectively a thresholded count on the number of unique sources over a defined timespan.
We can get the early access enabled for your Org if you like.
I have an open case regarding this issue, and Tony from support proposed early access to me. Just waiting for his/her confirmation about it.
I'd appreciate it if you could promote it.