Custom Rules

Hello World,

I would like to start and creating custom rules, because right now the basic only provide authentication alerts.
I was trying to create a custom alert like this:
where(connection_status=DENY) groupby(source_address) having(count>20) timeslice(3m)

Now, I read on documentations that having clause is not available in custom rules yet. Is there another way to create the custom alert I want?

Second thing, if anyone has custom rules to share, please share with me. I know I’ll have to modify them a bit to fit me, but still, just to get the ideas of what can be done will be amazing.

Thank you all

Hi @diiluz ,

we are currently in Early access with a new feature called Custom Detection Rules, this allows users to create alerts such as the one you mentioned above, effectively a thresholded count on the number of unique sources over a defined timespan.

We can get the early access enabled for your Org if you like.


Hello David,

I would love to get early access.

Thank you,


would you mind raising a support case so as to ensure we enable this setting for the correct org.


I have an open case regarding this issue and Tony from support purpose to me an early access. Just waiting for his/her confirmation about it.
I’ll appreciate if you could promote it.

Thank you very much :slight_smile:

Ah thats great thanks, hopefully we’ll get that enabled ASAP