Trigger Workbench alerts based on user-defined event filters.

Custom Models (XDR Threat Investigation > Detection Model Management > Custom Models) lists your organization's custom detection models.
Custom models consist of:
  • Basic information
  • A user-defined custom filter
  • The number of events required to trigger an alert
  • How often to apply the filter query to activity data
  • Other parameters
The following table outlines the actions available in Custom Models:
Action
  Description

Add custom models
  Click Add to create a custom model.
  Important: You can create a maximum of 50 custom models.

Export custom models
  • To export all custom models, click the export button.
  • To export some custom models, select one or more models and click Export Selected Models.

Import custom models
  Click Add models and select Import from computer from the drop-down menu to import ZIP files.

Filter custom models
  Use the following options to locate specific models:
  • Severity: The severity level of the detection model
  • Status: The status of the detection model
  • Last updated: The period of time when the detection model was last updated
  • Search: Provides partial matching for the model ID, name, or filters

Enable or disable models
  Toggle to enable or disable the detection model.

Edit custom models
  Click the edit icon to edit a model.
  Important: Workbench alerts previously triggered by a custom model do not reflect changes to the model's name or description.

Delete custom models
  Select the models and click Delete.
  Deleting a custom model does not delete the custom filter used by the model.