Trigger Workbench alerts based on user-defined event filters.

Custom Models (XDR Threat Investigation > Detection Model Management > Custom Models) lists your organization's custom detection models.
Custom models consist of:
  • Basic information
  • A user-defined custom filter
  • The number of events required to trigger an alert
  • How often to apply the filter query to activity data
  • Other parameters
The following table outlines the actions available on Custom Models:
| Action | Description |
|---|---|
| Add a custom model | Click Add to create a custom model. Important: You can create a maximum of 50 custom models. |
| Filter custom models | Use the Search filters to locate specific detection models. Severity: the severity level of the detection model; Status: the status of the detection model; Last updated: the period of time when the detection model was last updated; Search: provides partial matching for the model ID, name, or filters. |
| Enable or disable a model | Toggle to enable or disable the detection model. |
| Edit a custom model | Click the edit icon for the model. Important: Workbench alerts previously triggered by a custom model do not reflect changes to the model's name or description. |
| Delete custom models | Select the models and click Delete. Deleting a custom model does not delete the custom filter used by the model. |