How to Create a Custom Strategy
Custom strategies allow you to tailor how the AI analyst interprets, investigates, and concludes on specific alert scenarios. This feature is essential for encoding your organization’s tribal knowledge, reducing false positives, and ensuring consistent outcomes for recurring situations.
1. Accessing Custom Strategies
To get started:
Navigate to the Settings section of the platform.
Select Custom Strategies from the menu.
Here, you’ll see a list of existing strategies as well as the option to create a new one.
2. Defining When the Strategy Applies
Each custom strategy is triggered by specific conditions. You can define these conditions using one or both of the following methods:
Scenario Description
Provide a plain-language description of the situation the strategy should apply to.
Example:
“User has an impossible travel alert”
This description helps the AI analyst understand the intent and context of the strategy.
Filters
Use structured filters to target a broad or narrow set of alerts. Common filter fields include:
Attack surface
MITRE tactic
Alert source
Insight tags
Examples:
All Microsoft Defender phishing alerts
Only Proofpoint phishing attempts
You can combine scenario descriptions and filters for more precise targeting.
3. Specifying Investigative Questions (Optional)
You may require the AI analyst to ask specific questions during the investigation phase. These questions ensure the investigation aligns with your organization’s unique requirements.
Examples:
“Did the user pass an MFA check?”
“Has this IP address been seen in the environment in the last 30 days?”
When defined, these questions are explicitly addressed as part of the investigation workflow.
4. Setting Analysis Guidance and Outcomes
Define how the AI analyst should conclude when the strategy matches.
Conclusion State
Force a specific outcome based on your policy:
Benign
Suspicious
Malicious
Example:
Always mark student video game detections as benign.
Priority (If Supported)
Assign a priority level to matched alerts.
Example:
Escalate all VIP executive alerts to Urgent.
Insight Tag Rules
Use insight tags (the meta-analysis tags attached to alerts) to further refine:
When the strategy applies
What outcome or priority should be enforced
5. Saving and Testing Your Strategy
Save the strategy. It will appear in your list of custom strategies.
Enable or disable the strategy as needed.
6. Best Practices
Use clear, plain language in scenario descriptions to make strategies easy to understand and maintain.
Regularly review and remove outdated strategies to ensure ongoing relevance and accuracy.
Pair custom strategies with context memory for optimal results:
Context memory stores facts.
Strategies encode conditional (“if/then”) logic.
Start with broader strategies and refine them over time as you observe outcomes and gather investigation feedback.
Example Use Cases
Automatically mark all alerts from a known vulnerability scanner IP as benign.
Escalate all suspicious login alerts for VIP users to urgent priority.
Require additional investigation steps for impossible travel scenarios.
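The filter-and-outcome model from sections 2 and 4, applied to the three use cases above, as an added illustration that is not the product's own code. The alert field names, the insight tag values, the sample alerts and the rule that a later strategy in the list wins when two matching strategies force conflicting outcomes are all assumptions.

```python
from dataclasses import dataclass, field
CONCLUSION_STATES = ("Benign", "Suspicious", "Malicious")

@dataclass
class Strategy:
    """One strategy: filters, insight-tag rules and the outcome to enforce (field names assumed)."""
    name: str
    filters: dict = field(default_factory=dict)  # alert field -> set of allowed values
    required_tags: frozenset = frozenset()       # insight tags that must all be present
    conclusion: str = ""                         # forced conclusion state, "" for none
    priority: str = ""                           # forced priority, "" for none
    questions: tuple = ()                        # investigative questions to require
    def __post_init__(self):
        if self.conclusion and self.conclusion not in CONCLUSION_STATES:
            raise ValueError(f"unknown conclusion state: {self.conclusion}")
    def matches(self, alert: dict) -> bool:
        # Every filter field must hold an allowed value; every required tag must be present.
        if any(alert.get(k) not in allowed for k, allowed in self.filters.items()):
            return False
        return self.required_tags <= set(alert.get("insight_tags", ()))

def evaluate(alert: dict, strategies: list) -> dict:
    """Apply all matching strategies; assumption: later list entries win on conflicts."""
    result = {"matched": [], "conclusion": "", "priority": alert.get("priority", "Normal"),
              "questions": []}
    for s in (s for s in strategies if s.matches(alert)):
        result["matched"].append(s.name)
        result["conclusion"] = s.conclusion or result["conclusion"]
        result["priority"] = s.priority or result["priority"]
        result["questions"] += [q for q in s.questions if q not in result["questions"]]
    return result

# Constructed strategies mirroring the example use cases above (not real configuration).
STRATEGIES = [
    Strategy("Scanner traffic is benign", required_tags=frozenset({"known-vuln-scanner"}),
             conclusion="Benign"),
    Strategy("VIP suspicious logins are urgent", filters={"attack_surface": {"Identity"}},
             required_tags=frozenset({"vip-user", "suspicious-login"}), priority="Urgent"),
    Strategy("Impossible travel needs extra checks", filters={"mitre_tactic": {"Initial Access"}},
             required_tags=frozenset({"impossible-travel"}),
             questions=("Did the user pass an MFA check?",
                        "Has this IP address been seen in the environment in the last 30 days?")),
]
# Constructed sample alerts, not real data.
SAMPLE_ALERTS = {
    "scanner": {"attack_surface": "Network", "mitre_tactic": "Discovery",
                "insight_tags": ["known-vuln-scanner"]},
    "vip_travel": {"attack_surface": "Identity", "mitre_tactic": "Initial Access",
                   "insight_tags": ["vip-user", "suspicious-login", "impossible-travel"]},
}
```

Calling `evaluate(SAMPLE_ALERTS["vip_travel"], STRATEGIES)` shows two strategies stacking on one alert: the priority is forced to Urgent and both investigative questions are required, while no conclusion state is forced.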
For additional guidance or troubleshooting, consult the in-platform documentation or reach out to your technical support contact.