Alerts are specific Leads that were marked as highly important and are recommended for triage by the security team.
📘 Note
To avoid overloading your mailbox with similar alerts, Alert Email notifications for Alerts have a built-in snoozing mechanism.
This means that if multiple alerts from the same detector are aggregated into one group in the SOC Queue, you'll only get an email notification for the first one generated.
When is a Lead considered an Alert?
Some detectors have default Alert Settings configured by the Hunters research group. This allows you to start working with the SOC Queue from day one.
In addition, Hunters allows you to fine-tune these settings in order to optimize your SOC Queue so it fits your security team's specific requirements.
You can determine when a lead will graduate into an alert on two levels:
Per detector - For each detector, you can determine from which confidence level the lead will become an alert.
Globally, for all detectors - You can define the global threshold from which all leads will become alerts. This is relevant only for leads without a detector-specific setting.
Define alert generation
Alert generation per detector
Each detector has two Alert Settings options:
Don’t generate alerts from leads: When selected, this detector will not generate alerts.
Generate alerts from leads with confidence greater than or equal to: This parameter determines the minimum confidence level required for a lead generated by this detector to be considered an Alert. For example, depending on the different enrichments and scoring flows applied, the same detector may generate leads with a confidence level of "Unlikely" as well as leads with a confidence level of "Very Likely". If the Confidence Threshold is set to "Likely", leads with a confidence level of "Unlikely" will not be marked as Alerts, while leads with a confidence level of "Very Likely" will be designated as Alerts.
To adjust alert generation per detector:
Navigate to Knowledge Center > Detectors.
Find the specific detector and click to open its settings.
The detector settings page opens. From the top of the page, click Edit detector.
Navigate to Scoring and Alert Generation.
Under the Create your alerts section, determine the new confidence level for generating alerts.
Click Apply from the top of the page.
Global alert generation
In addition to the per-detector settings, you can configure the Global Alerts Threshold, which sets the default confidence level at which any Lead without a detector-specific setting becomes an Alert.
❗️Global Setting
This is a global setting, and will update the setting for your entire organization.
To adjust global alert generation for all detectors without a specific setting:
Navigate to Security Operations > SOC Queue.
Click Queue Configuration.
Determine the new confidence level for generating alerts and click Set.
🚧 Attention
When alert settings change, the new settings will be applied retroactively:
If an existing lead is considered an alert due to the new settings, it will appear in the SOC Queue.
If an existing alert stops being considered an alert due to the new settings, it will disappear from the SOC Queue.
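The precedence between per-detector and global settings, the retroactive re-evaluation of existing leads, and the notification snoozing described above, modelled in Python as an added example (this is not the platform's own code). The ranking of the confidence levels, the absence of other levels, and grouping alerts by detector for the snooze are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Confidence levels named on the page; their ranking (and the absence of
# other levels) is an assumption made for this example.
CONFIDENCE_RANK = {"Unlikely": 0, "Likely": 1, "Very Likely": 2}

@dataclass(frozen=True)
class DetectorAlertSetting:
    min_confidence: Optional[str]  # None models "Don't generate alerts from leads"

@dataclass(frozen=True)
class Lead:
    lead_id: str
    detector: str
    confidence: str

def is_alert(lead, detector_settings, global_threshold):
    """A detector-specific setting always wins; the global threshold applies
    only to leads whose detector has no setting of its own."""
    if lead.confidence not in CONFIDENCE_RANK:
        raise ValueError(f"unknown confidence level: {lead.confidence!r}")
    setting = detector_settings.get(lead.detector)
    if setting is None:                   # no per-detector setting: use global
        threshold = global_threshold
    elif setting.min_confidence is None:  # alerts disabled for this detector
        return False
    else:
        threshold = setting.min_confidence
    return CONFIDENCE_RANK[lead.confidence] >= CONFIDENCE_RANK[threshold]

def rebuild_soc_queue(leads, detector_settings, global_threshold):
    """Re-evaluate every existing lead so a settings change applies
    retroactively: leads can enter or leave the SOC Queue."""
    return [l.lead_id for l in leads if is_alert(l, detector_settings, global_threshold)]

def first_alert_per_detector(leads, detector_settings, global_threshold):
    """Model the email snoozing, assuming alerts are grouped per detector:
    only the first alert in each group triggers a notification."""
    seen, notify = set(), []
    for l in leads:
        if l.detector not in seen and is_alert(l, detector_settings, global_threshold):
            seen.add(l.detector)
            notify.append(l.lead_id)
    return notify

# Constructed sample data, not taken from the page.
SETTINGS = {"det-A": DetectorAlertSetting("Likely"), "det-B": DetectorAlertSetting(None)}
LEADS = [Lead("L1", "det-A", "Unlikely"), Lead("L2", "det-A", "Likely"),
         Lead("L3", "det-A", "Very Likely"), Lead("L4", "det-B", "Very Likely"),
         Lead("L5", "det-C", "Likely"), Lead("L6", "det-C", "Very Likely")]
```

Lowering the global threshold from "Very Likely" to "Likely" pulls L5 (detector det-C, no specific setting) into the queue while the det-A and det-B results are unchanged.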
Recap
Alerts are leads of special significance. It is recommended to handle them as part of your security operations workflows.
Alerts can be generated by changing the global or the per-detector alert settings.
The logic to generate an alert is as follows: