Alerts are created when a lead reaches the alert generation threshold, deeming it worthy of your attention. The threshold is expressed as a confidence level: once a lead reaches the defined confidence level, an alert is created.
The threshold is different for each lead, depending on its detector settings and the global platform threshold.
Threshold types
The alert generation threshold can be separated into three types:
- Built-in threshold - Most detectors have a built-in alert generation threshold defined by Hunters, so that in most cases, you will be able to see alerts in the SOC Queue even without setting up your own threshold.
- Custom threshold - If the default threshold is not accurate enough, Hunters allows you to fine-tune these settings and define your own threshold to optimize your SOC Queue so it fits your security team's specific requirements. You can determine when a lead will graduate into an alert on two levels:
  - Per detector - For each detector, you can determine from which confidence level the lead will become an alert.
  - Globally, for all detectors - You can define the global threshold from which all leads will become alerts. This is relevant only for leads without a detector-specific setting.
Alert generation per detector
Each detector has its own set of Alert Settings, which include the following parameters:
- Enabled: When turned off, this detector will not generate alerts.
- Confidence Threshold: This parameter determines the minimum confidence level required for a lead generated by this detector to be considered an Alert. For example, depending on the different enrichments and scoring flows applied, the same detector may generate leads with a confidence level of "Unlikely" as well as leads with a confidence level of "Very Likely". If the Confidence Threshold is set to "Likely", leads with a confidence level of "Unlikely" will not be marked as Alerts, while leads with a confidence level of "Very Likely" will be designated as Alerts.
To adjust alert generation per detector:
- Navigate to Knowledge Center > Detectors.
- Find the specific detector and click to open its settings.
- Click Scoring and Alert Generation.
- Under the Create your alerts section, determine the new confidence level for generating alerts.
- Click Apply from the top of the page.
Global alert generation
In addition to the per-detector settings, you can configure the Global Alerts Threshold, which sets the default confidence level at which any lead that has no detector-specific setting will become an alert.
This is a global setting, and will update the setting for your entire organization.
To adjust global alert generation for all detectors without a specific setting:
- Navigate to Security Operations > SOC Queue.
- Click Set Alerts Threshold.
- Determine the new confidence level for generating alerts and click Set.
When alert settings change, the new settings will be applied retroactively:
- If an existing lead is considered an alert due to the new settings, it will appear in the SOC Queue.
- If an existing alert stops being considered an alert due to the new settings, it will disappear from the SOC Queue.
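The threshold resolution and retroactive re-evaluation described above, modelled as an added Python example (not Hunters code). The ordering of the three confidence levels named in this page, and the defaults used for a detector without its own Alert Settings entry, are assumptions of the example.

```python
from dataclasses import dataclass
from typing import List, Optional

# Ordered confidence scale. Only these three names appear in the doc; their
# ordering and the absence of further levels are assumptions of this example.
RANK = {name: i for i, name in enumerate(["Unlikely", "Likely", "Very Likely"])}

@dataclass
class DetectorAlertSettings:
    """Per-detector Alert Settings: Enabled plus an optional Confidence Threshold."""
    enabled: bool = True
    confidence_threshold: Optional[str] = None  # None -> fall back to the global threshold

@dataclass
class Lead:
    lead_id: str
    detector: str
    confidence: str

def is_alert(lead: Lead, settings: dict, global_threshold: str) -> bool:
    """Alert iff the detector is enabled and confidence >= its (or the global) threshold."""
    s = settings.get(lead.detector, DetectorAlertSettings())  # unknown detector: defaults
    if not s.enabled:
        return False
    threshold = s.confidence_threshold or global_threshold
    return RANK[lead.confidence] >= RANK[threshold]

def soc_queue(leads: List[Lead], settings: dict, global_threshold: str) -> List[str]:
    """Re-evaluate every existing lead, since threshold changes apply retroactively."""
    return sorted(l.lead_id for l in leads if is_alert(l, settings, global_threshold))

def queue_delta(leads, old_settings, old_global, new_settings, new_global):
    """Return (appeared, disappeared) lead ids after a settings change."""
    before = set(soc_queue(leads, old_settings, old_global))
    after = set(soc_queue(leads, new_settings, new_global))
    return sorted(after - before), sorted(before - after)

# Constructed sample data (not taken from any real tenant).
LEADS = [
    Lead("L1", "det-a", "Unlikely"),
    Lead("L2", "det-a", "Very Likely"),
    Lead("L3", "det-b", "Likely"),
    Lead("L4", "det-c", "Very Likely"),
]
SETTINGS = {
    "det-a": DetectorAlertSettings(confidence_threshold="Likely"),
    "det-b": DetectorAlertSettings(),               # no own threshold: global applies
    "det-c": DetectorAlertSettings(enabled=False),  # never alerts
}
print(soc_queue(LEADS, SETTINGS, "Likely"), queue_delta(LEADS, SETTINGS, "Likely", SETTINGS, "Very Likely"))  # ['L2', 'L3'] ([], ['L3'])
```

Raising the global threshold drops L3 from the queue while L2 stays, because det-a has its own threshold and ignores the global one; a disabled detector never alerts regardless of confidence.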
The lead generation process can be described as follows: