Hunters allows you to create custom scoring rules that change the Confidence level of leads. You can use them to control how leads appear in your system: whether a lead is ignored, whether its confidence is raised, and so on.
Custom scoring rules are applied per detector and can use both lead attributes and the results of Hunters' automatic investigation.
You can add more than one scoring rule per detector. Because several rules can match the same lead, the following action hierarchy settles conflicting rules and determines the priority of each rule.
Action | Effect | Priority |
---|---|---|
Ignore | If a lead matches an "ignore" rule, it is removed and is not processed further. | 1 |
Set | If a lead matches a "set confidence" rule, that confidence is final, with no further processing. Note: when multiple Set rules match a lead, the rule with the higher Confidence level takes priority. | 2 |
Increase/Decrease | These rules can complement one another in a layered approach, alongside Hunters' own scoring models, which can also increase or decrease the lead's score. | 3 |
Create a new custom scoring rule
You can create custom scoring rules directly through a lead seen in the system or from the Detectors page.
To create a new custom scoring rule:
Navigate to Knowledge Center > Detectors.
Hover over the detector for which you want to add a custom scoring rule and click Custom Scoring.
The detector's scoring rules will be displayed.
Click NEW RULE.
Fill in the following fields:
Name - give the rule an informative name.
Action - decide which action is performed when this rule applies. You can use the following actions:
Action | Description |
---|---|
Ignore | Ignore and prevent new and existing matching activity from generating leads |
Increase confidence | Increase the final confidence level by 1 |
Decrease confidence | Decrease the final confidence level by 1 |
Set confidence | Assign a constant confidence level (overrides all other scoring models) |
Define when the rule will be applied. Select the attribute, the operator, and the value. See a list of operators and functions below.
📘About Attribute selection
The Attribute dropdown list contains 2 types of attributes:
Attributes originating from the initial lead, for instance cs_agent_id.
Attributes that are added after the automatic investigation process is completed, such as local_host.agent_id.
Automatic investigation attribute names are structured as abc.xyz, while initial lead attribute names do not contain a dot. It's important to distinguish between the two, as some of the names can be similar. Selecting the appropriate attribute gives you greater accuracy in applying scoring rules. For instance, if you want your scoring rule to apply to leads in the initial phase, use the initial lead attributes. If you want to use the automatic investigation data to influence the score, use the automatic investigation attributes.
Note that automatic investigation attributes introduce a delay in applying the custom scoring rule, as they can be evaluated only after the automatic investigation process is complete.
Define on which data timeframe to run the rule.
Click the play button to test the rule and adjust the definitions if needed.
Once done, click Apply rule.
🚧 Attention
If a custom Ignore rule is based on entities, it is applied during the Advanced Automatic Investigation step, after a lead and an alert have already been created. This results in the following message: "As a result of a custom scoring rule, the lead was not further investigated and was removed."
Such a lead remains accessible only through a direct link, so that the context of the attack is preserved.
Learn more about Automatic Investigation.
📘Learn more
You can create a custom scoring rule straight from the lead, by clicking the arrow next to the lead attribute and then clicking Add Custom Scoring.
Operators and functions
Use the below operators to define when the rule will be applied.
Operator | Function | Example |
---|---|---|
LIKE (case insensitive) | Include only rows with attributes that are similar to the specified value, regardless of the letter case. | To apply the rule when the target file path includes the term 'Audit', use: |
LIKE | Include only rows with attributes that are similar to the specified value. Allows searching for patterns instead of full equality using the symbol %. | To apply the rule when the target file path includes the term 'audit', use: |
NOT LIKE | Include only rows with attributes that are not similar to the specified value. | To apply the rule when the target file path does not include the term 'audit', use: |
INCLUDES | Include only rows with attributes that include the specified value as part of a list. | To apply the rule when a specific cloud awareness event type appears, use: |
MATCHES REGEX | Include only rows with attributes that match the specified regular expression (in Python flavor). | |
IS ONE OF | Include only rows with attributes that are part of the specified list. | To apply the rule when the target file path contains either '\ProgramData' or '\Users\Public' or '\Desktop', use: |
IS EMPTY | Include only rows with attributes with an empty (null) value. | To apply the rule when there is no value for the destination port field, use: |
IS NOT EMPTY | Include only rows with attributes with any value, which isn't empty (null). | To apply the rule when there is a value for the destination port field, use: |
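The following Python model, added here as an illustration and not Hunters' own code, ties together the action hierarchy from the first table (Ignore beats Set, which beats Increase/Decrease; among several matching Set rules the higher level wins) and the operators from the table above. It also defers rules that reference dotted automatic-investigation attributes until the investigation is marked complete, mirroring the delay described in the attribute-selection note. The four-level confidence scale, the lead attribute names other than cs_agent_id and local_host.agent_id, the sample lead and rules, and the exact operator semantics beyond the table's one-line descriptions (for example treating '%' as a wildcard in the case-insensitive LIKE, and exact membership for IS ONE OF) are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Any, Optional

# Ordered confidence scale; the page does not list the levels, so this is an assumption.
CONFIDENCE_LEVELS = ["low", "medium", "high", "critical"]


@dataclass
class Rule:
    name: str
    action: str                       # ignore | set | increase | decrease
    attribute: str                    # e.g. "cs_agent_id" or "local_host.agent_id"
    operator: str                     # one of the keys of OPERATORS below
    value: Any = None                 # comparison value (pattern, list item, list, ...)
    confidence: Optional[str] = None  # target level; used only by the "set" action


def _like(text: Any, pattern: str, case_sensitive: bool) -> bool:
    """SQL-style LIKE: '%' matches any run of characters (assumed for both variants)."""
    regex = ".*".join(re.escape(part) for part in str(pattern).split("%"))
    flags = 0 if case_sensitive else re.IGNORECASE
    return text is not None and re.fullmatch(regex, str(text), flags) is not None


def _is_empty(value: Any) -> bool:
    return value is None or value == "" or value == []


# Operator names follow the page's table; NULL attributes never satisfy LIKE/NOT LIKE.
OPERATORS = {
    "like (case insensitive)": lambda v, p: _like(v, p, False),
    "like": lambda v, p: _like(v, p, True),
    "not like": lambda v, p: v is not None and not _like(v, p, True),
    "includes": lambda v, p: isinstance(v, list) and p in v,
    "matches regex": lambda v, p: v is not None and re.search(p, str(v)) is not None,
    "is one of": lambda v, p: v in p,
    "is empty": lambda v, _p: _is_empty(v),
    "is not empty": lambda v, _p: not _is_empty(v),
}


def is_investigation_attribute(name: str) -> bool:
    """Automatic-investigation attributes are dotted (abc.xyz); initial lead attributes are not."""
    return "." in name


def rule_matches(lead: dict, rule: Rule) -> bool:
    if rule.operator not in OPERATORS:
        raise ValueError(f"unknown operator {rule.operator!r}")
    return bool(OPERATORS[rule.operator](lead.get(rule.attribute), rule.value))


def score_lead(lead: dict, rules: list, model_confidence: str,
               investigation_complete: bool = True):
    """Apply the hierarchy and return (ignored, final_confidence, deferred_rule_names).

    Rules on investigation attributes are deferred until the automatic
    investigation has completed, which is the delay the page describes."""
    deferred = [r.name for r in rules
                if not investigation_complete and is_investigation_attribute(r.attribute)]
    matched = [r for r in rules if r.name not in deferred and rule_matches(lead, r)]

    # Priority 1: any matching Ignore rule removes the lead outright.
    if any(r.action == "ignore" for r in matched):
        return True, None, deferred

    # Priority 2: Set rules end processing; the highest level among them wins.
    set_rules = [r for r in matched if r.action == "set"]
    if set_rules:
        best = max(set_rules, key=lambda r: CONFIDENCE_LEVELS.index(r.confidence))
        return False, best.confidence, deferred

    # Priority 3: Increase/Decrease rules are layered on top of the model's confidence.
    level = CONFIDENCE_LEVELS.index(model_confidence)
    for r in matched:
        level += 1 if r.action == "increase" else -1 if r.action == "decrease" else 0
    level = max(0, min(len(CONFIDENCE_LEVELS) - 1, level))
    return False, CONFIDENCE_LEVELS[level], deferred


# Constructed sample lead (not real data): initial attributes plus one dotted
# automatic-investigation attribute.
SAMPLE_LEAD = {
    "cs_agent_id": "agent-0001",
    "target_file_path": r"C:\Users\Public\Audit_export.csv",
    "destination_port": None,
    "event_types": ["CloudAwareness", "ConsoleLogin"],
    "local_host.agent_id": "agent-0001",
}

# Constructed sample rules: two increases on initial attributes, one decrease on an
# investigation attribute.
SAMPLE_RULES = [
    Rule("audit file in public folder", "increase", "target_file_path",
         "like (case insensitive)", "%audit%"),
    Rule("no destination port", "increase", "destination_port", "is empty"),
    Rule("known scanner host", "decrease", "local_host.agent_id",
         "is one of", ["agent-0001"]),
]

if __name__ == "__main__":
    print(score_lead(SAMPLE_LEAD, SAMPLE_RULES, "medium"))
    print(score_lead(SAMPLE_LEAD, SAMPLE_RULES, "medium", investigation_complete=False))
```

Running the sample with the investigation complete yields "high" (medium, +1, +1, -1), while running it before the investigation completes defers the dotted-attribute rule and yields "critical"; that difference is exactly why the attribute-selection note asks you to pick the attribute namespace deliberately.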