Solved

How do I differentiate between Accurate and Broad mode alerts for curated rules

  • March 17, 2025
  • 2 replies
  • 76 views

chicoqueiroga

Maybe it's a simple question, but I'm not getting a straight answer.

I have a Google base rule enabled in one environment. By enabling a rule in both modes (Precise and Broad) I'm receiving detections, but how do I identify the mode from which the alert originated? Should I look at a specific field when querying the detection via API?

Best answer by _K_O

2 replies

_K_O
  • Bronze 5
  • Answer
  • March 18, 2025

Hey @chicoqueiroga,

In general, the rule sets will show both precise and broad for the enabled rules and alerting categories (if you enabled them):

Based on the Rule set, you can go into the Dashboard to view the distinct rules associated with the set. These should only have a broad OR precise tag associated with the specific detection vs the entire rule set. 

Rule sets can have broad and precise rules enabled even if the individual detections within the set only have one type of rule available (e.g. only Precise rules are actually available). 

As an example, the Windows Threats - Initial Access rule set has both precise and broad enabled:

 

However, if you dive deeper into the rule set, you can see that there is only a single precise rule available within the ruleset at this time:

Hope this helps!

chicoqueiroga
  • Author
  • Bronze 2
  • March 18, 2025

Thank you @_K_O!