Maybe it's a simple question, but I'm not getting a straight answer.

I have a Google base rule enabled in one environment. By enabling a rule in both modes (Precise and Broad) I'm receiving detections, but how do I identify the mode from which the alert originated? Should I look at a specific field when querying the detection via API?

Hey @chicoqueiroga,

In general, the rule sets will show both precise and broad for the enabled rules and alerting categories (if you enabled them):

Based on the Rule set, you can go into the Dashboard to view the distinct rules associated with the set. These should only have a broad OR precise tag associated with the specific detection vs the entire rule set.

Rule sets can have broad and precise rules enabled even if the individual detections within the set only have one type of rule available (e.g. only Precise rules are actually available).

As an example, the Windows Threats - Initial Access rule set has both precise and broad enabled:

However, if you dive deeper into the rule set, you can see that there is only a single precise rule available within the ruleset at this time:

Hope this helps!

Thank you @_K_O!