Question

Precise vs Broad in “Anomalous Network Bytes Outbound”: What Actually Drives Alerting?

  • June 2, 2026
  • 5 replies
  • 53 views

melissagr

Hi everyone,

I’m currently testing the built-in Risk Analytics for UEBA rules in Google SecOps, specifically around Anomalous Network Bytes Outbound detections.

While configuring the rule set, I noticed that there are two modes available: Precise and Broad, and I’d like to make sure I fully understand how they behave in practice.

From what I’ve observed so far:

  • Precise seems to generate fewer alerts and is likely more strict (lower noise); in my case it hasn't generated any alert yet.
  • Broad appears to be more sensitive and potentially noisier.
  • A rule only generates alerts if both Status = Enabled and Alerting = ON (both Broad and Precise).
  • Even when Broad is disabled, I still see rules marked with a “B” (Broad) in the UI, and alerting is off.

I had a few questions to confirm my understanding:

  • Does the “B” label simply indicate the rule variant, regardless of whether it is enabled?
  • When only Precise is enabled, can I safely assume that only that version is actively generating alerts?
  • In a given rule set, are Precise and Broad truly separate detection logics, or is Broad just an extension of the same logic with looser thresholds?

Any clarification or feedback from others using these rules in production would be really helpful.

Thanks a lot!

5 replies

melissagr
  • Author
  • Bronze 5
  • June 2, 2026

Additionally, I noticed something confusing:

When only Precise is enabled (Alerting ON) and Broad is disabled, the rule appears active in settings, but in the main view it sometimes still shows Alerting = OFF.

If I enable Broad again, it switches back to ON.

Is the alerting status in the main view reflecting a global rule set state?
Can Precise generate alerts independently?


Could someone help me with that, please?


jstoner
Community Manager
  • Community Manager
  • June 2, 2026

Let me start by touching on the difference between enabled and alerting and then move to Broad vs Precise and your bulleted questions.

Enabling a rule means the rule is “Live”. This means that the rule (or rules, if we are talking about an entire rule pack) is being considered by SecOps against your events streaming into the platform. If the rule logic is met by events, a detection is created.

A detection does NOT mean that the analyst will get an item in their queue to work, but it means a detection has been created. You can view detections in the platform, analyze them and then determine that you are ready to place detections generated by this rule in front of an analyst; then we can toggle that rule (or entire rule pack) to alert.

This separation makes it possible to generate detections for validation before adding to the analyst load, but it is also a key part of composite rules, which are basically rules based on a set of detections versus events.

With that background around Enabled and Alerting, let’s go through the questions you had.

  • Does the “B” label simply indicate the rule variant, regardless of whether it is enabled?

P and B are a classification of each rule, and your commentary about the signal-to-noise ratio and the intent around that is correct. It has nothing to do with being enabled.

  • When only Precise is enabled, can I safely assume that only that version is actively generating alerts?

If you choose to turn on just Precise rules, that would result in fewer detections, but in theory they should be giving you the most important and good-fidelity detections. Toggling alerting on for Precise rules would generally seem like a good next step, but if you think that Precise rules are creating too many alerts, then tuning them via exclusions is another way to right-size the volume.

  • In a given rule set, are Precise and Broad truly separate detection logics, or is Broad just an extension of the same logic with looser thresholds?

You would have to look at the rules individually to assess that, but we really aren’t writing a bunch of rules that are like Precise is >9 and Broad is >6. There are also instances where rules will graduate from Broad to Precise as additional testing and telemetry is available or as rules are refined.

  • When only Precise is enabled (Alerting ON) and Broad is disabled, the rule appears active in settings, but in the main view it sometimes still shows Alerting = OFF.

Again, enabled and alerting are distinct from one another, but a rule pack could be set to Precise is enabled and alerting and Broad is disabled and not alerting. The new unified rules interface, which is where the yellow toggle you have above originated from, gives you the ability to set a rule pack that might cover 8 rules (for instance), but that interface allows you to have more granularity for individual rules within that pack. For instance, I have 4 Precise and 4 Broad and I want the 4 Precise to be enabled and alerting, and I want three Broad to be enabled, but only one of those alerting and the fourth disabled. Setting something like this might show something like what you have above. If you go through the rule pack and the unified rule view and see a mismatch, it is possible there is a bug there that needs to be addressed.

  • Is the alerting status in the main view reflecting a global rule set state?

Not sure what the main view is, but alerting for curated detections is at a rule pack level or an individual rule level; there is no “turn alerting on for all rules” toggle. You can select multiple rule packs in the curated detections page to enable multiple packs at once, but again you choose the status and alerting state.

  • Can Precise generate alerts independently?

All alerts with the new unified rule interface can be toggled to alerting on independently of the rule pack.

Hope that helps.



melissagr
  • Author
  • Bronze 5
  • June 2, 2026

Hey again @jstoner,
Thanks a lot for the detailed explanation, super helpful.

I think I may still be missing something specific in my case.

For the rule set “Anomalous Network Bytes Outbound”:

  • In Settings, I have:
    • Precise → Enabled + Alerting ON
    • Broad → Disabled
  • But in the main Curated Detections view (the list of rule sets), it still shows:
    Alerting = OFF


By “main view”, I mean the rule set overview page (where all rule packs are listed, like in the screenshot I shared).

So my question is:

  • Should I expect alerts to be generated in this configuration (Precise only)?
  • Or does the “Alerting = OFF” in the main view indicate that no alerts will actually be sent?

Just trying to understand which view reflects the effective alerting behavior.

Thanks again!


jstoner
Community Manager
  • Community Manager
  • June 3, 2026

Thanks for the extra context. That rule pack looks like it has 4 rules within it and all of them are classified as broad, based on the B in the top right corner of each. It is possible that a rule pack only has precise or only broad rules depending upon the rule writers and their testing.


gkush
Staff
  • Staff
  • June 3, 2026

@melissagr it looks like you’re showing two different screenshots, one from the Content Hub and the other from the Curated Detections page. The answer to why one thing and not another is actually in the screenshots: your Settings from the Curated Detections are enabled only for Precise rules, whereas you drew a red box around the item from the Marketplace. Notice the “B” in the corner? That listing of rules is “Broad”.


There’s no conflict, it’s just that you have two different views. The Broad rules are off because you didn’t enable Broad rules in the Curated Detections.

My own advice is to turn all Broad rules on as non-alerting and then monitor them. You can turn on alerts for non-noisy Broad rules. Meanwhile, you can use Composite Detections to further refine on the Broad rules, figuring out a threshold at which point you get an alert: like more than X detections in an hour, or more than X rules and an entity risk score greater than Y, or N number of diverse MITRE tags within a period of time (hours/days).

 

I like to play around with these in Dashboards. I took all detections with MITRE tags, figured out the Z-score for the number of detections per entity, and mapped it out by day where the Z-score is greater than 1.

So there are lots of ways to play with Broad detections without getting into Alerts, or to figure out how to alert when something less noisy/more correlated happens.
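The two approaches described in the reply above (a composite-style threshold over Broad detections, and a Z-score over per-entity detection counts by day) as an added Python example. This is not code from the original thread and not Google SecOps or YARA-L code; it runs over constructed sample detections. The rule names and MITRE tags are illustrative placeholders, and the Z-score is computed, as an assumed interpretation of the approach, over all entity-day counts with the population standard deviation.

```python
# Added example (not Google SecOps code, not the thread's own code): two ways to
# get signal out of noisy "Broad" detections without alerting on each one:
#   1. composite-style threshold: at least N detections from one entity inside a
#      one-hour window that together carry at least M distinct MITRE tags;
#   2. Z-score over daily detection counts per entity, flagging entity-days whose
#      count sits more than one standard deviation above the mean.
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed sample detections: (timestamp, entity, rule name, MITRE tag).
# Rule names and tags are placeholders, not real curated-rule identifiers.
SAMPLE_DETECTIONS = [
    ("2026-06-01T09:00:00", "host-a", "broad_bytes_out", "T1041"),
    ("2026-06-02T09:05:00", "host-a", "broad_bytes_out", "T1041"),
    ("2026-06-01T11:00:00", "host-b", "broad_dns_volume", "T1048"),
    ("2026-06-02T11:30:00", "host-b", "broad_dns_volume", "T1048"),
    ("2026-06-01T08:00:00", "host-c", "broad_bytes_out", "T1041"),
    ("2026-06-02T10:00:00", "host-c", "broad_bytes_out", "T1041"),
    ("2026-06-02T10:10:00", "host-c", "broad_dns_volume", "T1048"),
    ("2026-06-02T10:20:00", "host-c", "broad_bytes_out", "T1041"),
    ("2026-06-02T10:45:00", "host-c", "broad_c2_beacon", "T1071"),
    ("2026-06-02T14:00:00", "host-c", "broad_bytes_out", "T1041"),
]


def parse(detections):
    """Turn raw tuples into dicts with real datetimes, sorted by time."""
    rows = [
        {"ts": datetime.fromisoformat(ts), "entity": ent, "rule": rule, "tag": tag}
        for ts, ent, rule, tag in detections
    ]
    return sorted(rows, key=lambda r: r["ts"])


def composite_hits(detections, window=timedelta(hours=1), min_count=3, min_tags=2):
    """Composite-style threshold: report one hit per burst when an entity has at
    least `min_count` detections inside `window` carrying at least `min_tags`
    distinct MITRE tags. After a hit the scan skips past the burst so a single
    burst does not produce several overlapping hits."""
    by_entity = defaultdict(list)
    for row in parse(detections):
        by_entity[row["entity"]].append(row)
    hits = []
    for entity, rows in by_entity.items():
        i = 0
        while i < len(rows):
            start = rows[i]["ts"]
            j = i
            while j + 1 < len(rows) and rows[j + 1]["ts"] - start <= window:
                j += 1
            burst = rows[i : j + 1]
            tags = {r["tag"] for r in burst}
            if len(burst) >= min_count and len(tags) >= min_tags:
                hits.append({"entity": entity, "start": start,
                             "count": len(burst), "tags": sorted(tags)})
                i = j + 1  # move past this burst
            else:
                i += 1
    return hits


def daily_counts(detections):
    """Count detections per (entity, day)."""
    counts = defaultdict(int)
    for row in parse(detections):
        counts[(row["entity"], row["ts"].date().isoformat())] += 1
    return dict(counts)


def zscore_outliers(detections, threshold=1.0):
    """Z-score every entity-day count against the mean and population standard
    deviation of all entity-day counts (assumed interpretation of the Z-score
    dashboard in the thread) and return the entity-days above `threshold`,
    highest Z first."""
    counts = daily_counts(detections)
    values = list(counts.values())
    mu, sigma = mean(values), pstdev(values)
    if sigma == 0:  # every entity-day identical: nothing stands out
        return []
    return sorted(
        [(entity, day, (n - mu) / sigma) for (entity, day), n in counts.items()
         if (n - mu) / sigma > threshold],
        key=lambda t: -t[2],
    )


if __name__ == "__main__":
    for hit in composite_hits(SAMPLE_DETECTIONS):
        print("composite hit:", hit)
    for entity, day, z in zscore_outliers(SAMPLE_DETECTIONS):
        print(f"z-score outlier: {entity} on {day}, z={z:.2f}")
```

On the sample data only host-c trips either check: its four detections between 10:00 and 10:45 on 2026-06-02 carry three distinct tags and form one composite hit, and its five detections that day score about 2.24 standard deviations above the mean of all entity-days, while every other entity-day is below the threshold. Thresholds, window size and the tag-diversity requirement are the knobs to tune against your own Broad detection volume before turning alerting on.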