Alerting workflows
Alerting rules are built on the same rich language as the search queries, allowing you to start your workflow from any major type of IoC, used individually or in combination. For more flexibility, alerting adds support for regular expressions to this language. Alerting rules are explained further in the Matching rules page. To manage alerting rules, you must have the permissions described in Alerting permissions.
Alerting rules are deployed and matched as part of the indexing process, giving matching full visibility into the analysis results. Rule matches are reported through different channels. You have direct access to the matching history through the User Portal as described in Matching results page. You can also configure different proactive notification types depending on how you want to process the data as described in Rule notifications.
The flexibility brought by regular expressions, combined with the notification capabilities, opens up new use cases that complement the workflows provided by the search service.
- Targeted Attacks Awareness: The analysis results provided by VMware NSX Network Detection and Response offer great visibility, in particular at execution time, when data is loaded into memory. You can leverage this visibility through alerting in order to monitor for company assets and understand whether your company is being targeted. Example assets are domain names, email addresses, and names of executable clients. From the rule matches, you gain access to the samples targeting your company along with contextual information such as the threat name.
- Sample Hunting: If you are interested in particular samples that exhibit specific IoCs or use particular techniques, you can use alerting to hunt for them. Through alerting, you can generate feeds of samples that satisfy certain criteria, for example, ransomware samples using bitcoin wallets. These can be captured in alerting using the appropriate regular expression. Similarly, when searches are unsuccessful because samples might not be available yet, you can be automatically alerted when new samples become available without running a periodic search.
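The two workflows above, as an added illustration rather than the product's own rule language: a small Python matcher applies regular-expression rules, each bound to one IoC type, to constructed analysis results and returns each hit with the threat name as context. The rule tuple shape, the asset names (example.com, example-vpn-client.exe) and the sample records are assumptions made for this example.

```python
import re

# Constructed analysis result for one sample: IoC values grouped by the IoC
# types the page names, plus the threat name a match reports as context.
SAMPLE_RESULT = {
    "sample_id": "constructed-sample-01",
    "threat_name": "Example.Ransomware",
    "iocs": {
        "domain": ["update.example.com", "cdn.unrelated-cdn.net"],
        "email": ["finance@example.com"],
        "executable": ["svchost.exe", "example-vpn-client.exe"],
        "memory_string": ["Send 0.5 BTC to 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"],
    },
}

# Constructed result for a sample that references none of the assets.
CLEAN_RESULT = {
    "sample_id": "constructed-sample-02",
    "threat_name": "Example.Adware",
    "iocs": {"domain": ["ads.unrelated-cdn.net"], "memory_string": ["no wallet here"]},
}

# Each rule is (name, IoC type, regular expression). The tuple form and the
# asset names are hypothetical; example.com stands in for the company domain.
RULES = [
    # Targeted-attack awareness: the company's own assets.
    ("company-domain", "domain", r"(?i)(^|\.)example\.com$"),
    ("company-mailbox", "email", r"(?i)@example\.com$"),
    ("company-client", "executable", r"(?i)^example-vpn-client\.exe$"),
    # Sample hunting: a Bitcoin address (legacy Base58 or bech32) in memory,
    # the "ransomware using bitcoin wallets" case from the text.
    ("btc-wallet", "memory_string",
     r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{39,59})\b"),
]

def match_rules(result, rules):
    """Apply every rule to the IoC values of its type; return one record per
    hit carrying the rule name, the IoC, the matched text and threat context."""
    hits = []
    for name, ioc_type, pattern in rules:
        regex = re.compile(pattern)
        for value in result["iocs"].get(ioc_type, []):
            m = regex.search(value)
            if m:
                hits.append({"rule": name, "ioc_type": ioc_type, "value": value,
                             "matched": m.group(0),
                             "sample_id": result["sample_id"],
                             "threat_name": result["threat_name"]})
    return hits
```

Because the wallet rule reports only the matched substring, the feed of hits doubles as an extracted-IoC list for the samples it catches.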