Lookout rules flag specific vendor alerts, or signals, that the SOC analysts want to look at more closely in your environment. A lookout match is not necessarily a threat, but it always needs to be evaluated. For example, SOC analysts can create lookouts for specific users in your environment who may be targeted because of recent press coverage.
Lookout rules come in three types:
- Always Expel alert: If a vendor alert matches this rule, Ruxie generates a new Expel alert.
- Add to: Ruxie adds Expel alerts that match this rule to an existing investigation or incident.
- Always Expel alert & add to: If a vendor alert matches this rule, Ruxie generates a new Expel alert and adds that new Expel alert to an existing investigation or incident.
Like suppressions, lookouts are created by SOC analysts both for your specific environment and for all customers.
You can view lookouts by selecting Detections > Lookouts.
You can only view lookouts here; you can't edit or change any of them. If you have a question about a lookout, disagree with it, or want it removed, select Copy link to rule and paste the link into a message to us.
On this screen, you see the following:
- Along the top of the screen, you can use the lists to filter and sort the lookouts you view.
- Active: these green lookouts are active for your environment. If the SOC analysts created the lookout for all customers, that is shown at the top of the lookout. The rest of the screen shows the specific rules for this lookout. Lookouts can be very specific, and the matching logic can be quite complicated.
- Expired: these grey lookouts are inactive for your environment.