How do I write my own detections?
You can use the Push platform to write your own custom detections by creating rules in YAML format using the Custom detections option on the Controls page of the Push admin console.
Custom detections allow you to target browser-based threats or use cases specific to your organization. Custom detections can be created to target specific elements of the page DOM, as well as HTTP requests and responses.
How to create a custom detection
From the Controls page, select Custom detections and click Add detection.
Enter a Detection event name. This is the name that appears on detection events when you open a custom detection on the Detections page. Push automatically generates a Detection event type from the name you choose. For example, if you name the detection ‘CSS selector,’ the detection event type will be CUSTOM_CSS_SELECTOR. You can also use this value to filter webhook events.
Note that the detection name cannot be edited after creation. To rename a detection, delete it and recreate it with the new name.

Then enter your rule configuration in YAML format in the Rule configuration field. Refer to our developer docs for the supported format and examples.
Then configure at least one control rule to determine the scope and mode of the detection.
Finally, save the configuration. Push will validate your configuration and show an error if any rules are invalid.
Note: A team can have up to 50 custom detections. Each detection supports up to 100 rules in its configuration and the configuration must not exceed 10 KB.
How to create a control rule
Control rules define which employees the detection applies to and what happens when it fires. Rules are evaluated in order, and the first matching rule applies.
For custom detections, you can configure rules for Mode (Monitor, Warn, or Block); Severity (Low, Medium, High, or Critical); and Scope (all employees, employee groups, or specific individuals).
For Warn and Block modes, you can configure your own custom text for the warn or block page.

When testing a rule for the first time, you may wish to narrow the scope to a test group.
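The first-match ordering described above, as an added example (not Push's code or configuration format): the `ControlRule` fields, group name and addresses are constructed assumptions. It shows how a broad rule placed first keeps a narrower test-group rule from ever applying, and how to spot that before saving.

```python
from dataclasses import dataclass

# Hypothetical model of a control rule; field names are assumptions,
# not Push's configuration schema.
@dataclass(frozen=True)
class ControlRule:
    mode: str         # "Monitor", "Warn" or "Block"
    severity: str     # "Low", "Medium", "High" or "Critical"
    scope: str        # "all", "group" or "individual"
    target: str = ""  # group name or employee address; unused for "all"

def matches(rule, employee, groups):
    """True if the rule's scope covers this employee."""
    if rule.scope == "all":
        return True
    if rule.scope == "group":
        return rule.target in groups.get(employee, set())
    return rule.scope == "individual" and rule.target == employee

def effective_index(rules, employee, groups):
    """Index of the first matching rule in list order, or None."""
    for i, rule in enumerate(rules):
        if matches(rule, employee, groups):
            return i
    return None

def shadowed_rules(rules, groups):
    """Indexes of rules that never apply to any employee in `groups`
    because an earlier rule always matches first."""
    reached = {effective_index(rules, e, groups) for e in groups}
    return [i for i in range(len(rules)) if i not in reached]

# Constructed sample data: one tester, one ordinary employee.
GROUPS = {"alice@example.com": {"detection-testers"}, "bob@example.com": set()}
BROAD_FIRST = [
    ControlRule("Monitor", "Low", "all"),
    ControlRule("Block", "High", "group", "detection-testers"),
]
NARROW_FIRST = list(reversed(BROAD_FIRST))

if __name__ == "__main__":
    for name, rules in (("broad first", BROAD_FIRST), ("narrow first", NARROW_FIRST)):
        for employee in GROUPS:
            rule = rules[effective_index(rules, employee, groups=GROUPS)]
            print(name, employee, rule.mode, rule.severity)
        print(name, "shadowed rule indexes:", shadowed_rules(rules, GROUPS))
```

With the all-employees rule first, the test-group Block rule is reported as shadowed; with the order reversed, only the test group is blocked and everyone else stays in Monitor.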
Viewing and consuming custom detections
Events for custom detections appear on the Detections page. You can filter by Detection type using the dropdown option.
To consume custom detections into your SIEM, SOAR, or other downstream system, enable Custom detection via the Push webhooks.