Custom Threat Models (Enterprise)
Custom Threat Models are Enterprise-only detection rules that let you go beyond LiteSOC's built-in detectors. You define exactly what constitutes a threat for your application — LiteSOC evaluates every incoming event against your rules in real time.
What Makes a Custom Threat Model?
Every rule has five parts:
| Field | Description | Example |
|---|---|---|
| Event Type | The primary event to watch. Supports wildcards. | auth.login_failed or auth.* |
| Condition | JSONB filter applied to matching events | See Condition Reference |
| Threshold | How many matching events trigger a detection | 5 |
| Time Window | Rolling window in minutes to count events | 10 |
| Severity | Alert severity when triggered | critical, high, medium, low |
Optional: FOLLOWED BY (Chained Events)
For multi-step attack patterns, you can add a second event type that must be observed after the first threshold is crossed:
| Field | Description | Example |
|---|---|---|
| Chained Event Type | The event that must follow | auth.login_success |
| Chain Time Window | Max minutes between primary and chained event | 15 |
When both conditions are met — e.g. 5 failed logins followed by a successful login within 15 minutes — LiteSOC fires a CRITICAL "Account Compromise Detected" alert, regardless of the configured severity. The detection correlates the chained event to the same actor or IP that triggered the primary threshold.
How Rules Are Evaluated
Rules are evaluated in-memory on every worker batch (runs every 30 seconds). LiteSOC never performs database-side JSON filtering for evaluation — the entire condition tree is resolved in Node.js against the live event batch, making evaluation extremely fast even for complex nested logic.
Redis counters track rolling counts per (orgId, modelId) key, automatically expiring after the configured time window. Sentinel keys for chained rules carry a TTL equal to the chain time window, ensuring no state ever persists beyond 24 hours.
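The rule shape and evaluation flow described above, as an added example in Node.js that is not LiteSOC's own code: one rule with a condition filter, a threshold over a rolling window and a FOLLOWED BY chain is evaluated against a constructed batch of events. The rule field names, the interpretation of the JSONB condition as a recursive subset match, the `CounterStore` class standing in for Redis keys with a TTL, and the choice to key the chain sentinel to the actor (or IP) whose event crossed the threshold are all assumptions made for this example.

```javascript
// Added example, not LiteSOC's own code: a minimal in-memory evaluator for a
// custom threat model. Rule shape, helper names and CounterStore are assumptions
// standing in for LiteSOC's real rule schema and its Redis counters.

// Constructed rule: 5 failed web logins within 10 minutes, FOLLOWED BY a
// successful login from the same actor within 15 minutes.
const rule = {
  id: 'model-42',                            // constructed model id
  orgId: 'org-1',                            // rules are scoped to one tenant
  eventType: 'auth.login_failed',
  condition: { meta: { source: 'web' } },    // subset match against the event
  threshold: 5,
  windowMinutes: 10,
  severity: 'high',
  chainedEventType: 'auth.login_success',
  chainWindowMinutes: 15,
};

// Event-type match with a trailing wildcard: 'auth.*' matches 'auth.login_failed'.
function matchEventType(pattern, type) {
  if (pattern === type) return true;
  return pattern.endsWith('.*') && type.startsWith(pattern.slice(0, -1));
}

// Recursive subset match: every key in the condition must equal the event's value.
function matchCondition(cond, value) {
  if (cond === null || typeof cond !== 'object') return cond === value;
  if (value === null || typeof value !== 'object') return false;
  return Object.keys(cond).every((k) => matchCondition(cond[k], value[k]));
}

// Stand-in for Redis keys with a TTL: a key expires ttlMs after it is first written.
class CounterStore {
  constructor() { this.entries = new Map(); }
  incr(key, ttlMs, now) {
    const e = this.entries.get(key);
    if (!e || e.expiresAt <= now) {
      this.entries.set(key, { value: 1, expiresAt: now + ttlMs });
      return 1;
    }
    return (e.value += 1);
  }
  set(key, ttlMs, now) { this.entries.set(key, { value: 1, expiresAt: now + ttlMs }); }
  has(key, now) { const e = this.entries.get(key); return !!e && e.expiresAt > now; }
  del(key) { this.entries.delete(key); }
}

// Evaluate one worker batch against one rule; returns the alerts it raises.
// The primary counter is keyed per (orgId, modelId); the chain sentinel is keyed
// to the actor (or IP) whose event crossed the threshold.
function evaluateBatch(rule, events, store) {
  const alerts = [];
  const counterKey = `${rule.orgId}:${rule.id}`;
  for (const ev of events) {
    if (ev.orgId !== rule.orgId) continue;          // other tenants are never evaluated
    const actor = ev.actorId || ev.ip;
    const sentinelKey = `${counterKey}:chain:${actor}`;
    if (matchEventType(rule.eventType, ev.type) && matchCondition(rule.condition, ev)) {
      const count = store.incr(counterKey, rule.windowMinutes * 60000, ev.ts);
      if (count !== rule.threshold) continue;       // fire once per window
      if (rule.chainedEventType) {
        store.set(sentinelKey, rule.chainWindowMinutes * 60000, ev.ts); // TTL = chain window
      } else {
        alerts.push({ severity: rule.severity, actor, reason: 'threshold crossed' });
      }
    } else if (rule.chainedEventType && matchEventType(rule.chainedEventType, ev.type)
               && store.has(sentinelKey, ev.ts)) {
      store.del(sentinelKey);
      alerts.push({ severity: 'critical', actor, reason: 'Account Compromise Detected' });
    }
  }
  return alerts;
}

// Constructed sample batch: five web login failures for alice, one API failure
// for bob (filtered out by the condition), then alice logs in successfully.
const T0 = Date.UTC(2024, 0, 1, 12, 0, 0);
const at = (minute) => T0 + minute * 60000;
const failure = (actorId, minute, source) =>
  ({ orgId: 'org-1', type: 'auth.login_failed', actorId, ip: '203.0.113.5', ts: at(minute), meta: { source } });
const success = (orgId, minute) =>
  ({ orgId, type: 'auth.login_success', actorId: 'alice', ip: '203.0.113.5', ts: at(minute), meta: { source: 'web' } });

function runSample(successMinute) {
  const batch = [
    failure('alice', 0, 'web'), failure('alice', 1, 'web'), failure('alice', 2, 'web'),
    failure('bob', 3, 'api'),
    failure('alice', 4, 'web'), failure('alice', 5, 'web'),
    success('org-2', 6),                    // another tenant: ignored
    success('org-1', successMinute),
  ];
  return evaluateBatch(rule, batch, new CounterStore());
}

console.log(runSample(12));   // success inside the chain window: one critical alert
console.log(runSample(30));   // sentinel expired at minute 20: no alert
```

The sentinel is armed only on the event that makes the counter reach the threshold, so a sixth or seventh failure inside the same window neither re-arms it nor raises a second alert, and it disappears on its own when the chain window elapses, which is the behaviour the TTL on the real Redis key provides.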
Plan Requirements
Custom Threat Models are available on the Enterprise plan only. All rules you define are scoped to your organisation — other tenants cannot see or be affected by your rules.