Create a Continuous Detection and Response Rule
You must have the Organization Admin role to create CDR rules.
- Go to Manage > Continuous Detection.
- Click Add Custom Rule.
- Enter a Custom Rule Name and an optional Description.
- Decide when the CDR rule should expire:
  - Enter a number of days of inactivity. If no messages match the rule for that many consecutive days, the rule expires at the end of that period. A matching message restarts the count.
  - Select Never expire to make the rule permanent.
- If insider impersonation is enabled for your organization (see Messages Settings for more information), select the Message Direction that the rule applies to.
- Select the action that you want to apply to messages that match the rule.
- Enter the rule expression, which is a search expression written in the domain specific language (DSL) and defines the conditions a message must meet to match. See Domain Specific Language Reference for details.
- Click Preview Messages.
- At this point, Cloud Email Protection searches its data store, which holds the past 60 days of messages, and lists every message that matches the CDR rule so you can review the results and confirm that the rule matches your intent before saving it.
- Click Add Custom Rule.
After a few minutes, you can view the event created by the new rule on the Continuous Detection and Response page. (Click the My Custom Rules tile to filter the list to only CDR events created from custom rules.) The Source of the CDR event will be Custom Rules and the Conditions will be the search expression you entered in the CDR rule.