customNovel
Rendered from docs/alerts/customNovel.md
customNovel
Catch-all alert type for “novel” heuristics that don’t map cleanly to a dedicated enum value yet.
Implemented in: src/lib/detection/plugins/novel/* (multiple plugins)
Enabled by default: no (available plugins; enable in the detection service/plugin set)
What it means
A novel detector found behavior that is suspicious, emerging, or not reliably covered by standard detectors.
Why it matters
Attackers iterate quickly. Novel detectors aim to surface new patterns early, even if they require more analyst review.
What to do
- Treat as an investigation starter: review the referenced evidence in context.
- Correlate with other alerts and package metadata (publisher history, download spikes, etc.).
- If the pattern proves stable, consider promoting it to a first-class
AlertType.
Common fields
metadata.detectionTypeis often used to identify which novel plugin emitted the alert