Best Practices for Rules
Following are some best practices to consider while writing rules:
Enable Run Rule after Enrichment under Basic Details only when you want the platform to evaluate threat data objects based on their Confidence Score and trigger the rule automatically.
Select appropriate sources and collections so that the rule is triggered only by the relevant incoming feeds. Scoping the rule this way also spares the platform unnecessary processing load that can slow performance.
Define actions for all sets of conditions to perform required actions on the filtered data.
Refrain from creating multiple rules that accomplish the same task on a similar set of conditions.
Refrain from enabling Allow all Conditions under Basic Details. Instead, define a combination of conditions that meets your requirements. Defining accurate conditions allows the platform to optimize the triggering of the rule and utilize resources judiciously.
Refrain from publishing all IOCs from heavy feed providers, such as Recorded Future, GroupIB, FireEye, Mandiant V4, CrowdStrike, and more. Doing so can degrade the performance of the platform.