
Cyware Situational Awareness Platform

Rules

You can configure rules that automatically share or receive alerts when a defined condition is met. Rules let organizations and communities replace manual sharing steps with a repeatable, pre-approved decision, which both reduces analyst effort and keeps complex sharing workflows consistent.

In the current implementation, analysts can use rules to share and to receive alerts.

You can create two types of rules.

  • Alert Sharing Rules: This rule type automates the alert sharing process between two CSAP organizations.

  • Alert Receiving Rules: This rule type automates the process to receive alerts from sharing communities.

You can access the Rules tab from the Community Sharing module of the Management section.

How do Rules help automate sharing tasks?

This section walks through the alert sharing flow between two CSAP organizations.

  1. Organization 1 creates API credentials and shares them with Organization 2. Treat these credentials as a secret and hand them over through a secure channel: they are what allows Organization 2 to connect to Organization 1.

  2. Organization 1 defines the rule conditions for receiving alerts.

  3. Organization 2 uses the credentials to create a Trusted Sharing Community.

  4. Organization 2 defines the rule conditions for sharing alerts.

    [Figure: Flow_1.jpeg]
  5. Organization 2 creates an alert. If the rule conditions defined by the admin are met, the alert is either shared with Organization 1 or never shared, depending on the action configured in the rule.

Create an Alert Sharing Rule
  1. Click the Rules tab and click Create.

  2. Choose Alert Sharing as the trigger for the rule.

  3. Select the category and TLP that form the logical condition for the rule to run. Based on the selected category, you can add further fields to the condition. The conditions are displayed as logical queries in the custom query builder, so review the query to confirm it matches only the alerts you intend.

  4. Choose the action to run when the conditions are met. For alert sharing rules you choose whether to share or never share matching alerts with the selected Trusted Security Circles.

  5. After finishing, click Submit. The rule is created and is active immediately.

How do Rules help automate receiving tasks?

This section walks through the alert receiving flow between two CSAP organizations.

  1. Organization 1 creates API credentials and shares them with Organization 2.

  2. Organization 1 defines the rule conditions for receiving alerts.

  3. Organization 2 uses the credentials to create a Trusted Sharing Community.

  4. Organization 2 defines the rule conditions for sharing alerts.

    [Figure: Flow_1.jpeg]
  5. Organization 2 creates an alert. If the rule conditions defined by the admin are met, the alert is either shared with Organization 1 or never shared, depending on the action configured in the rule.

  6. When Organization 1 receives the alert, it is either auto-published to the recipients or saved as a draft, based on the conditions defined by Organization 1's admin.

    [Figure: flow_2.jpeg]
Create an Alert Receiving Rule
  1. Click the Rules tab and click Create.

  2. Choose Alert Receiving as the trigger for the rule.

  3. Select the source communities and TLP that define the conditions for the rule to run. The conditions are displayed as logical queries in the custom query builder.

  4. Choose the action to run when the conditions are met. For alert receiving rules you choose whether to auto-publish matching alerts to the selected recipient groups or to save them as drafts for review.

  5. After finishing, click Submit. The rule is created and is active immediately.
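To make the two procedures above concrete, the following is an added example that models both an Alert Sharing rule (category, TLP and field conditions; share or never-share action on a set of circles) and an Alert Receiving rule (source community and TLP conditions; auto-publish or save-as-draft action on recipient groups). It is illustrative code written for this page, not Cyware's own implementation or API; the rule fields, the sample rules and alerts, the "never share wins over share" and "draft wins over auto-publish" precedence, and the "no matching rule means nothing is shared and received alerts stay as drafts" defaults are all assumptions chosen to be fail-safe.

```python
"""Illustrative model of CSAP-style alert sharing and receiving rules.
Added example, not Cyware code; field names, precedence and defaults are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple

ANY = frozenset()  # an empty condition set means "no restriction on this attribute"


@dataclass
class Alert:
    category: str
    tlp: str
    fields: Dict[str, str] = field(default_factory=dict)  # category-specific fields
    source_community: str = ""  # populated only on alerts received from a community


@dataclass
class SharingRule:
    categories: FrozenSet[str]      # condition: alert category
    tlps: FrozenSet[str]            # condition: alert TLP
    action: str                     # "share" or "never_share"
    circles: FrozenSet[str]         # communities/circles the action applies to
    field_conditions: Dict[str, str] = field(default_factory=dict)


@dataclass
class ReceivingRule:
    sources: FrozenSet[str]         # condition: source community
    tlps: FrozenSet[str]            # condition: alert TLP
    action: str                     # "auto_publish" or "save_draft"
    recipient_groups: FrozenSet[str]


def _in(value: str, allowed: FrozenSet[str]) -> bool:
    return not allowed or value in allowed


def sharing_rule_matches(alert: Alert, rule: SharingRule) -> bool:
    return (_in(alert.category, rule.categories)
            and _in(alert.tlp, rule.tlps)
            and all(alert.fields.get(k) == v for k, v in rule.field_conditions.items()))


def decide_sharing(alert: Alert, rules: List[SharingRule]) -> List[str]:
    """Circles the alert is shared with. A matching 'never_share' rule vetoes a
    circle even if a 'share' rule also names it (deny-wins, assumed); with no
    matching 'share' rule nothing leaves the organization."""
    share, deny = set(), set()
    for rule in rules:
        if sharing_rule_matches(alert, rule):
            (deny if rule.action == "never_share" else share).update(rule.circles)
    return sorted(share - deny)


def decide_receiving(alert: Alert, rules: List[ReceivingRule]) -> Tuple[str, List[str]]:
    """('auto_publish' | 'save_draft', recipient groups). Draft wins whenever any
    matching rule asks for it; an alert no rule matches is held as a draft for
    nobody (fail-safe defaults, assumed)."""
    matched = [r for r in rules
               if _in(alert.source_community, r.sources) and _in(alert.tlp, r.tlps)]
    action = "auto_publish" if matched and all(r.action == "auto_publish" for r in matched) else "save_draft"
    groups = set()
    for r in matched:
        groups.update(r.recipient_groups)
    return action, sorted(groups)


# Constructed sample rules for the sharing side (Organization 2 in the flow above).
SHARING_RULES = [
    SharingRule(frozenset({"Malware"}), frozenset({"WHITE", "GREEN", "AMBER"}),
                "share", frozenset({"FS-ISAC-Circle"})),
    # Alerts raised from an internal IR case must never leave the organization.
    SharingRule(ANY, ANY, "never_share", frozenset({"FS-ISAC-Circle", "Vendor-Circle"}),
                field_conditions={"source": "internal-ir"}),
]

# Constructed sample rules for the receiving side (Organization 1 in the flow above).
RECEIVING_RULES = [
    ReceivingRule(frozenset({"FS-ISAC-Circle"}), frozenset({"WHITE", "GREEN"}),
                  "auto_publish", frozenset({"SOC Analysts", "All Staff"})),
    ReceivingRule(frozenset({"FS-ISAC-Circle"}), frozenset({"AMBER", "RED"}),
                  "save_draft", frozenset({"SOC Analysts"})),
]

if __name__ == "__main__":
    print(decide_sharing(Alert("Malware", "AMBER", {"source": "osint"}), SHARING_RULES))
    print(decide_sharing(Alert("Malware", "AMBER", {"source": "internal-ir"}), SHARING_RULES))
    print(decide_sharing(Alert("Malware", "RED", {"source": "osint"}), SHARING_RULES))
    print(decide_receiving(Alert("Malware", "GREEN", source_community="FS-ISAC-Circle"), RECEIVING_RULES))
    print(decide_receiving(Alert("Malware", "RED", source_community="FS-ISAC-Circle"), RECEIVING_RULES))
```

The two precedence choices are the ones worth checking in any real rule set: a TLP:RED alert that matches no share rule stays inside the organization, and an internal-IR alert is vetoed even though a share rule also matches it. On the receiving side, AMBER and RED alerts are held as drafts for analyst review rather than auto-published to the broad recipient group.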

View, Edit, or Clone Rules

You can manage rules from the Rules tab. Hover over a rule in the list to view the following options.

  • Click View Rule to view the details of a rule.

  • Click Clone Rule to copy an existing rule, make minor changes, and quickly activate the copy.

  • Click Edit Rule to modify the details of a rule.

Tip

The Connections column for a rule shows the number of Trusted Sharing Communities or Recipient Groups associated with that rule.