Cyware Threat Intelligence eXchange

Create a New Rule

You can create a rule to automate an action when a defined condition is met. You can also add multiple rules.

Before you Start

Ensure that you have the view, create, and update rule permissions to access Rules.

Note

Some steps may differ based on your selection of conditions and actions.

Steps

To create a rule, follow these steps:

  1. Go to Main Menu > Actions > Rules.

  2. Click New Rule.

  3. Enter a unique name to identify the rule, and click Add.

  4. Select a source and collection to poll for threat intel. Sources and collections define the repository that the rule polls for threat intel.

    You can select a single source or multiple sources to poll for threat intel, for example, AlienVault or VirusTotal.

  5. To trigger the rule, add a condition by selecting one under Conditions on the left side of the screen, or by hovering below the source and collection box.

  6. Fill in the following to define a condition:

    1. Select an intent type from the drop-down to define the object.

    2. Select a rule type from the drop-down to define the property of the object.

    3. Select a selector from the drop-down to define the comparison unit.

    4. Enter a value to compare.

    5. Enable Select Object for Actioning to perform the defined action on the selected object. This option ensures that the action is performed only on the selected object when you define multiple conditions with multiple objects.

      Note

      If the intent type is report or note, Select Object for Actioning prompts you to further select an object to which the condition applies. Because a report or note consists of multiple threat data objects, you can choose to apply conditions to a specific object type inside that report or note.

      You can apply multiple conditions using the AND and OR operators, or, based on relations, using the +Condition option below the condition box. For more information about conditions, see Apply Conditions Based on Operators and Apply Conditions Based on Relations.

  7. To define the action to run after a condition is met, add an action by hovering below the condition box, or by expanding Actions under Component on the left side of the screen and selecting an action, such as trigger playbook, update active list, send an email, and more.

  8. Based on the selected action, select an application to implement the rule, such as CTIX, CSAP, and more.

    To select an application, you must integrate CTIX with third-party applications under Administration > Integration Management > Tool Integrations.

  9. Select an account to specify the application instance to run the rule.

    Note

    The account list is populated based on the selected application.

  10. Click Save.

You can view the created rule under Rules.