Create a New Rule
Create a rule to automate the actioning when a defined condition is met. You can also add multiple rules.
Before you Start: Ensure that you have the view, create, and update rule permissions to access Rules.
Note
Some steps may differ based on your selection of conditions and actions.
Steps
To create a rule, do the following:
From Main Menu, select Rules under Actions.
Click New Rule and enter the following details:
Enter a unique name to identify the rule.
Enter a description with the key details of the functions of the rule.
To easily identify and categorize components in CTIX, add tags.
Click Submit.
Select a source and collection to poll threat intel. Sources and collections define the repository to poll the threat intel for the rule.
You can select single or multiple sources to poll threat intel. For example, Alien Vault or Virus Total.
To define a condition in which the rule gets triggered, add a condition by hovering below the source and collection box or expand Conditions under Components on the left side of the screen, and select a condition.
Fill in the following to define a condition:
Select an intent type from the drop-down to define the object.
Select a rule type from the drop-down to define the property of the object.
Select a selector from the drop-down to define the comparison unit.
Enter a value to compare.
Enable Select Object for Actioning to perform the defined action on the selected object. This option ensures that the action is performed only on the selected object when you define multiple conditions with multiple objects.
Note
If the intent type is report or note, Select Object for Actioning prompts you to further select an object to apply the condition. Since a report and note consist of multiple threat data objects, you can choose to apply conditions on a specific object type inside that report or note.
You can apply multiple conditions using AND, OR operators, or using the +Condition option below the condition box based on relations. For more information about conditions, see Apply Conditions Based on Operators and Apply Conditions Based on Relations.
To define an action after a condition has been met, add an action by hovering below the condition box or expand Actions under Component on the left side of the screen and select an action, such as trigger playbook, update active list, send an email, or more.
Based on the selected action, select an application to implement the rule, such as CTIX, CSAP, and more.
To select an application, you must integrate CTIX with third-party applications under Administration > Integration Management > Tool Integrations.
Select an account to specify the application instance to run the rule.
Note
The account list is populated based on the selected application.
Click Save.