Additional Actions for Rules
CTIX offers the following additional actions under Basic Details, on the left side of the screen, to further filter the threat intel that a rule acts on:
Allow all Conditions: Applies all available conditions to the selected threat data object. When you select it, the system warns that the previously selected conditions will be removed, and the Conditions listed under Components on the left side of the screen are cleared.
Run Rule after Enrichment: Runs the rule only after data enrichment and confidence score evaluation are complete. Select this action when a condition uses CTIX CONFIDENCE SCORE as the Rule Type; it ensures that the threat data object is enriched and scored before the rule evaluates the condition.
If you do not select Run Rule after Enrichment and a condition uses CTIX CONFIDENCE SCORE, the rule runs against the object before it has been enriched and its confidence score calculated, so the condition is evaluated against a score that does not yet exist and the results will not be the ones you expect.
Note
This action applies only when the rule runs automatically. If you enable it and then run the rule manually, the results can differ from those of an automatic run because the two execution types are handled differently.
Triggers on Manual Update: Runs the rule whenever an analyst manually updates an existing threat data object. It does not run the rule for new threat data objects added to the application. Selecting this option removes the previously selected sources and collections; the rule then triggers for all sources and collections.
For example, suppose a rule blocks (action) an indicator (threat data object) when its confidence score is greater than 50 (condition). When the condition is met, the rule is triggered and the action is performed. If Triggers on Manual Update is enabled and an analyst later updates that threat data object, the same rule is triggered again and takes the action.
The rule is triggered only by the following manual updates made by an analyst:
Update Tag
Update Analyst Score
Update TLP
Deprecate or Undeprecate
Manual Review
Update False Positive
Update Indicators Allowed
Add Analyst Description
Add to Watchlist
Exclude False Positive: Excludes threat data objects marked as false positives from the filtered data. This option is selected by default, so no false positives are included. It takes precedence over the conditions configured in the rule: a threat data object marked as a false positive is excluded even if it matches every condition.
Exclude Indicators Allowed: Excludes indicators marked as allowed from the filtered data. This option is selected by default, so no allowed indicators are included. It takes precedence over the conditions configured in the rule: an allowed threat data object is excluded even if it matches every condition.
Run Rule Manually Only: Makes the rule runnable only manually, for indicators selected in Threat Data and Threat Investigations; running it triggers a playbook directly on those indicators. When you select this option, the indicators in Threat Data and Threat Investigations list the rules configured with Run Rule Manually Only so that you can run them from there.
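As an added illustration, not CTIX's own code, the following Python models how the options above interact: a CTIX CONFIDENCE SCORE condition evaluated without Run Rule after Enrichment sees an object that has not been scored yet and cannot match; Exclude False Positive and Exclude Indicators Allowed override the rule's conditions; and only the listed manual updates re-trigger a rule that has Triggers on Manual Update enabled. The data model, the enrichment lookup, the sample indicators and their scores are all constructed for this example.

```python
# Added illustration: a small model of how the rule options described above interact.
# This is not CTIX code; the data model, the enrichment lookup and the scores are constructed.
from dataclasses import dataclass, replace
from typing import Callable, Optional


@dataclass(frozen=True)
class ThreatObject:
    value: str
    confidence_score: Optional[int] = None   # None until enrichment has scored the object
    false_positive: bool = False             # set by the analyst ("Update False Positive")
    indicator_allowed: bool = False          # set by the analyst ("Update Indicators Allowed")


@dataclass(frozen=True)
class Rule:
    min_confidence: int                      # condition: CTIX CONFIDENCE SCORE > min_confidence
    run_after_enrichment: bool = False
    exclude_false_positive: bool = True      # both exclusions are on by default, as documented
    exclude_indicators_allowed: bool = True


# Constructed lookup standing in for the enrichment and confidence-scoring pipeline.
CONSTRUCTED_SCORES = {"198.51.100.23": 82, "203.0.113.7": 35}


def enrich(obj: ThreatObject) -> ThreatObject:
    """Return a copy of the object with its confidence score filled in."""
    return replace(obj, confidence_score=CONSTRUCTED_SCORES.get(obj.value, 0))


def rule_matches(rule: Rule, obj: ThreatObject,
                 enrichment: Callable[[ThreatObject], ThreatObject] = enrich) -> bool:
    """Decide whether the rule's action fires for obj under the configured options."""
    # The exclusions win over every configured condition.
    if rule.exclude_false_positive and obj.false_positive:
        return False
    if rule.exclude_indicators_allowed and obj.indicator_allowed:
        return False
    # Only with Run Rule after Enrichment does the rule see the enriched, scored object.
    if rule.run_after_enrichment:
        obj = enrichment(obj)
    # Without it the rule evaluates the object as ingested, before a score exists,
    # so a CTIX CONFIDENCE SCORE condition cannot be satisfied.
    if obj.confidence_score is None:
        return False
    return obj.confidence_score > rule.min_confidence


# The analyst updates that Triggers on Manual Update reacts to, as listed above.
MANUAL_UPDATE_TRIGGERS = frozenset({
    "Update Tag", "Update Analyst Score", "Update TLP", "Deprecate or Undeprecate",
    "Manual Review", "Update False Positive", "Update Indicators Allowed",
    "Add Analyst Description", "Add to Watchlist",
})


def triggers_on_manual_update(update_type: str) -> bool:
    """True if a manual update of this kind re-triggers a rule with the option enabled."""
    return update_type in MANUAL_UPDATE_TRIGGERS


if __name__ == "__main__":
    fresh = ThreatObject("198.51.100.23")        # just ingested, not yet scored
    block_over_50 = Rule(min_confidence=50)
    after = replace(block_over_50, run_after_enrichment=True)
    print("before enrichment:", rule_matches(block_over_50, fresh))              # False
    print("after enrichment: ", rule_matches(after, fresh))                      # True
    print("false positive:   ", rule_matches(after, replace(fresh, false_positive=True)))  # False
    print("re-trigger on TLP:", triggers_on_manual_update("Update TLP"))         # True
```

The first two prints are the pitfall from the note above: the same rule and the same indicator give different answers depending only on whether the rule waits for enrichment. The third shows that the exclusion applies before the condition is even looked at, which is why the documentation says the option ignores the configured conditions.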
Note
A rule created with Run Rule Manually Only cannot be run from Rules.
Run Rule Manually Only removes the previously selected sources and collections and triggers the rule for all sources and collections.