Apply Conditions Based on Relations
CTIX allows you to apply multiple conditions across multiple threat data objects based on the relationships among them. Use this scenario to run a rule for objects that may have multiple relations with other threat data objects.
Before you start: Ensure that you have created a regular condition as defined earlier. For more information, see Create a New Rule.
To apply conditions based on relations, do the following:
Hover below the condition box, and click +Condition.
In the Select Source of Related Object box, do the following:
Select a source and collection for the related object.
Select one of the following to set the duration of the relation between the objects:
Created: Select the creation period of the relation between the objects.
Modified: Select the modification period of the relation between the objects.
Custom: Enter a custom value in either days or hours, based on the requirement.
For example, run a rule when a condition applies to objects whose relation was created within the last 24 hours.
In the Condition box, do the following:
Select an intent type from the drop-down to define the related object.
Select a rule type from the drop-down to define the property of the related object.
Select a selector from the drop-down to define the comparison unit.
Enter a value to compare.
Enable Select Object for Actioning to perform the defined rule action on the related object.
While applying conditions based on relations, you can enable this option on either one or both of the objects. The rule action then applies to the objects you selected.