Rules on Custom Objects
Notice
This feature is available in Intel Exchange v3.7.5.1 onwards.
You can define automation rules using custom objects in Intel Exchange. This allows you to apply conditions and actions on custom-defined data, extending automation beyond standard SDOs.
Before You Start
Ensure that you have view, create, and update rule permissions to access Rules.
Steps
To create a rule using a custom object, follow these steps:
In the Main Menu, select Rules under Actions.
Click New Rule and enter a title for the rule.
Click Add to create the rule.
Select Source and Collection as conditions to define the repositories against which the rule matches threat intel. You can select one or more sources, such as AlienVault or VirusTotal.
To define the trigger for the rule, add a condition by either hovering over the Source and Collection section and clicking Condition, or expanding Conditions in Components in the left panel. Select the condition you want to apply.
Enter the following to define the condition:
Select the Intent Type as the custom object.
Select a Rule Type from the drop-down to define the condition on a custom object. By default, the custom object’s primary attribute is selected. You can change this to any active attribute associated with the object.
Note
The list of Custom Attributes for a specific Custom Object Type is dynamically populated based on the Active status of the custom attributes. If a custom attribute is disabled or unmapped from the object, it does not appear in the rule configuration.
Choose a Selector from the drop-down. The available selectors vary based on the data type of the selected attribute. For more information, see Selector Behavior Based on Attribute Type.
Enter a Value.
Enable Select Object for Actioning to perform the defined action on the selected object. This option ensures that the action is performed only on the selected object when you define multiple conditions with multiple objects.
Note
If the intent type is Campaign or Report, the Select Object for Actioning option prompts you to choose a specific object type within them. These intent types can include multiple threat data objects, including custom objects.
You can apply multiple conditions using the AND and OR operators, or by clicking +Condition in the condition box based on relations. For more information about conditions, see Apply Conditions Based on Operators and Apply Conditions Based on Relations.
To specify the action triggered when a rule's conditions are met, hover over the condition box and click + Action, or go to Components > Actions in the left panel and select an action such as Publish to Collection, Send Email, or another action supported by Intel Exchange.
Based on the selected action, select an Application to run the rule, such as Intel Exchange, Collaborate, and more.
Note
To select an application, you must integrate Intel Exchange with third-party applications under Administration > Integration Management > Tool Integrations.
Select an Account to specify the application instance to run the rule.
Note
The account list is populated based on the selected application.
Click Save.
When you edit a rule, only active custom object types and attributes are displayed.
Selector Behavior Based on Attribute Type
The following table lists the selector options and expected values, which vary based on the data type of the attribute selected in the rule condition.
Custom Attribute Type | Selectors Available | Value |
---|---|---|
Input (Float) | EQUAL, GREATER THAN, LESSER THAN, GREATER THAN EQUAL, LESSER THAN EQUAL | Enter a float value. For example, 9.34. |
Input (Integer) | EQUAL, GREATER THAN, LESSER THAN, GREATER THAN EQUAL, LESSER THAN EQUAL | Enter an integer value. For example, 9. |
Input (Boolean) | EQUAL, NOT EQUAL, ALL | Select one value: TRUE or FALSE. If ALL is selected, no value is required. |
Input (String) | EQUAL, CONTAINS, ALL | Enter a string value. |
Single Select | EQUAL, NOT EQUAL, ALL | Select one value from the list. If ALL is selected, no value is required. |
Multi Select | EQUAL, NOT EQUAL, ALL | Select one or more values from the list. If ALL is selected, no value is required. |
JSON | ALL | No value input is required. |
Rules created using custom attributes (based on their attribute type selectors) are supported for the following rule types:
Trigger on Manual Updates
Manual Run Rule
Automated Rules