Creating threat categories from policy rules

You can use your policies' rules to create active threat analytics case types by setting a threshold on specific violation policy rules.

About this task

You can set a threshold only on a violation rule whose severity is set to high in the rule definition and whose rule action is alert per match.

When the rule threshold is exceeded within any one-hour window, a case is created. The case type is the name of the rule. Cases that are created from a policy rule threshold appear in the active threat analytics cases table and are treated like any other case.

Changes to installed policies are applied according to the policy installation schedule. When you add a threshold to a rule in an installed policy, cases are created for violations that exceed the threshold only after the policy is reinstalled.

Thresholds are defined with the API only; you cannot define them in the GUI.

Procedure

  1. Identify the policy and the rule that you want to use, with the API commands list_policy and list_policy_rules.
  2. Add or modify the threshold with the API command add_threshold_to_rule or update_threshold_in_rule. For example, to set a threshold of 25 matches per hour on ruleNNN in policyAAA:
    grdapi add_threshold_to_rule policy_name=policyAAA rule_name=ruleNNN threshold=25
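The following script is an added example that wraps the two procedure steps above so that a threshold can be applied from a script rather than typed one command at a time; it is not part of the Guardium documentation or product. It assumes that grdapi is reachable through the GRDAPI variable (the grdapi binary on the Guardium CLI, or an SSH wrapper that runs it as the cli user), that grdapi returns a non-zero exit status when a call is rejected, and that adding a threshold to a rule that already has one is rejected and should be retried as update_threshold_in_rule. The parameter names policy_name, rule_name and threshold are the ones shown in the procedure above; the add-then-update fallback and the exit-status behaviour are assumptions.

```shell
#!/bin/sh
# Added example, not Guardium's own code. Applies a per-hour match threshold
# to a violation rule using the grdapi commands named in the procedure.
#
# Assumptions (not stated in the documentation):
#   - GRDAPI names a command that runs grdapi (binary on the CLI, or an
#     SSH wrapper such as "ssh cli@guardium grdapi").
#   - grdapi exits non-zero when it rejects a call.
#   - add_threshold_to_rule is rejected when the rule already has a
#     threshold, so the script falls back to update_threshold_in_rule.

GRDAPI="${GRDAPI:-grdapi}"

# A threshold is a count of rule matches per hour, so it must be a
# positive integer. Anything else is refused before it reaches grdapi.
valid_threshold() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;   # empty, or contains a non-digit
    0)           return 1 ;;   # zero would fire a case on every match
    *)           return 0 ;;
  esac
}

# Policy and rule names are passed through as grdapi key=value arguments.
# Reject names containing whitespace so one argument cannot become two.
valid_name() {
  case "$1" in
    ''|*[[:space:]]*) return 1 ;;
    *)                return 0 ;;
  esac
}

# apply_threshold POLICY RULE THRESHOLD
#   Tries add_threshold_to_rule first; on rejection, retries with
#   update_threshold_in_rule. Exit status: 0 applied, 1 grdapi rejected
#   both calls, 2 invalid input.
apply_threshold() {
  policy="$1"; rule="$2"; threshold="$3"

  valid_name "$policy" && valid_name "$rule" || {
    echo "policy and rule names must be non-empty and contain no whitespace" >&2
    return 2
  }
  valid_threshold "$threshold" || {
    echo "threshold must be a positive integer (matches per hour)" >&2
    return 2
  }

  if "$GRDAPI" add_threshold_to_rule \
       "policy_name=$policy" "rule_name=$rule" "threshold=$threshold"; then
    return 0
  fi
  # Assumed: add was rejected because a threshold already exists.
  "$GRDAPI" update_threshold_in_rule \
    "policy_name=$policy" "rule_name=$rule" "threshold=$threshold"
}
```

Usage from the Guardium CLI would be `apply_threshold policyAAA ruleNNN 25` after sourcing the script; remember that, as the task description says, the new threshold only takes effect once the installed policy is reinstalled on its schedule, so the script does not by itself change what is being enforced.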

Results

From the next day (after the policy has been reinstalled on its schedule), a case is created whenever the rule threshold is exceeded within a one-hour window.