Creating threat categories from policy rules
You can use your policy rules to create active threat analytics case types by setting a threshold on specific violation policy rules.
About this task
You can set thresholds on violation rules whose severity is high in the rule definition and whose rule action is alert per match.
When the rule threshold is exceeded within any 1-hour period, a case is created. The case type is the name of the rule. Cases that are created from a policy rule threshold appear in the active threat analytics cases table and are treated like any other case.
Changes to installed policies are applied according to the policy schedule. If you add a threshold to a rule in an installed policy, cases are created for violations that exceed the threshold only after the policy is reinstalled.
Use the API to define thresholds on rules. You cannot define thresholds in the GUI.
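The following is an added illustration of the thresholding behaviour described above, not the product's own code or API. It replays a constructed violation log against constructed rule definitions: a threshold is accepted only for a high-severity rule whose action is alert per match, and a case named after the rule opens when more than the threshold number of violations fall within any rolling 1-hour window. Treating "any 1 hour" as a rolling window, reading "exceeded" as strictly greater than the threshold, and resetting the window once a case opens are assumptions made for the example; the rule fields, log format and function names are likewise hypothetical.

```python
"""Sliding-window thresholding of policy-rule violations into cases.

Illustrative only: the rule shape, the log format, the strict ">" reading of
"exceeded" and the reset-after-case behaviour are assumptions, not the
product's actual data model or API.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)

# Constructed rule definitions. Only "Failed login burst" is eligible for a
# threshold (severity high, action alert per match); the other two are present
# to show the eligibility filter rejecting them.
RULES = {
    "Failed login burst":   {"severity": "high",   "action": "alert per match", "threshold": 2},
    "Sensitive table read": {"severity": "medium", "action": "alert per match"},
    "Schema change":        {"severity": "high",   "action": "log only"},
}

# Constructed violation records in the form "<ISO timestamp> | <rule name>".
VIOLATION_LOG = """\
2024-05-01T09:00:00 | Failed login burst
2024-05-01T09:20:00 | Failed login burst
2024-05-01T09:50:00 | Failed login burst
2024-05-01T10:05:00 | Failed login burst
2024-05-01T10:10:00 | Sensitive table read
2024-05-01T10:11:00 | Sensitive table read
2024-05-01T10:12:00 | Sensitive table read
2024-05-01T10:30:00 | Schema change
2024-05-01T10:31:00 | Schema change
2024-05-01T12:00:00 | Failed login burst
2024-05-01T12:30:00 | Failed login burst
2024-05-01T13:15:00 | Failed login burst
2024-05-01T13:25:00 | Failed login burst
"""


def threshold_eligible(rule: dict) -> bool:
    """A threshold may be set only on a high-severity rule whose action is alert per match."""
    return rule.get("severity") == "high" and rule.get("action") == "alert per match"


def set_threshold(rules: dict, rule_name: str, threshold: int) -> None:
    """Attach a threshold to a rule, refusing rules that are not eligible (hypothetical API)."""
    rule = rules[rule_name]
    if not threshold_eligible(rule):
        raise ValueError(f"{rule_name!r}: threshold requires severity high and action alert per match")
    if threshold < 1:
        raise ValueError("threshold must be a positive integer")
    rule["threshold"] = threshold


def parse_violations(text: str) -> list:
    """Parse the constructed log into (timestamp, rule name) pairs."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, name = (part.strip() for part in line.split("|", 1))
        records.append((datetime.fromisoformat(stamp), name))
    return records


def evaluate(violations: list, rules: dict) -> list:
    """Replay violations in time order and return the cases that open.

    For each eligible rule, keep the violations seen in the last hour. When the
    count exceeds the rule's threshold, open a case whose type is the rule name.
    Assumption: the window is reset after a case opens, so one burst yields one
    case rather than one per further violation.
    """
    windows = defaultdict(deque)
    cases = []
    for ts, name in sorted(violations):
        rule = rules.get(name)
        if rule is None or "threshold" not in rule or not threshold_eligible(rule):
            continue
        window = windows[name]
        window.append(ts)
        # Drop violations older than one hour relative to the newest one.
        while ts - window[0] > WINDOW:
            window.popleft()
        if len(window) > rule["threshold"]:
            cases.append({"case_type": name, "opened_at": ts, "violations": len(window)})
            window.clear()
    return cases


if __name__ == "__main__":
    for case in evaluate(parse_violations(VIOLATION_LOG), RULES):
        print(f"case type={case['case_type']!r} opened={case['opened_at']:%H:%M} "
              f"violations={case['violations']}")
```

Running the replay opens two "Failed login burst" cases (at 09:50 and 13:25). The 12:00 violation has aged out of the window by 13:15, so the burst at 12:30-13:25 is what triggers the second case, and the medium-severity and log-only rules never produce a case however many violations they log.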