You can use your policies' rules to create active threat analytics case types, by setting a threshold on specific violation policy rules that have a severity of high in the rule definition, and the rule action is Alert per match.

When the rule threshold is exceeded in any 1 hour, a case is created. The case type is the name of the rule. Cases that are created from a policy rule threshold appear in the active threat analytics cases table, and are treated like any other case.

Changes to installed policies are applied according to the policy schedule. When adding a threshold to a rule in an installed policy, cases are created for violations (according to the threshold) only after the policy is reinstalled.

You cannot define thresholds in the GUI.

This API is available in Guardium V11.2 and later.

REST API syntax

This API is available as a REST service with the PUT method. Call this API as follows:
PUT https://[Guardium hostname or IP address]:8443/restAPI/add_threshold_to_rule

GuardAPI syntax

add_threshold_to_rule parameter=value


Parameter Value type Description
policy_name String The policy that has the rule you want to add a threshold to. Use the API list_policy to view policies.
rule_name String The rule you want to add a threshold to. Use the API list_policy_rules to view rules.
threshold_value Integer The threshold at which a case is created.


To add the threshold 25 to ruleNNN in policyAAA:
grdapi add_threshold_to_rule policy_name=policyAAA rule_name=ruleNNN threshold=25