You can use your policies' rules to create active threat analytics case types, by setting a threshold on specific violation policy rules that have a severity of high in the rule definition, and the rule action is Alert per match.
When the rule threshold is exceeded in any 1 hour, a case is created. The case type is the name of the rule. Cases that are created from a policy rule threshold appear in the active threat analytics cases table, and are treated like any other case.
Changes to installed policies are applied according to the policy schedule. When adding a threshold to a rule in an installed policy, cases are created for violations (according to the threshold) only after the policy is reinstalled.
You cannot define thresholds in the GUI.
This API is available in Guardium V11.2 and later.
REST API syntax
PUTmethod. Call this API as follows:
PUT https://[Guardium hostname or IP address]:8443/restAPI/add_threshold_to_rule
|policy_name||String||The policy that has the rule you want to add a threshold to. Use the API list_policy to view policies.|
|rule_name||String||The rule you want to add a threshold to. Use the API list_policy_rules to view rules.|
|threshold_value||Integer||The threshold at which a case is created.|
grdapi add_threshold_to_rule policy_name=policyAAA rule_name=ruleNNN threshold=25