Applying different tuning for rules

It might be necessary to apply different tuning for rules in different parts of the system. To apply different tuning for rules, you must duplicate the Asset Reconciliation Exclusion rules that you want to tune and add one or more tests to constrain the rules so that you test only certain parts of the system. For example, you might want to create rules that test only networks, log sources, or event types.

About this task

Always be cautious when you are adding new rules to the system, because some tasks and CRE rules might impact system performance. It might be beneficial to add the new rules to the top of each test stack so that the system can bypass the remainder of the test logic whenever an asset update matches the criteria for the new rule.

Procedure

  1. Duplicate the rule.
    1. On the Offenses tab, click Rules and select the rule that you want to copy.
    2. Click Actions > Duplicate.
      It can be helpful if the name of the new rule is indicative of the reason for duplicating it.
  2. Add a test to the rule.

    Determine a filter that you want to use to apply the rule only to a subset of system data. For example, you can add a test that matches only events from a specific log source.

  3. Tune the variables of the rule to achieve the wanted behavior.
  4. Update the original rule.
    1. Add the same test that you added to the duplicate rule to the original rule, but this time invert the rule's AND and AND NOT operators.

      Inverting the operators prevents events from being triggered in both rules.