
Edit Application Rule

Tags: Configuration, Documentation, Version 12.2

When you edit the application rule, follow these guidelines:

  • You can edit only custom rules.

  • The rule name and rule value cannot be edited if the custom rule is assigned to a policy.

  • If a custom rule assigned to a policy is edited, the customer must republish the policy for the changes to take effect in the service.

  • The rule value cannot be edited. The rule value can be the same for different rule names.

  • While editing the rule name, if the name of that application rule is the same as an existing rule, an error message is displayed.

  • Lets you tag MITRE ATT&CK Tactics for each rule.

  • Lets you select the MITRE ATT&CK Techniques for the rule.

To edit an Application Rule

  1. Go to Configure (CONFIGURE) > Policies.
  2. In the policies panel, click Content.
  3. In the left panel, click Content Library.
  4. Select an application rule to edit.
  5. Click Edit Rule to edit the application rule.
  6. In the Edit Rule panel, do the following:
    • Enter a unique rule name. If the name of that application rule is the same as an existing rule, an error message is displayed.
    • Enter the rule value. This is the value written to the alert meta.

    • Enter the condition for the rule. You can apply two types of conditions for the rule.
      • Normal mode:
        • It gives suggestions for supported meta keys (ip, host, and so on) and operators (“=”, “Not Equal To”, “Contains”, “Exists”, and so on).
        • The entered condition will be enclosed in a ‘Pill’. When you enter multiple conditions, the conditions are automatically joined by an ‘AND’ operator. On clicking the ‘AND’ operator, you can toggle between ‘AND’ and ‘OR’ operators.
      • Advanced: You can customize the conditions as a free form text.
    • Select the medium to be applied for the rule.
    • Select the MITRE ATT&CK TACTICS for the rule. The MITRE ATT&CK Tactics are listed. You can select an appropriate MITRE ATT&CK Tactic.

      (Screenshot: 12.4_ccm_mitre_configure_apprule_edit.png)

    • Select the MITRE ATT&CK TECHNIQUES for the rule. The MITRE ATT&CK Techniques are listed. You can select an appropriate MITRE ATT&CK Technique.

    • Enter the description for the rule.
    • Select the session data to be applied for the rule.
    • Select the session options to be applied for the rule. The options are listed below:
      • Flag Session with rule name in meta key: Select the meta value for the alert from the drop-down menu. This is mandatory.

      • Forward: This option enables the performance of syslog forwarding when the log matches the rule.

      • Transient: This option prevents the created alert metadata from being written to the disk.

      • Notify: This option enables you to choose the Severity levels for the application rule and utilize the option to trigger alert generation.

        • Low

        • Medium

        • High

        • Critical

      Note: Severity is selected by default as Low.

    • Click Save to save the application rule details.
    • Click Reset to reset the fields.
    • Click Cancel to cancel the operation.
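The condition step above describes pills (meta key, operator, value) that are joined by a toggleable AND/OR, and the session options describe what a match writes to the alert meta (the rule value under the chosen meta key, a severity, the MITRE tags, and the Forward/Transient flags). The following Python model, added here as an example and not NetWitness code, shows how those pieces compose: the `AppRule` structure, the `eval_pill`/`evaluate_rule`/`apply_rule` helpers, the `tactic`/`technique` output key names and the sample sessions are all constructed for illustration, and the operator names are shorthand for the ones the page lists rather than the product's own condition grammar.

```python
"""Illustrative evaluator for application-rule conditions and the alert meta
a match produces. Added example, not NetWitness code: the rule structure,
helper functions, output key names and sample sessions are constructed here.
"""
from dataclasses import dataclass, field
from typing import Any, Dict, List, Tuple

# One "pill": (meta key, operator, value). The value is ignored for "exists".
Pill = Tuple[str, str, Any]

# Shorthand for the page's "=", "Not Equal To", "Contains" and "Exists".
OPERATORS = {
    "=": lambda actual, expected: actual == expected,
    "!=": lambda actual, expected: actual != expected,
    "contains": lambda actual, expected: str(expected) in str(actual),
    "exists": lambda actual, expected: True,   # key presence checked by caller
}

SEVERITIES = ("Low", "Medium", "High", "Critical")


@dataclass
class AppRule:
    name: str
    value: str                      # written to the alert meta on a match
    conditions: List[Pill]
    joiner: str = "AND"             # the AND/OR toggle between pills
    meta_key: str = "alert"         # "Flag Session with rule name in meta key"
    tactics: List[str] = field(default_factory=list)
    techniques: List[str] = field(default_factory=list)
    severity: str = "Low"           # the page's default
    transient: bool = False         # True: alert meta is not written to disk
    forward: bool = False           # True: syslog forwarding on match

    def __post_init__(self) -> None:
        # Reject values the UI would not offer, so a bad rule fails early.
        if self.joiner not in ("AND", "OR"):
            raise ValueError(f"joiner must be AND or OR, got {self.joiner!r}")
        if self.severity not in SEVERITIES:
            raise ValueError(f"unknown severity {self.severity!r}")
        for _, op, _ in self.conditions:
            if op not in OPERATORS:
                raise ValueError(f"unsupported operator {op!r}")


def eval_pill(session: Dict[str, Any], pill: Pill) -> bool:
    """Evaluate one condition. A meta key may carry several values; the pill
    matches if any value satisfies it. A key absent from the session never
    matches (an assumption of this model, applied to "!=" as well)."""
    key, op, expected = pill
    if key not in session:
        return False
    raw = session[key]
    values = raw if isinstance(raw, list) else [raw]
    return any(OPERATORS[op](v, expected) for v in values)


def evaluate_rule(rule: AppRule, session: Dict[str, Any]) -> bool:
    """Combine the pills with the rule's joiner; no conditions means no match."""
    results = [eval_pill(session, p) for p in rule.conditions]
    if not results:
        return False
    return all(results) if rule.joiner == "AND" else any(results)


def apply_rule(rule: AppRule, session: Dict[str, Any]) -> Dict[str, Any]:
    """Return the alert meta a match would produce, or {} when the rule does
    not match. The 'tactic'/'technique' key names are assumptions."""
    if not evaluate_rule(rule, session):
        return {}
    alert: Dict[str, Any] = {
        "session_id": session.get("session_id"),
        rule.meta_key: [rule.value],
        "severity": rule.severity,
        "forward": rule.forward,
        "persist": not rule.transient,
    }
    if rule.tactics:
        alert["tactic"] = list(rule.tactics)
    if rule.techniques:
        alert["technique"] = list(rule.techniques)
    return alert


def run_rules(rules: List[AppRule], sessions: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Apply every rule to every session and collect the alerts produced."""
    alerts = []
    for session in sessions:
        for rule in rules:
            alert = apply_rule(rule, session)
            if alert:
                alerts.append(alert)
    return alerts


# Constructed sample session meta (documentation-range addresses).
SAMPLE_SESSIONS = [
    {"session_id": 1, "ip.src": "10.0.0.5", "ip.dst": "203.0.113.10",
     "service": 80, "host": ["www.example.test"]},
    {"session_id": 2, "ip.src": "10.0.0.7", "ip.dst": "198.51.100.2",
     "service": 443},
    {"session_id": 3, "ip.src": "10.0.0.9", "service": 80},   # no ip.dst meta
]

# Constructed rule: HTTP service with a destination present, tagged for C2.
EXAMPLE_RULE = AppRule(
    name="http_to_external",
    value="http_to_external",
    conditions=[("service", "=", 80), ("ip.dst", "exists", None)],
    tactics=["Command and Control"],
    techniques=["T1071.001"],
    severity="Medium",
)

if __name__ == "__main__":
    for produced in run_rules([EXAMPLE_RULE], SAMPLE_SESSIONS):
        print(produced)
```

Switching `joiner` from `"AND"` to `"OR"` on the same two pills is the pill toggle the page describes: with AND only session 1 matches, with OR all three do, which is why the joiner deserves a second look before a rule is saved and the policy republished.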
