Global Policy Rules
Use global rules to automate an action on alerts of all alert types. You cannot use global rules to perform remediation tasks, and the search criteria are less specific than those available in the Threat Command Policy Rules.
You can create rules that will apply basic actions to all alerts, or to a subset of all alerts that meet defined criteria.
All rules include two sections:
- On which alerts to perform an action.
- What action to perform.
Rules will act on new alerts. After defining a new rule, you are given the option to include past alerts in the defined actions.
Create a global rule
You can create a rule that applies to all (or some) alerts.
To create a global rule:
From the Automation > Policy page, click All alert types.
Click the + sign.
Type a name for the rule.
The Alert Type tab enables you to define on which alert categories to perform an action. Only alerts in the selected type and subtype will match this rule.
Select all types or select specific alert types.
In the Types field, select the alert subcategories to match.
The Alert Profile tab enables you to further define on which alerts to perform an action.
Select alert severities that must be matched.
At least one severity must be selected.
Select other alert characteristics to match.
The Action tab defines the action to perform on alerts that match the defined criteria.
Select the actions to perform on matched alerts:
When prompted, you can include past alerts, even alerts that are closed.
When the rule is accepted, a confirmation message is displayed and the rule is shown in the Global rules list.
View current global rules
- From the Automation > Policy page, click All alert types.
- Rules that have already been defined are displayed in the Global rules list.
You can edit, duplicate, delete, and stop a rule. For more information, see Editing Policy Rules.