Global Policy Rules

Use global rules to automate an action on alerts of all alert types. You cannot use global rules to perform remediation tasks, and the search criteria are less specific than those available in the Threat Command Policy Rules.

You can create rules that will apply basic actions to all alerts, or to a subset of all alerts that meet defined criteria.

All rules include two sections:

  • On which alerts to perform an action.
  • What action to perform.

Rules will act on new alerts. After defining a new rule, you are given the option to include past alerts in the defined actions.

Create a global rule

You can create a rule that applies to all (or some) alerts.

To create a global rule:

  1. From the Automation > Policy page, click All alert types.

  2. Click the + sign.

  3. Type a name for the rule.
    The Alert Type tab enables you to define on which alert categories to perform an action. Only alerts in the selected type and subtype will match this rule.

  4. Select all types or select specific alert types.

  5. In the Types field, select the alert subcategories to match.

  6. Click Next.
    The Alert Profile tab enables you to further define on which alerts to perform an action.

  7. Select alert severities that must be matched.
    At least one severity must be selected.

  8. Select other alert characteristics to match.

  9. Click Next.
    The Action tab defines the action to perform on alerts that match the defined criteria.

  10. Select the actions to perform on matched alerts:

  11. Click Finish.

  12. When prompted, you can include past alerts, even alerts that are closed.
    When the rule is accepted, a confirmation message is displayed and the rule is shown in the Global rules list.

View current global rules

  • From the Automation > Policy page, click All alert types.
  • Rules that have already been defined are displayed in the Global rules list.

You can edit, duplicate, delete, and stop a rule. For more information, see Editing Policy Rules.