Configure a Threat Rule

Follow these steps to configure a Threat Rule:

1. Navigate to Configuration | Identify | Threat Rules.

2. Click + Add Rule.

3. For Name, enter a descriptive name for your new rule.

4. If you want the threat rule to show in reports, select the Show in Reports checkmark.

5. If you want the threat rule to count towards the overall Identity Posture Threat Score, select the Show in Impact Posture checkmark.

6. From the optional Aggregation Type drop-down, select maximum or weighted.

7. For Score, enter an impact number.

8. For Cyber Framework, specify the specific framework applying to this rule, for example, NIST CSF v2.0.

9. For Framework Control, enter the control name, for example, for NIST CSF v2.O, it could be PR.AA-03.

   NOTE

   Multiple framework references can be added for a given risk factor.

10. Click Add.

You may also edit an existing custom Threat Rule via the edit button. Default Threat Rules can't be edited.

Use the Rule Matches button to retrieve all accounts that match the specific rule. Rule matching is not available for aggregation rules.

Threat Rule Actions

Refer to the Integrate section to learn about actions based on threat rules.

NOTE

To activate the workflow and threat rule association, enable the Allow Workflow Trigger checkbox on the add/edit Threat Detection Rule modal.