Create entity rules
To create a valid rule:
Set at least one selection criterion.
Define an action for the rule.
You can select and configure these parameters under Rule name, Criteria selection, and Actions.
Create an entity rule
Required fields are marked with an asterisk ( * ).
Name the rule
To create a new entity rule:
In the left navigation bar, go to Data configuration > Rules > Entities.
Select Create rule + in the top left.
In the Create entity rule view, under Rule name enter a short and descriptive name for the rule.
It helps users understand what the rule does and what its purpose is.
In the Description field, enter a short description to clarify the purpose of the rule and the type of data it applies to.
This is helpful as the number of rules users create in the Intelligence Center grows over time. A short description provides context and is a reminder of why the rule is in place.
If you want to enable the rule immediately after saving it, select the Enabled checkbox.
Set selection criteria for the rule
In the Criteria selection section, define the data filtering criteria for the rule.
These settings filter the objects the rule acts on.
Select at least one criterion.
You can create complex filters by combining multiple criteria.
The available Criteria selection options that you can select and configure are:
To apply the rule only to specific entity types:
Click Criteria.
From the drop-down menu select Entity types.
Click Types to select one or more entity types to apply the rule to.
The rule applies the same actions to all selected entity types.
To remove a selection, go to the item(s) you want to remove, and click the cross icon.
To remove all selections at once, click the cross icon next to the drop-down menu arrow in the input field.
Alternatively, click Unselect all options.
To apply the rule only to entities matching specific content fields and values:
Click Criteria.
From the drop-down menu select Content criteria.
JSON path (Path)/regex (Value) key/value pairs define the content criteria the rule applies.
Under Path, from the drop-down menu select an option to define where in the entity data structure the rule filter should search for data matching the regex pattern.
The available options map to corresponding JSON paths in the JSON data structure representing entities in the Intelligence Center.
In the Value field, define a regex to specify the data pattern the rule should use to filter matching content.
Click Add or More to insert new rows or input fields, as necessary, where you can enter additional key/value pairs for JSON fields and corresponding content you want to add to the filter.
To remove a selection, go to the item(s) you want to remove, and click the cross icon.
To apply the rule only to entities originating from a specific data source:
Click Criteria.
From the drop-down menu select Sources.
From the Source drop-down menu, select the data source for the filter.
Data sources can be existing incoming feeds and enrichers, as well as existing Intelligence Center user groups.
To remove a selection, go to the item(s) you want to remove, and click the cross icon.
To apply the rule only to entities matching a specific TLP color code:
Click Criteria.
From the drop-down menu select TLPs.
From the TLPs drop-down menu, select one or more TLP color codes to apply to the filter.
The TLP filter returns exact matches.
The Boolean operator linking multiple TLP filter selections is OR: matching entities are flagged with any of the TLP color code values selected in the filter.
To remove a selection, go to the item(s) you want to remove, and click the cross icon.
To remove all selections at once, click the cross icon next to the drop-down menu arrow in the input field.
Alternatively, click Unselect all options.
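As an added example (not code from this page or from the Intelligence Center), the following Python sketches how a rule's criteria are evaluated against entities: criteria of different kinds are combined with AND, the TLP list is an exact-match OR, and Content criteria are JSON path/regex pairs. It also encodes the validity checks this page states (at least one criterion, at least one action, and Merge similar not combinable with other actions). The entity layout, the dotted path syntax, the rule dictionary keys, and the treatment of multiple content rows as AND with an unanchored regex search are assumptions made for this example.

```python
import re
from typing import Any

# Constructed sample entities. The field layout (type, source, tlp, data.*) is an
# assumption made for this example and is not the Intelligence Center's real schema.
ENTITIES = [
    {"id": 1, "type": "indicator", "source": "feed-a", "tlp": "amber",
     "data": {"title": "Malicious domain: evil.example"}},
    {"id": 2, "type": "indicator", "source": "feed-b", "tlp": "red",
     "data": {"title": "Malicious IP: 192.0.2.10"}},
    {"id": 3, "type": "report", "source": "feed-a", "tlp": "green",
     "data": {"title": "Weekly domain summary"}},
    {"id": 4, "type": "indicator", "source": "feed-a", "tlp": "green",
     "data": {"title": "Suspicious domain: test.example"}},
]


def resolve_path(obj: Any, path: str) -> Any:
    """Walk a dotted JSON path such as "data.title"; None if a segment is missing."""
    cur = obj
    for segment in path.split("."):
        if not isinstance(cur, dict) or segment not in cur:
            return None
        cur = cur[segment]
    return cur


def validate_rule(rule: dict) -> list[str]:
    """Return the problems that would make the rule invalid (empty list = valid)."""
    problems = []
    criteria = rule.get("criteria", {})
    if not any(criteria.get(k) for k in ("entity_types", "content", "sources", "tlps")):
        problems.append("set at least one selection criterion")
    actions = rule.get("actions", [])
    if not actions:
        problems.append("define at least one action")
    if "merge_similar" in actions and len(actions) > 1:
        problems.append("Merge similar cannot be combined with other actions")
    return problems


def matches(entity: dict, criteria: dict) -> bool:
    """All configured criteria must hold (AND); inside the TLP list the operator is OR."""
    types = criteria.get("entity_types")
    if types and entity.get("type") not in types:
        return False
    sources = criteria.get("sources")
    if sources and entity.get("source") not in sources:
        return False
    tlps = criteria.get("tlps")
    if tlps and entity.get("tlp") not in tlps:  # exact match, OR across the list
        return False
    # Content criteria: every Path/Value row must find its regex in the addressed field.
    # Treating multiple rows as AND and using an unanchored search are assumptions.
    for row in criteria.get("content", []):
        value = resolve_path(entity, row["path"])
        if value is None or not re.search(row["value"], str(value)):
            return False
    return True


def select_entities(entities: list[dict], rule: dict) -> list[int]:
    """IDs of the entities the rule's actions would be applied to."""
    problems = validate_rule(rule)
    if problems:
        raise ValueError("; ".join(problems))
    return [e["id"] for e in entities if matches(e, rule["criteria"])]


# A constructed rule: indicators from feed-a, TLP amber or green, title mentioning "domain".
RULE = {
    "name": "tag-feed-a-domains",
    "criteria": {
        "entity_types": ["indicator"],
        "content": [{"path": "data.title", "value": r"(?i)\bdomain\b"}],
        "sources": ["feed-a"],
        "tlps": ["amber", "green"],
    },
    "actions": ["add_tags"],
}

if __name__ == "__main__":
    print(select_entities(ENTITIES, RULE))  # [1, 4]
```

Entity 2 is excluded by its source, entity 3 by its type; entities 1 and 4 satisfy every criterion, so only they would receive the rule's actions.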
Define actions for the rule
In the Actions section, define the type of action the rule applies to entities matching the filtering criteria.
Select at least one action.
You can combine multiple actions to create a processing pipeline.
However, it is not possible to combine Merge similar with other actions.
The available Actions that you can select and configure are:
To add one or more tags to entities:
Click Actions.
From the drop-down menu select Add tags.
All entities matching all the conditions defined under Criteria selection are tagged with all selected tags.
Under Tags, click Add tags to select the tags you want to automatically tag the entities with.
In the Edit tags pop-up dialog, from the drop-down menu select one or more tags to automatically assign them to the entities matching the rule filtering criteria.
You can select predefined taxonomy tags that follow the Admiralty code system or the Kill chain model, any existing free tags, or start typing new free tags on the fly.
Use the search field to look for specific tags among the selected ones.
To remove a selection, go to the item(s) you want to remove, and click the cross icon.
To remove all selections at once, click the cross icon next to the drop-down menu arrow in the input field.
Alternatively, click Unselect all options.
Click Save to store the selection.
To edit the tag selection, click Edit tags.
To remove a selected action from the rule configuration, click the corresponding icon.
To add entities to one or more datasets:
Click Actions.
From the drop-down menu select Add to dataset.
All entities matching all the conditions defined under Criteria selection are added to the selected datasets.
From the Datasets drop-down menu, select one or more datasets to which the entities matching the rule criteria are added.
To remove a selection, go to the item(s) you want to remove, and click the cross icon.
To remove all selections at once, click the cross icon next to the drop-down menu arrow in the input field.
Alternatively, click Unselect all options.
To remove a selected action from the rule configuration, click the corresponding icon.
To use named capturing groups and backreferences to give entities one or more alternative title aliases:
This action is useful when the same entity has been given different titles in various incoming feeds.
Click Actions.
From the drop-down menu select Set alias.
All entities matching all the conditions defined under Criteria selection are assigned a title alias based on the specified regex pattern, variable names, and formatting template for the title alias.
In the Title parsing pattern input field, enter a version of the title where (?P<name>regex) Python-syntax expressions define data patterns for matching text strings in the title.
You can reference a named group in the alias by its variable name between chevron brackets ( < > ).
In the Alias formatting template input field, enter a string to format the title alias.
Reference named group variables in the title alias template as needed.
To remove a selected action from the rule configuration, click the corresponding icon.
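As an added example (not code from this page or from the Intelligence Center), the following Python shows the mechanics behind the Set alias action: a title parsing pattern with Python-syntax (?P<name>regex) groups is matched against the title, and each <name> reference in the alias formatting template is replaced with the captured text. The sample titles, the pattern, the template, and the choice to match the pattern against the whole title (re.fullmatch) are assumptions made here; a title that does not fit the pattern gets no alias, and a template that references a group the pattern does not define is rejected.

```python
import re

# Constructed titles, as two feeds might name the same threat actor differently.
TITLES = [
    "Example Bear (aka GROUP-1)",
    "GROUP-1 activity report",  # does not fit the parsing pattern below
]

# Title parsing pattern with Python-syntax named groups, and the alias template
# that references those groups between chevron brackets (both constructed here).
PATTERN = r"(?P<name>[\w ]+?) \(aka (?P<alias>[\w-]+)\)"
TEMPLATE = "<alias> / <name>"

# Matches a <name> reference inside the alias formatting template.
_REF = re.compile(r"<(\w+)>")


def set_alias(title: str, pattern: str, template: str):
    """Return the alias for one title, or None when the title does not match.

    Matching the pattern against the whole title (re.fullmatch) is an assumption
    made for this example; the page only says the pattern is "a version of the title".
    """
    match = re.fullmatch(pattern, title)
    if match is None:
        return None
    groups = match.groupdict()

    def lookup(ref: re.Match) -> str:
        name = ref.group(1)
        if name not in groups:
            raise ValueError(f"template references unknown group <{name}>")
        return groups[name] or ""  # an optional group that did not participate becomes ""

    return _REF.sub(lookup, template)


def apply_set_alias(titles, pattern: str, template: str) -> dict:
    """Map every title to its alias (None where the pattern did not match)."""
    return {title: set_alias(title, pattern, template) for title in titles}


if __name__ == "__main__":
    for title, alias in apply_set_alias(TITLES, PATTERN, TEMPLATE).items():
        print(f"{title!r} -> {alias!r}")
```

With the constructed inputs, the first title yields the alias "GROUP-1 / Example Bear", while the second produces no alias because it does not match the parsing pattern.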
To merge similar entities to a master entity:
Click Actions.
From the drop-down menu select Merge similar.
All entities matching all the conditions defined under Criteria selection are merged into a master entity.
Under Master entity, click Add to select the master entity that all similar entities should be merged into.
In the Search an entity pop-up dialog, search for an entity to use it as a master:
Click an entity on the overview list to select it as the master entity.
Enter search terms, search queries, or JSON paths in the search field.
Apply quick filters to look for specific entity types; or entities from specific incoming feeds, enrichers, or datasets; or entities ingested within a given time range.
To confirm your master entity selection, click Select.
To remove a selected action from the rule configuration, click the corresponding icon.
For more information on entity merge rules, see About merging entities.
Use entity merging with caution: it is not possible to undo a merge action.
All merged entities disappear: they are not indexed, and therefore they are not searchable through the GUI.
They persist in the main data storage (PostgreSQL): to search these entities, run a SQL query in PostgreSQL.
Save the rule
To store your changes, click Save; to discard them, click Cancel.
To access additional save options, click the down arrow on the Save button:
Click Save and new to save the current data or configuration for the item you are working on, and to create a new item of the same type right away.
For example, a new dataset, feed, policy, rule, task, or workspace.
Click Save and duplicate to save the current data for the item you are working on, and to create a new prepopulated copy of the same item, which you can use as a template or blueprint to speed up repetitive manual work.