The ASE product has a number of pre-defined rules that aim to automate common tasks that a security analyst would often perform manually. The rules govern how threat objects will be shared between the core products that are licensed in your account.
The rules are centrally managed by the ASE product and need no configuration beyond being enabled where required. Enabled rules can take preventative measures to stop threats from spreading by sharing the threat object detail, at machine speed, with other products that are able to use it.
To manage rules, navigate to Products, ASE and then Rules.
Rules can be set to one of the following modes of operation:
- Disabled - the rule is not active. Matching threat objects will be ignored; however, they will still be logged in the Threats and Analytics sections.
- Notify Only - the rule is active but will not take any action. Any configured recipients will be notified.
- Enabled - the rule is active and will share threat objects with related products as per the rule description. Additionally, any configured recipients will be notified.
To add a recipient to receive notifications for a rule:
- Click the cog (settings) icon next to the rule name to open the notifications panel
- Click the Add button
- Select the type of notification, which can be SMS or Email, and then the corresponding recipient phone number (including international code) or email address.
- Click Update
The next time the rule is triggered the recipient(s) will receive a notification containing a link to the event report.
To edit a recipient that receives notifications for a rule, double-click the entry in the notifications list.
Notifications are sent in real time as soon as the rule is triggered. The notification will summarise the event and contain a link to open a more detailed Event Report. An example SMS notification is below: