Configure a Ruleset

As its name implies, a ruleset is a set of rules that tells us which events you want to be alerted on.

Go to Configuration > Rulesets to tell us which events you want to be alerted on. You can monitor changes to hosts, vulnerabilities, tickets, ports and certificates.

Permissions

The Manager role has all the permissions to create, edit, view, and delete rulesets. The Reader, Unit Manager, and Remediation user roles have permission to view rulesets.

How do I add rules to the ruleset?

It's easy. Choose a rule type on the left and drag it to the right, then set the rule criteria. Be as specific as you want when setting rule criteria. For example, you may want to be notified for all new vulnerabilities or only new vulnerabilities on Windows hosts with a patch available. For some rule criteria, you can choose the option "Matches RegEx" and then provide a regular expression to match. To make a regular expression match case insensitive, include (?i) at the start of the regular expression. See sample rules below.

AND is used within a rule: every criterion must match. For example, get an alert for a vulnerability whose status is New or Reopened AND whose severity is 5 AND which has a patch available.

OR is used between multiple rules. For example, get an alert for a newly opened port OR expired certificate OR new host.

OR is used between multiple Threat Protection RTIs (when available in your subscription). For example, get an alert for a vulnerability that matches Zero Day OR Public Exploit.

Sample Rules

Check out these examples to get some ideas:

Sample 1 - PCI vulnerabilities

Sample 2 - Expired certificates

Sample 3 - Open ports on Linux hosts

Sample 4 - FTP running on non-standard port

Sample 5 - Case Insensitive RegEx Match for Operating System
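The combination logic above (AND inside a rule, OR between rules, OR between RTIs) and Samples 4 and 5, modelled as an added Python example; this is not Qualys code, and the event field names and RTI names are assumptions.

```python
import re
from dataclasses import dataclass, field

# Assumed model of the logic the page describes: criteria inside a rule are
# ANDed, rules inside a ruleset are ORed, and Threat Protection RTIs named in
# a rule are ORed among themselves. Field names and RTI names are assumptions.

@dataclass
class Rule:
    name: str
    criteria: dict                             # field -> value, list of values, or ("regex", pattern)
    rtis: list = field(default_factory=list)   # alert if ANY listed RTI is present

def criterion_matches(value, spec):
    if isinstance(spec, tuple) and spec[0] == "regex":
        # the pattern is used as typed; a leading (?i) makes it case-insensitive
        return re.search(spec[1], str(value)) is not None
    if isinstance(spec, (list, set)):
        # several allowed values for one field, e.g. status New or Reopened
        return value in spec
    return value == spec

def rule_matches(rule, event):
    # AND: every criterion must hold
    if not all(criterion_matches(event.get(k), s) for k, s in rule.criteria.items()):
        return False
    # OR across the rule's RTIs, checked only when the rule lists any
    return not rule.rtis or any(r in event.get("rtis", ()) for r in rule.rtis)

def matching_rules(ruleset, event):
    # OR across rules: each rule that fires would raise its own alert
    return [r.name for r in ruleset if rule_matches(r, event)]

# Constructed ruleset mirroring the page's examples (Samples 4 and 5 included)
RULESET = [
    Rule("sev5 vuln with patch", {"type": "vulnerability", "status": ["New", "Reopened"],
                                  "severity": 5, "patch_available": True}),
    Rule("zero day or public exploit", {"type": "vulnerability"},
         rtis=["Zero_Day", "Public_Exploit"]),
    Rule("ftp on non-standard port", {"type": "port", "service": ("regex", r"(?i)^ftp$"),
                                      "port": ("regex", r"^(?!21$)\d+$")}),
    Rule("windows host", {"type": "host", "os": ("regex", r"(?i)windows")}),
]

if __name__ == "__main__":
    # constructed events: the second FTP event is on the standard port, so no alert
    for ev in [{"type": "port", "service": "FTP", "port": "2121"},
               {"type": "port", "service": "ftp", "port": "21"},
               {"type": "host", "os": "Microsoft Windows Server 2019"}]:
        print(ev, "->", matching_rules(RULESET, ev))
```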

Quick Links

Manage Your Rulesets | View Your Alerts | Threat Protection RTI