Kindling

Rules Engine

Custom scoring rules for evidence-based threat assessment

Rules stored in GCS · 0 rules loaded · Changes persist automatically


How Rules Work

Rules evaluate finding evidence (commands, users, hosts, etc.) against patterns to identify known benign activity like security tools, IT software, and approved operations.

When a rule matches, it can:

  • Mark as Benign - Reduces the score multiplier significantly (e.g., 0.1x, a 90% reduction)
  • Mark as Authorized - Flags the activity as approved
  • Reduce Score - Subtracts a fixed number of points from the priority score
  • Multiply Score - Applies a multiplier to the priority score

When several rules match the same finding, their effects are combined: all multipliers are multiplied together (the combined multiplier never drops below 0.05), and all score adjustments are summed.
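As an added example that is not part of the Kindling page or its code, the following Python models the combination logic described above. The rule fields, the regex matching of evidence fields, and the order in which the combined multiplier and the summed adjustments are applied to the base score are assumptions; only the combination semantics (multipliers multiplied, floored at 0.05; adjustments summed) come from the page.

```python
import re
from dataclasses import dataclass

# Constructed model of rule combination; rule layout and matching are assumptions.
MIN_MULTIPLIER = 0.05  # floor stated on the page


@dataclass
class Rule:
    name: str
    field_name: str           # evidence field to inspect: "command", "user", "host"
    pattern: str              # regular expression matched against that field
    multiplier: float = 1.0   # "Mark as Benign" / "Multiply Score" actions
    adjustment: float = 0.0   # "Reduce Score" action (negative = subtract points)
    authorized: bool = False  # "Mark as Authorized" action


def matching_rules(finding: dict, rules: list[Rule]) -> list[Rule]:
    """Return every rule whose pattern matches its evidence field in the finding."""
    return [
        rule for rule in rules
        if re.search(rule.pattern, finding.get(rule.field_name, ""), re.IGNORECASE)
    ]


def score_finding(finding: dict, rules: list[Rule]) -> dict:
    """Combine all matching rules and apply them to the finding's base score."""
    hits = matching_rules(finding, rules)
    multiplier, adjustment = 1.0, 0.0
    for rule in hits:
        multiplier *= rule.multiplier    # multipliers are multiplied together
        adjustment += rule.adjustment    # score adjustments are summed
    multiplier = max(multiplier, MIN_MULTIPLIER)
    # Assumption: multiplier first, then adjustments; a score never goes below 0.
    final = max(0.0, finding["score"] * multiplier + adjustment)
    return {
        "score": round(final, 2),
        "multiplier": multiplier,
        "adjustment": adjustment,
        "authorized": any(r.authorized for r in hits),
        "matched": [r.name for r in hits],
    }


# Constructed sample rules and finding (hypothetical paths, users and hosts).
RULES = [
    Rule("edr-sensor", "command", r"^/opt/edr/sensor\b", multiplier=0.1),
    Rule("backup-svc", "user", r"^svc_backup$", multiplier=0.2),
    Rule("build-fleet", "host", r"^build-", adjustment=-3, authorized=True),
]
FINDING = {"score": 100, "command": "/opt/edr/sensor --scan /",
           "user": "svc_backup", "host": "build-07"}
```

With the constructed finding, two benign multipliers (0.1 x 0.2 = 0.02) are floored to 0.05 before the -3 adjustment is applied, so the score drops from 100 to 2.0.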