scoutTHREAT - TICE: Adding Rules with Rule Builder
Written by Benjamin Dewey
Updated over a week ago

Follow these steps:

1. In the TICE Module, navigate to Rule Manager.

2. If any rules already exist, they will load on the page.

3. Next, click on add rule.

4. New rules automatically get a checkmark to the Activate box. If you do not want the rule to apply right away, uncheck the box.

5. Give your rule a name that can identity its purpose.

6. Next, select from the Rule action drop-down if the rule is set to automatically Approve or Reject the intelligence data.

7. Next, click on Add Rule.

8. You will see two drop-down menus. When you click on the first drop-down, a list of options:


  • Source ID - This is an ID number that identifies an intelligence feed. In this example, you would add the Source ID for the AlienVault feed. Source ID numbers can be provided to you by LookingGlass.

  • Source Name- You can also add the name of the feed here if you do not have the Source ID for it.


  • Audit - Select Audit if you would like intelligence items from a specific creator (tenant).


  • Type - Choose Type to **Approve** (or **Reject**) specific object types (e.g., Threat actor, malware, campaign, etc.)

  • Name - You can also specify the intelligence item you want or do not want by its name (e.g., "EternalBlue," "WannaCry," "DigiHacks," etc.)

  • Description - If you have a short one-line description of the data item you want, choose Description.


  • Equal - Usage example: *"Name" Equals "WannaCry"* This rule will return any intelligence that has the name *WannaCry*.

  • Contains - Usage example: *"Type" Contains "Malware"* This rule will return any intelligence that contains the term *Malware*.

  • Matches - Usage example: *"Creator" Matches "65yrdh7365hsjs75djd_ueeue87"* This rule will return intelligence data from the Creator matching the UUI number.

  • Equal Ignore Case - Use this value to ignore the case of the item you want.

9. Finally, add a Description** about the rule and click Save.

Once saved, the rule will be activated and begin to sort through the intelligence data. To deactivate it, click on its name from the Rule Manager page and uncheck the Active box, then click Save Rule.

Related Content


Did this answer your question?