LookingGlass Cyber

1. In the TICE Module, navigate to Rule Manager.

2. If any rules already exist, they will load on the page.

4. New rules automatically get a checkmark to the Activate box. If you do not want the rule to apply right away, uncheck the box.

5. Give your rule a name that can identity its purpose.

6. Next, select from the Rule action drop-down if the rule is set to automatically Approve or Reject the intelligence data.

8. You will see two drop-down menus. When you click on the first drop-down, a list of options: 

Source ID - This is an ID number that identifies an intelligence feed. In this example, you would add the Source ID for the AlienVault feed. Source ID numbers can be provided to you by LookingGlass.

Source Name- You can also add the name of the feed here if you do not have the Source ID for it.

- Source ID - This is an ID number that identifies an intelligence feed. In this example, you would add the Source ID for the AlienVault feed. Source ID numbers can be provided to you by LookingGlass.
- Source Name- You can also add the name of the feed here if you do not have the Source ID for it.

Audit - Select Audit if you would like intelligence items from a specific creator (tenant).

- Audit - Select Audit if you would like intelligence items from a specific creator (tenant).

Type - Choose Type to **Approve** (or **Reject**) specific object types (e.g., Threat actor, malware, campaign, etc.)

Name - You can also specify the intelligence item you want or do not want by its name (e.g., "EternalBlue," "WannaCry," "DigiHacks," etc.)

Description - If you have a short one-line description of the data item you want, choose Description.

- Type - Choose Type to **Approve** (or **Reject**) specific object types (e.g., Threat actor, malware, campaign, etc.)
- Name - You can also specify the intelligence item you want or do not want by its name (e.g., "EternalBlue," "WannaCry," "DigiHacks," etc.)
- Description - If you have a short one-line description of the data item you want, choose Description.

Equal - Usage example: *"Name" Equals "WannaCry"* This rule will return any intelligence that has the name *WannaCry*.

Contains - Usage example: *"Type" Contains "Malware"* This rule will return any intelligence that contains the term *Malware*.

Matches - Usage example: *"Creator" Matches "65yrdh7365hsjs75djd_ueeue87"* This rule will return intelligence data from the Creator matching the UUI number.

Equal Ignore Case - Use this value to ignore the case of the item you want.

- Equal - Usage example: *"Name" Equals "WannaCry"* This rule will return any intelligence that has the name *WannaCry*.
- Contains - Usage example: *"Type" Contains "Malware"* This rule will return any intelligence that contains the term *Malware*.
- Matches - Usage example: *"Creator" Matches "65yrdh7365hsjs75djd_ueeue87"* This rule will return intelligence data from the Creator matching the UUI number.
- Equal Ignore Case - Use this value to ignore the case of the item you want.

9. Finally, add a Description** about the rule and click Save.

Once saved, the rule will be activated and begin to sort through the intelligence data. To deactivate it, click on its name from the Rule Manager page and uncheck the Active box, then click Save Rule.

___________________________________________________________

<a href="https://support.lookingglasscyber.com/en/articles/6177484-scoutthreat-tice-overview" target="_blank">The Threat Intelligence Collaboration Environment (TICE)</a>

<a href="https://support.lookingglasscyber.com/en/articles/6177490-scoutthreat-tice-login" target="_blank">TICE Login</a>

<a href="https://support.lookingglasscyber.com/en/articles/6177495-scoutthreat-the-tice-homepage" target="_blank">The TICE Homepage</a>

<a href="https://support.lookingglasscyber.com/en/articles/6177499-scoutthreat-the-tice-module-validation-process" target="_blank">The TICE Module Validation Process</a>

<a href="https://support.lookingglasscyber.com/en/articles/6177501-scoutthreat-tice-workflow-example" target="_blank">TICE Workflow Example</a>

- <a href="https://support.lookingglasscyber.com/en/articles/6177512-scoutthreat-updating-scoutthreat-objects-with-new-tice-information" target="_blank">Updating scoutTHREAT Objects with New TICE Information</a>
- <a href="https://support.lookingglasscyber.com/en/articles/6177517-scoutthreat-validating-and-adding-new-tice-intelligence-to-scoutthreat" target="_blank">Validating and Adding New TICE Intelligence to scoutTHREAT</a>

<a href="https://support.lookingglasscyber.com/en/articles/6177529-scoutthreat-sharing-to-tice" target="_blank">Sharing to TICE</a>

<a href="https://support.lookingglasscyber.com/en/articles/6177540-scoutthreat-steps-for-sharing-intelligence-to-tice" target="_blank">Steps for Sharing Intelligence to TICE</a>

<a href="https://support.lookingglasscyber.com/en/articles/6177545-scoutthreat-the-tice-rule-manager" target="_blank">The TICE Rule Manager</a>

- <a href="https://support.lookingglasscyber.com/en/articles/6177560-scoutthreat-tice-adding-rules-manually" target="_blank">Adding Rules Manually</a>
- <a href="https://support.lookingglasscyber.com/en/articles/6177563-scoutthreat-tice-jxel-for-creating-rule-conditions" target="_blank">JXEL for Creating Rule Conditions</a>

<a href="https://support.lookingglasscyber.com/en/articles/6177571-scoutthreat-tice-metrics-and-audits" target="_blank">Metrics and Audits</a>

- <a href="https://support.lookingglasscyber.com/en/articles/6177484-scoutthreat-tice-overview" target="_blank">The Threat Intelligence Collaboration Environment (TICE)</a>
- <a href="https://support.lookingglasscyber.com/en/articles/6177490-scoutthreat-tice-login" target="_blank">TICE Login</a>
- <a href="https://support.lookingglasscyber.com/en/articles/6177495-scoutthreat-the-tice-homepage" target="_blank">The TICE Homepage</a>
- <a href="https://support.lookingglasscyber.com/en/articles/6177499-scoutthreat-the-tice-module-validation-process" target="_blank">The TICE Module Validation Process</a>
- <a href="https://support.lookingglasscyber.com/en/articles/6177501-scoutthreat-tice-workflow-example" target="_blank">TICE Workflow Example</a>
- Validating Intelligence Items
 - <a href="https://support.lookingglasscyber.com/en/articles/6177512-scoutthreat-updating-scoutthreat-objects-with-new-tice-information" target="_blank">Updating scoutTHREAT Objects with New TICE Information</a>
 - <a href="https://support.lookingglasscyber.com/en/articles/6177517-scoutthreat-validating-and-adding-new-tice-intelligence-to-scoutthreat" target="_blank">Validating and Adding New TICE Intelligence to scoutTHREAT</a>
- <a href="https://support.lookingglasscyber.com/en/articles/6177529-scoutthreat-sharing-to-tice" target="_blank">Sharing to TICE</a>
- <a href="https://support.lookingglasscyber.com/en/articles/6177540-scoutthreat-steps-for-sharing-intelligence-to-tice" target="_blank">Steps for Sharing Intelligence to TICE</a>
- <a href="https://support.lookingglasscyber.com/en/articles/6177545-scoutthreat-the-tice-rule-manager" target="_blank">The TICE Rule Manager</a>
 - <a href="https://support.lookingglasscyber.com/en/articles/6177560-scoutthreat-tice-adding-rules-manually" target="_blank">Adding Rules Manually</a>
 - <a href="https://support.lookingglasscyber.com/en/articles/6177563-scoutthreat-tice-jxel-for-creating-rule-conditions" target="_blank">JXEL for Creating Rule Conditions</a>
- <a href="https://support.lookingglasscyber.com/en/articles/6177571-scoutthreat-tice-metrics-and-audits" target="_blank">Metrics and Audits</a>

<a href="https://support.lookingglasscyber.com/en/articles/6177471-scoutthreat-user-documentation-table-of-contents" target="_blank">scoutTHREAT User Documentation Table of Contents</a>