Similar to the other discuss thread that I just put out about field
transformations, I wanted to get some community impressions for how to
handle triage rule failure.

Currently, if a threat triage rule fails with an exception or returns a
non-boolean, an error is thrown and no triage happens.  I wanted to see
what y'all think the proper behavior should be:

   1. Apply no threat triage rule, log error and send message through
   untriaged, but with is_alert set to true
   2. Skip the individual threat triage rule, log error and send the
   message through triaged sans broken rule(s).




Reply via email to