Similar to the other discuss thread that I just put out about field
transformations, I wanted to get some community impressions of how to
handle triage rule failure.
Currently, if a threat triage rule fails with an exception or returns a
non-boolean, an error is thrown and no triage happens. I wanted to see
what y'all think the proper behavior should be:
1. Apply no threat triage rule, log error and send message through
untriaged, but with is_alert set to true
2. Skip the individual threat triage rule, log error and send the
message through triaged sans broken rule(s).
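To make the two options concrete, here is an added toy model (example code written for this page, not code from the project under discussion) that evaluates a set of triage rules against a message and applies each failure policy in turn. Rules are plain callables returning a boolean, a rule that raises or returns a non-boolean counts as broken, and the names `triage_fail_open`, `triage_skip_broken`, `TriageResult`, the `threat_score` and `triage_failed_rules` fields, the weights and the sample rules and message are all assumptions made for the illustration.

```python
"""Toy model of two failure policies for threat triage rules.

Constructed example, not project code. Option 1: any broken rule aborts
triage and the message passes untriaged with is_alert forced to True.
Option 2: broken rules are logged and skipped; the score is built from the
rules that evaluated cleanly.
"""
import logging
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List, Optional, Tuple

log = logging.getLogger("triage")

# A rule is a callable over the message dict that should return a bool.
Rule = Callable[[Dict[str, Any]], Any]
# Each rule carries a weight added to the score when the rule fires (assumed).
RuleTable = Dict[str, Tuple[Rule, float]]


@dataclass
class TriageResult:
    message: Dict[str, Any]
    score: Optional[float]                      # None when triage was aborted
    failed_rules: List[str] = field(default_factory=list)
    triaged: bool = True


def _evaluate(name: str, rule: Rule, message: Dict[str, Any]) -> Tuple[bool, bool]:
    """Run one rule. Returns (ok, fired); exceptions and non-booleans are failures."""
    try:
        value = rule(message)
    except Exception as exc:                    # broad on purpose: rule code is untrusted
        log.error("rule %s raised %r", name, exc)
        return False, False
    if not isinstance(value, bool):             # note: bool is the only accepted type
        log.error("rule %s returned non-boolean %r", name, value)
        return False, False
    return True, value


def triage_fail_open(message: Dict[str, Any], rules: RuleTable) -> TriageResult:
    """Option 1: if any rule is broken, apply no triage, log, force is_alert=True."""
    score, failed = 0.0, []
    for name, (rule, weight) in rules.items():
        ok, fired = _evaluate(name, rule, message)
        if not ok:
            failed.append(name)                 # keep going so every failure is logged
        elif fired:
            score += weight
    if failed:
        return TriageResult(dict(message, is_alert=True), None, failed, triaged=False)
    return TriageResult(dict(message, is_alert=score > 0, threat_score=score), score, failed)


def triage_skip_broken(message: Dict[str, Any], rules: RuleTable) -> TriageResult:
    """Option 2: skip each broken rule, log it, triage with the remaining rules."""
    score, failed = 0.0, []
    for name, (rule, weight) in rules.items():
        ok, fired = _evaluate(name, rule, message)
        if not ok:
            failed.append(name)
            continue
        if fired:
            score += weight
    out = dict(message, is_alert=score > 0, threat_score=score,
               triage_failed_rules=failed)      # assumed field: makes the skip visible downstream
    return TriageResult(out, score, failed)


# Constructed sample rules: one sound, one that raises, one that returns a non-bool.
RULES: RuleTable = {
    "known_bad_ip": (lambda m: m.get("ip_dst_addr") in {"203.0.113.7"}, 10.0),
    "missing_field": (lambda m: m["nonexistent"] > 5, 5.0),   # KeyError on this message
    "bad_type": (lambda m: m.get("bytes", 0), 3.0),            # returns int, not bool
}

# Constructed sample message.
SAMPLE = {"ip_dst_addr": "203.0.113.7", "bytes": 42}

if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    print(triage_fail_open(SAMPLE, RULES))
    print(triage_skip_broken(SAMPLE, RULES))
```

The difference shows up on the same message: under option 1 the two broken rules abort triage and the message leaves with `is_alert` set and no score, while under option 2 the sound rule still fires and the message carries a score plus a record of which rules were skipped, so whichever policy is chosen the failure stays observable rather than being dropped.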