Similar to the other discussion thread that I just put out about field transformations, I wanted to get some community impressions for how to handle triage rule failure.
Currently, if a threat triage rule fails with an exception or returns a non-boolean, an error is thrown and no triage happens. I wanted to see what y'all think the proper behavior should be:

1. Apply no threat triage rule, log the error and send the message through untriaged, but with is_alert set to true.
2. Skip the individual threat triage rule, log the error and send the message through triaged sans the broken rule(s).

Thoughts?

Best,
Casey
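An illustrative model of the two options side by side, added here as an example and not code from the project under discussion; the rule shape (name, predicate, score), the output field names other than is_alert, and the max-score aggregation are assumptions:

```python
import logging
from enum import Enum
log = logging.getLogger("threat_triage")

class FailurePolicy(Enum):
    NO_TRIAGE_ALERT = 1  # option 1: abandon triage, but force is_alert=True
    SKIP_RULE = 2        # option 2: drop only the broken rule(s), triage the rest

class RuleFailure(Exception):
    """A rule raised an exception or returned something other than a bool."""

def evaluate_rule(name, predicate, message):
    try:
        result = predicate(message)
    except Exception as exc:  # whatever the rule body throws
        raise RuleFailure(f"{name}: raised {exc!r}") from exc
    if not isinstance(result, bool):
        raise RuleFailure(f"{name}: returned non-boolean {result!r}")
    return result

def triage(message, rules, policy):
    """rules: list of (name, predicate, score); returns an enriched copy of message."""
    out = dict(message)
    matched, skipped = [], []
    for name, predicate, score in rules:
        try:
            if evaluate_rule(name, predicate, out):
                matched.append((name, score))
        except RuleFailure as failure:
            log.error("threat triage rule failed: %s", failure)
            if policy is FailurePolicy.NO_TRIAGE_ALERT:
                out["is_alert"] = True  # untriaged, but never silently dropped
                out["triage_failed_rule"] = name
                return out
            skipped.append(name)  # option 2: record it and keep going
    # Assumed aggregation: highest score among matching rules (a simplification)
    out["threat_score"] = max((s for _, s in matched), default=0.0)
    out["is_alert"] = bool(matched)
    out["triage_rules"] = [n for n, _ in matched]
    out["triage_skipped"] = skipped
    return out

# Constructed sample rules: one sound, one that raises, one that returns a string
SAMPLE_RULES = [
    ("ssh_dst", lambda m: m["ip_dst_port"] == 22, 10.0),
    ("missing_field", lambda m: m["no_such_field"] > 1, 50.0),
    ("string_result", lambda m: "yes", 5.0),
]
SAMPLE_MESSAGE = {"ip_src_addr": "10.0.0.5", "ip_dst_port": 22}
```

Under option 2 the same message still gets scored by the one sound rule, with the two broken rules recorded in triage_skipped; under option 1 it is marked is_alert at the first failure and carries no score at all.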