Can I vote for neither? I believe that is_alert is primarily intended for use by a SOC Analyst (assumed level 1) before it gets passed to a SOC Investigator, Forensic Investigator, etc., and that a message which failed a threat triage rule should instead come to the attention of the SOC Investigator role directly (although I could see an argument for it being addressed by other roles).
I don't have a solution here, just a presentation of the problem as I see it. I feel like adding is_alert would add noise to the SOC Analyst's view, but they don't necessarily have the skill set to resolve the issue. Has there been any discussion around different types of is_alert, such as ones only relevant to a certain role?

Jon

On Mon, Oct 17, 2016 at 12:21 PM Casey Stella <[email protected]> wrote:

> Similar to the other discuss thread that I just put out about field transformations, I wanted to get some community impressions for how to handle triage rule failure.
>
> Currently, if a threat triage rule fails with an exception or returns a non-boolean, an error is thrown and no triage happens. I wanted to see what y'all think the proper behavior should be:
>
> 1. Apply no threat triage rule, log error and send message through untriaged, but with is_alert set to true
> 2. Skip the individual threat triage rule, log error and send the message through triaged sans broken rule(s).
>
> Thoughts?
>
> Best,
> Casey

-- 
Jon
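As an added illustration (not code from Apache Metron or from either poster), here is a small Python model of the three behaviours in Casey's message: the current abort-on-failure, option 1 (no triage, is_alert forced true) and option 2 (skip only the broken rule). The rule shape (name, predicate, score), the field names threat.triage.score and threat.triage.errors, and the convention that a positive score sets is_alert are assumptions of the example. It also records which rules failed on the message, which is one way to let a downstream consumer route such messages to the investigator role Jon mentions without overloading is_alert.

```python
# Added illustration of the failure policies discussed in the thread. It is not
# Apache Metron's code: the rule shape (name, predicate, score), the field names
# "threat.triage.score" / "threat.triage.errors" and the convention that a
# positive score sets is_alert are assumptions made for the example.
import logging
from typing import Any, Callable, Dict, List, Tuple

log = logging.getLogger("triage")

Message = Dict[str, Any]
Rule = Tuple[str, Callable[[Message], Any], float]  # (name, predicate, score on match)


class RuleError(Exception):
    """A rule raised an exception or returned something other than a boolean."""


def evaluate_rule(rule: Rule, msg: Message) -> float:
    """Return the rule's score if it matches, 0.0 if not; raise RuleError on failure."""
    name, predicate, score = rule
    try:
        result = predicate(msg)
    except Exception as exc:            # the rule itself blew up, e.g. a missing field
        raise RuleError(f"{name}: raised {exc!r}") from exc
    if not isinstance(result, bool):    # the rule evaluated to a non-boolean
        raise RuleError(f"{name}: returned non-boolean {result!r}")
    return score if result else 0.0


def run_rules(msg: Message, rules: List[Rule]) -> Tuple[Dict[str, float], Dict[str, str]]:
    """Evaluate every rule once. Returns ({name: score}, {name: error}) so the
    caller decides what a failure means instead of aborting on the first one."""
    scores: Dict[str, float] = {}
    errors: Dict[str, str] = {}
    for rule in rules:
        try:
            scores[rule[0]] = evaluate_rule(rule, msg)
        except RuleError as exc:
            log.error("threat triage rule failed: %s", exc)
            errors[rule[0]] = str(exc)
    return scores, errors


def triage(msg: Message, rules: List[Rule], policy: str) -> Message:
    """Apply one of three failure policies:
      "abort"           - current behaviour per the thread: raise, no triage happens
      "untriaged_alert" - option 1: apply no rule, pass through with is_alert=True
      "skip_rule"       - option 2: drop the broken rule(s), score with the rest
    In both non-abort cases the failed rule names are recorded on the message so a
    downstream consumer (e.g. an investigator queue) can see why it looks as it does."""
    if policy not in ("abort", "untriaged_alert", "skip_rule"):
        raise ValueError(f"unknown policy {policy!r}")
    scores, errors = run_rules(msg, rules)
    out = dict(msg)
    if errors:
        if policy == "abort":
            raise RuleError("; ".join(errors.values()))
        out["threat.triage.errors"] = errors
        if policy == "untriaged_alert":
            out["is_alert"] = True
            return out
    total = sum(scores.values())
    out["threat.triage.score"] = total
    # Assumed convention: keep any is_alert already on the message, set it on a positive score.
    out["is_alert"] = bool(out.get("is_alert", False)) or total > 0
    return out


# Constructed rules: one sound rule, one that raises on a missing field, and one
# that returns an int instead of a bool (the two failure kinds Casey describes).
RULES: List[Rule] = [
    ("c2_port", lambda m: m.get("dst_port") == 4444, 10.0),
    ("big_upload", lambda m: m["bytes_out"] > 1_000_000, 5.0),
    ("port_not_bool", lambda m: m.get("dst_port"), 1.0),
]

# Constructed sample message: it lacks bytes_out, so "big_upload" raises.
SAMPLE: Message = {"src_ip": "10.0.0.5", "dst_port": 4444}

if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    for policy in ("untriaged_alert", "skip_rule"):
        print(policy, triage(SAMPLE, RULES, policy))
    try:
        triage(SAMPLE, RULES, "abort")
    except RuleError as exc:
        print("abort", exc)
```

Running it shows the trade-off in the thread directly: under option 1 the sample leaves with is_alert true and no score at all, under option 2 it leaves with a score of 10.0 from the one surviving rule, and in both cases threat.triage.errors names the two broken rules.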
