Can I vote for neither? I believe that is_alert is primarily intended for
use by a SOC Analyst (assumed level 1) before it gets passed to a SOC
Investigator, Forensic Investigator, etc., and that a message which failed
a threat triage rule should instead come to the attention of the SOC
Investigator role directly (although I could see an argument for address by
I don't have a solution here, just a presentation of the problem as I see
it. I feel like adding is_alert would add noise to the SOC Analyst's view,
but they don't necessarily have the skill set to resolve the issue.
Has there been any discussion around different types of is_alert, such as
ones only relevant to a certain role?
On Mon, Oct 17, 2016 at 12:21 PM Casey Stella <ceste...@gmail.com> wrote:
Similar to the other discuss thread that I just put out about field
transformations, I wanted to get some community impressions for how to
handle triage rule failure.
Currently, if a threat triage rule fails with an exception or returns a
non-boolean, an error is thrown and no triage happens. I wanted to see
what y'all think the proper behavior should be:
1. Apply no threat triage rule, log error and send message through
untriaged, but with is_alert set to true
2. Skip the individual threat triage rule, log error and send the
message through triaged sans broken rule(s).
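The two failure policies listed above, beside the current raise-on-error behaviour, as an added example that is not code from this thread or from the project: a small rule evaluator in which rule names, the `on_failure` policy labels, the field names and the sample message are all constructed for illustration.

```python
import logging
from dataclasses import dataclass
from typing import Any, Callable, Dict, List

log = logging.getLogger("triage")

# Constructed sample message; field names are assumptions for this example.
SAMPLE_MESSAGE: Dict[str, Any] = {"ip_src_addr": "10.0.0.5", "bytes_out": 5_000_000}


@dataclass
class TriageRule:
    name: str
    predicate: Callable[[Dict[str, Any]], Any]  # should return a bool
    score: float


def large_outbound_transfer(msg: Dict[str, Any]) -> bool:
    return msg["bytes_out"] > 1_000_000


def broken_lookup(msg: Dict[str, Any]) -> bool:
    # Deliberately references a field the message lacks -> KeyError.
    return msg["missing_field"] > 0


def non_boolean_result(msg: Dict[str, Any]) -> Any:
    # Deliberately returns a string instead of a bool.
    return "yes"


RULES: List[TriageRule] = [
    TriageRule("large_outbound_transfer", large_outbound_transfer, 10.0),
    TriageRule("broken_lookup", broken_lookup, 50.0),
    TriageRule("non_boolean_result", non_boolean_result, 5.0),
]


def evaluate_rule(rule: TriageRule, msg: Dict[str, Any]) -> bool:
    """Run one rule; raise if it throws or returns a non-boolean."""
    result = rule.predicate(msg)
    if not isinstance(result, bool):
        raise TypeError(
            f"rule {rule.name!r} returned {type(result).__name__}, expected bool"
        )
    return result


def triage(msg: Dict[str, Any], rules: List[TriageRule], on_failure: str) -> Dict[str, Any]:
    """Score a message against the rules under one of three failure policies.

    on_failure:
      "raise"           - current behaviour: first failure aborts all triage.
      "alert_untriaged" - option 1: drop all scoring, log, set is_alert=True.
      "skip_rule"       - option 2: log and skip only the failing rule(s).
    """
    out = dict(msg)
    errors: List[str] = []
    score = 0.0
    for rule in rules:
        try:
            if evaluate_rule(rule, out):
                score += rule.score
        except Exception as exc:  # rule threw or returned a non-bool
            if on_failure == "raise":
                raise
            log.error("threat triage rule %s failed: %s", rule.name, exc)
            errors.append(f"{rule.name}: {exc}")
            if on_failure == "alert_untriaged":
                # Option 1: no score is applied; the message is flagged
                # so a human looks at it, and the failure travels with it.
                out["is_alert"] = True
                out["triage_errors"] = errors
                return out
            # Option 2 ("skip_rule"): carry on with the remaining rules.
    out["threat_score"] = score
    out["is_alert"] = score > 0
    if errors:
        out["triage_errors"] = errors  # record which rules were skipped
    return out


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    for policy in ("alert_untriaged", "skip_rule"):
        print(policy, triage(SAMPLE_MESSAGE, RULES, policy))
```

Under either option the message keeps a `triage_errors` list, so whoever receives the alert can see that a rule was skipped or that no scoring happened at all, rather than mistaking a partially triaged message for a fully triaged one.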