Overview
The rules engine is a built-in component that lets SOC analysts define and manage detection rules: logical conditions that describe the suspicious or malicious behavior you want to detect and that trigger an alert when they are met.
The platform has three detection engines:
| Detection engine | Description |
| --- | --- |
| While-processing events | Generates indicators without cross-event context, using only the information contained in a single event. |
| Rules engine | Processes events from one or more data sources and generates an alert when the configured detection criteria are met. |
| AI engine | Based on AI techniques, described in the Predictive AI section. |

This section describes how to use the Rules engine.
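To make the distinction in the table concrete, the following is an added example, not the platform's own rule syntax or code. It implements a minimal rule evaluator with two kinds of rule: a single-event rule, which is all a "while-processing" engine can express, and a multi-event correlation rule, which needs state kept across events from more than one data source. The event fields (`ts`, `source`, `action`, `user`, `src_ip`, `privilege`), the rule classes, the source names `auth` and `vpn`, and the sample events are all constructed for this illustration.

```python
"""Added example: single-event vs. multi-event detection rules.

The rule format, event schema and sample log below are hypothetical and
constructed for illustration; they are not the platform's own format.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable

# Constructed sample events from two hypothetical sources ("auth" and "vpn").
# ts is seconds since an arbitrary epoch.
EVENTS = [
    {"ts": 100, "source": "auth", "action": "login_failed", "user": "alice", "src_ip": "203.0.113.7"},
    {"ts": 105, "source": "auth", "action": "login_failed", "user": "alice", "src_ip": "203.0.113.7"},
    {"ts": 110, "source": "auth", "action": "login_failed", "user": "alice", "src_ip": "203.0.113.7"},
    {"ts": 120, "source": "vpn",  "action": "connect",      "user": "alice", "src_ip": "203.0.113.7"},
    {"ts": 130, "source": "auth", "action": "login_failed", "user": "bob",   "src_ip": "198.51.100.9"},
    {"ts": 900, "source": "vpn",  "action": "connect",      "user": "bob",   "src_ip": "198.51.100.9"},
    {"ts": 910, "source": "auth", "action": "login_success", "user": "carol", "src_ip": "10.0.0.5",
     "privilege": "admin"},
]


@dataclass
class SingleEventRule:
    """A condition decided from one event alone (what a while-processing engine can do)."""
    name: str
    match: Callable[[dict], bool]


@dataclass
class CorrelationRule:
    """stage1 must match at least `threshold` times within `window` seconds,
    grouped by `key`, before a stage2 event from any source raises the alert."""
    name: str
    stage1: Callable[[dict], bool]
    threshold: int
    stage2: Callable[[dict], bool]
    window: int
    key: str = "src_ip"


def evaluate(events, single_rules, correlation_rules):
    """Replay events in time order and return the alerts raised."""
    alerts = []
    # state[rule name][group key] -> timestamps of recent stage-1 matches
    state = defaultdict(lambda: defaultdict(list))
    for ev in sorted(events, key=lambda e: e["ts"]):
        for rule in single_rules:
            if rule.match(ev):
                alerts.append({"rule": rule.name, "key": ev.get("src_ip"), "ts": ev["ts"]})
        for rule in correlation_rules:
            key = ev.get(rule.key)
            bucket = state[rule.name][key]
            # Drop stage-1 matches that have fallen out of the window.
            bucket[:] = [t for t in bucket if ev["ts"] - t <= rule.window]
            if rule.stage1(ev):
                bucket.append(ev["ts"])
            elif rule.stage2(ev) and len(bucket) >= rule.threshold:
                alerts.append({"rule": rule.name, "key": key, "ts": ev["ts"]})
                bucket.clear()  # alert once per burst, not once per later stage-2 event
    return alerts


# Single-event rule: an administrative login needs no other event to be interesting.
ADMIN_LOGIN = SingleEventRule(
    name="admin_login_success",
    match=lambda e: e["action"] == "login_success" and e.get("privilege") == "admin",
)

# Correlation rule across two sources: three or more failed logins from one
# source IP within 60 s, followed by a VPN connection from the same IP.
FAILED_LOGINS_THEN_VPN = CorrelationRule(
    name="failed_logins_then_vpn",
    stage1=lambda e: e["source"] == "auth" and e["action"] == "login_failed",
    threshold=3,
    stage2=lambda e: e["source"] == "vpn" and e["action"] == "connect",
    window=60,
)


def run_example():
    return evaluate(EVENTS, [ADMIN_LOGIN], [FAILED_LOGINS_THEN_VPN])


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

On the sample data, the correlation rule fires once for 203.0.113.7 (three failures within 60 s, then a VPN connect), stays silent for 198.51.100.9 (one failure, and the VPN connect arrives 770 s later), and the single-event rule fires for the admin login regardless of any other event.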