Updating a Ruleset

You can update a ruleset in the Threat Stack Cloud Security Platform® (CSP). Locate the rule by navigating to either the Rules tab or the Alerts tab.

Note

If you are looking to create a ruleset, please review the Rule Creation Overview article.

Updating the Base Rule Set

You can rename the Base Rule Set in the Threat Stack CSP.

  1. Navigate to the Rules tab and select the Base Rule Set.


  2. In the right view pane, the Details screen displays. You can update the following:
    1. The ruleset name
    2. The ruleset description

  3. After making your updates, click the Update Ruleset button to register your changes.


The ruleset is updated and your changes are displayed in the Rules tab.

Important

Clicking the Delete Ruleset link will permanently remove the updated ruleset from your organization. This ruleset will no longer be available to servers previously assigned to it.

  • We do not recommend deleting the Base Rule Set if it is the only ruleset assigned to your organization.
  • If you unintentionally delete the Base Rule Set or require assistance with re-tuning your ruleset, we recommend contacting support at support@threatstack.com.

Updating a Rule Through the Rules Tab

  1. Navigate to the Rules tab and select the rule you would like to update.


  2. In the right view pane, the Details screen displays. You can update the following:
    1. The rule name
    2. The alert title
    3. The alert description
    4. The aggregate fields
    5. The frequency of triggering an alert

  3. Click the Update Rule button to register your changes.


  4. Click the Filter link to display the rule filter settings. You can also update your deployment and suppression settings.


  5. To add a new suppression, click the New Suppression button. For additional information, please review the How do I Suppress an Alert? article.


  6. After making your selections, click the Add New Suppression button to register your changes.


The ruleset is updated and your changes are displayed in the Rules tab.

Updating a Rule Through the Alerts Tab

  1. Navigate to the Alerts tab. Locate the alert associated with the rule you would like to update.

    Note

    In this example, the "User activity (Logins)" alert was selected.

  2. Click the View/Edit Rule link.


  3. The Edit Rule dialog displays. Within the Details pane, you can update the following:
    1. The severity of the alert
    2. The rule name
    3. The alert title
    4. The alert description
    5. The aggregate fields
    6. The frequency of triggering an alert

    Note

    In this example, a host rule is being updated.


  4. You can also update other settings for deployment, rule filter and suppression by clicking their respective tabs.


  5. To add a new suppression, select the Suppressions tab and click the New Suppression button. For additional information, please review the How do I Suppress an Alert? article.


  6. After making your selections, click the Add New Suppression button to register your changes.


The ruleset is updated and your changes are displayed in the Threat Stack CSP.
