Managing Findings Rules
  • 31 Mar 2024

Editing a Findings Custom Rule

You can edit the configuration of a Findings Custom rule.

To edit the rule configuration

  1. In the Rules Manager table, click a rule.
    Its Rule drawer opens.
  2. In the Rule drawer Rule Configuration tab, update parameters or settings (refer to creating a new rule), as required. The Save Changes button becomes enabled.
  3. Modify the external notification or Remove the external notification, if required.
  4. Click Save Changes.
Note:
  • When you modify a rule's configuration (for example, when you configure the rule with a different query), it begins triggering alerts on different assets than before.

  • When you pivot from an Alert drawer to the list of assets that triggered the alert, it opens the list of assets resulting from the alert based on the original rule (i.e., before the rule was modified). This is because the asset list is based on a historical snapshot of the assets at the time of the alert.

Modifying the External Notification

You can choose an alternate enforcement action for a different external notification or modify the configuration of the existing one.

To modify the external notification

  1. Hover over the defined external notification, and click the Edit icon that appears (see figure below).
  2. Modify the configuration of the external notification, by doing one of the following:
    • In Select Action, choose another enforcement action and fill in the required fields.
    • Modify the configuration of the current enforcement action.
  3. Click Apply.

Removing the External Notification

You can remove an external notification from a Findings Custom rule.

To remove an external notification

  1. Hover over the defined external notification, and click the Trashcan icon that appears (see figure below). The external notification is removed.
  2. Click Apply. The external notification is removed from the Findings Notification Enforcements folder in the Enforcement Center.

[Figure: External notifications hover]

Activating/Deactivating a Findings Rule

A rule runs only while it is activated. You can activate any Findings Custom rule.

To activate a rule

  1. In the Rules Manager table, click a rule, and in the Rule drawer that opens, toggle on Activate (default).
  2. Click Save Changes.

To deactivate a rule

  1. In the Rules table, click a rule, and in the Rule drawer that opens, toggle off Activate.
  2. Click Save Changes.

Deleting Findings Rules

You can remove one or more Findings rules from the table on the Findings page or remove a single Findings rule from its Rule drawer.

Deleting Rules from the Findings Page

From the table on the Findings page, you can delete one or more Findings rules (Custom rules).

To delete Findings rules

  1. In the Rules Manager table, hover over a row of a single rule, and then at the end of the row, click the Delete icon, or select the checkboxes of one or more rules, and then on the top right of the table, click the Delete action.
    A confirmation dialog is displayed with the message: "You are about to delete an alert rule. Are you sure?" (when you select a single rule to delete) or "You are about to delete n alert rules. Are you sure?" (when you select n rules to delete).
  2. Click Delete to confirm deleting the rules. The rules are removed from the table, and Total decreases accordingly.

Deleting a Rule from the Rule Drawer

You can also delete a single Findings rule from the header of its Rule drawer.

[Figure: Rule header]

To delete a rule from its Rule drawer

  1. In the Rules Manager table, click a rule. The Rule drawer opens.
  2. In the Rule drawer header, click the Trashcan icon.
  3. The system asks you to confirm your choice. Once you confirm, the rule is completely deleted from the system.

