Examples of conditions for team-based queues
Use the following information to help create conditions when setting up a team-based queue.
Examples
| Queue | Conditions |
|---|---|
| High Severity Malware | Field: severity, Comparison: is, Value: high<br>Comparison: is, Value: malware |
| Suspicious Executables | Field: file_name, Comparison: ends with, Value: .exe<br>Field: file_path, Comparison: starts with, Value: /tmp/ |
| Command Injection | Field: process, Comparison: contains, Value: powershell<br>Field: signature, Comparison: contains, Value: SQL Injection |
| High Priority Alerts | Field: severity, Comparison: is, Value: critical<br>Field: risk_score, Comparison: greater than, Value: 90 |
| Privileged Accounts | Field: user, Comparison: starts with, Value: admin<br>Field: user, Comparison: starts with, Value: root<br>Field: user, Comparison: is, Value: system |
Fields not to include in conditions
- 'urgency'
- 'disposition_label'
- 'status'
- 'owner_realname'
- 'sensitivity'
- 'annotations._all'
- 'annotations._frameworks'
- 'display_id'
- 'ai_suggested_disposition_name'
- 'count_findings'
- 'related_investigations'
- 'risk_event_count'
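The following is an added example, not part of this documentation page and not the product's own routing code. It models the Field / Comparison / Value conditions from the examples table and the list of fields that must not be used in conditions, then runs a few constructed findings through the queues to show which comparisons fire and why. The page does not state how several conditions on one queue combine, so the evaluator takes that as a parameter (`match="all"` for AND, `match="any"` for OR); the `Queue`, `Condition` and `route` names, the case-insensitive string comparisons and the sample findings are all assumptions of this example. The High Severity Malware row is omitted because its second condition has no field name on the page.

```python
"""Evaluate team-based queue conditions against findings (added example).

Not the product's implementation; it illustrates the Field / Comparison /
Value triples from the examples table and the excluded-field list.
"""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List

# Fields the page says not to include in conditions (copied from the list above).
EXCLUDED_FIELDS = {
    "urgency", "disposition_label", "status", "owner_realname", "sensitivity",
    "annotations._all", "annotations._frameworks", "display_id",
    "ai_suggested_disposition_name", "count_findings",
    "related_investigations", "risk_event_count",
}

# Comparison operators used in the table. String comparisons are
# case-insensitive (an assumption); "greater than" compares numerically.
COMPARISONS: Dict[str, Callable[[Any, Any], bool]] = {
    "is": lambda a, e: str(a).lower() == str(e).lower(),
    "contains": lambda a, e: str(e).lower() in str(a).lower(),
    "starts with": lambda a, e: str(a).lower().startswith(str(e).lower()),
    "ends with": lambda a, e: str(a).lower().endswith(str(e).lower()),
    "greater than": lambda a, e: float(a) > float(e),
}


@dataclass(frozen=True)
class Condition:
    field: str
    comparison: str
    value: Any

    def matches(self, finding: Dict[str, Any]) -> bool:
        """True if the finding has the field and the comparison holds."""
        if self.field not in finding:
            return False  # a missing field never matches
        try:
            return COMPARISONS[self.comparison](finding[self.field], self.value)
        except (TypeError, ValueError):
            return False  # e.g. a non-numeric risk_score under "greater than"


def excluded_fields_in(conditions: List[Condition]) -> List[str]:
    """Return the condition fields that appear in the page's exclusion list."""
    return sorted({c.field for c in conditions if c.field in EXCLUDED_FIELDS})


@dataclass(frozen=True)
class Queue:
    name: str
    conditions: List[Condition]
    match: str = "all"  # "all" = AND, "any" = OR; the page does not say which applies

    def __post_init__(self) -> None:
        bad = excluded_fields_in(self.conditions)
        if bad:
            raise ValueError(f"queue {self.name!r} uses excluded field(s): {bad}")
        for c in self.conditions:
            if c.comparison not in COMPARISONS:
                raise ValueError(f"unknown comparison {c.comparison!r}")
        if self.match not in ("all", "any"):
            raise ValueError(f"match must be 'all' or 'any', got {self.match!r}")

    def accepts(self, finding: Dict[str, Any]) -> bool:
        results = [c.matches(finding) for c in self.conditions]
        return all(results) if self.match == "all" else any(results)


# Queues built from the examples table. Privileged Accounts is given
# match="any" because a single user value cannot start with both "admin"
# and "root" (an assumption about the intended combination).
QUEUES = [
    Queue("Suspicious Executables", [
        Condition("file_name", "ends with", ".exe"),
        Condition("file_path", "starts with", "/tmp/"),
    ]),
    Queue("Command Injection", [
        Condition("process", "contains", "powershell"),
        Condition("signature", "contains", "SQL Injection"),
    ]),
    Queue("High Priority Alerts", [
        Condition("severity", "is", "critical"),
        Condition("risk_score", "greater than", 90),
    ]),
    Queue("Privileged Accounts", [
        Condition("user", "starts with", "admin"),
        Condition("user", "starts with", "root"),
        Condition("user", "is", "system"),
    ], match="any"),
]


def route(finding: Dict[str, Any], queues: List[Queue] = QUEUES) -> List[str]:
    """Names of every queue whose conditions accept the finding, in queue order."""
    return [q.name for q in queues if q.accepts(finding)]


# Constructed sample findings (not real data).
SAMPLE_FINDINGS = [
    {"file_name": "dropper.exe", "file_path": "/tmp/dropper.exe",
     "severity": "high", "user": "admin_jane", "risk_score": 95},
    {"file_name": "report.pdf", "file_path": "/home/bob/report.pdf",
     "severity": "critical", "user": "bob", "risk_score": "88"},
    {"process": "powershell.exe -enc QQBCAEMA", "signature": "SQL Injection attempt",
     "severity": "critical", "user": "system", "risk_score": 92},
]

if __name__ == "__main__":
    for f in SAMPLE_FINDINGS:
        print(route(f))
```

Running the block prints the queue list for each sample: the `.exe` under `/tmp/` owned by `admin_jane` lands in Suspicious Executables and Privileged Accounts; the PDF with a risk score of 88 matches nothing because `greater than 90` fails even though severity is critical; the PowerShell finding with an `SQL Injection` signature matches Command Injection, High Priority Alerts and Privileged Accounts. Constructing a queue on an excluded field such as `status` raises `ValueError` before any routing happens.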