# Customizing Classification Rules

Classification rules are the core engine of the platform. Every collected piece of information is classified, tagged, and enriched by the classification rules. The platform provides built-in rules as a template. The rules can be customized by cloning them. The built-in rules are read-only.

Classification rules are accessed from Rules & Policies -> Artifact Classification -> Query Based Classification. The rules can be filtered through the selector on the top-middle section of the primary grid.

The “…” button to the right of the “+ Rule” button provides ease-of-use options for enabling/disabling rules, immediate execution, and import/export support.

<figure><img src="/files/a2hN6ySGCi0nZmNQRs3H" alt="" width="296"><figcaption></figcaption></figure>

A rule can be cloned by clicking the “…” button. Once cloned, the rule can be customized.

<figure><img src="/files/hVSkFnq3irfgcQpeCrzX" alt="" width="133"><figcaption></figcaption></figure>

The main properties of a rule are as follows:

<figure><img src="/files/RAKioIhxNQOoPGw666S3" alt=""><figcaption></figcaption></figure>

**Rule Type:** there are several kinds of classification rules:

**1. Classification Rule:** This is the default rule type.

**2. Asset Categorization Rule:** This rule type is designed for categorising assets.

**3. Notify on Match:** When this rule type is selected, notifications can be executed based on a match condition.

**4. Notify on Non-Existence:** When this rule type is selected, notifications can be executed when the match condition is not satisfied (the inverse of Notify on Match).

**5. Threat Intelligence:** This rule type is triggered only by the threat intelligence response.

**6. Scenario Rule:** This rule type is triggered only when a specific scenario occurs.

**Priority:** Higher values override the flags set in the previous rules.

**Origin:** It can be global or user-defined.

**Status:** It can be enabled or disabled.

<figure><img src="/files/FPwEXUr6IDUuTotBNhXO" alt=""><figcaption></figcaption></figure>

Once a rule is opened for editing, detailed options are provided for configuration:

**Artifact Type:** The type of artifact the rule will execute on. The “All Artifacts” option is available for executing a rule on all artifacts.

**Rule Type:** Rule types are explained previously. When Notify on Match or Notify on Non-Existence rule type is selected, notification actions are available.

**Rule Priority:** Higher values take precedence. A priority number can be generated automatically by clicking the button to the right of the property.

**Name:** Name for the rule.

**Description:** Description of the rule.

**Recommendations:** Recommendation for the rule execution.

**Stop Rule if Existing Risk Score is Higher:** When enabled, the rule stops for artifacts that already carry a higher risk score, so the existing score is not overwritten.

**Status:** Used for enabling or disabling a rule.

**KPI:** When enabled, the number of matches to the rule is recorded as a KPI value for historical analysis.

**Create Notable Event:** When enabled, matching artifacts appear under the notable events table on the portal.

**Expiry Date:** If the rule should only apply for a limited time, an expiry date can be assigned.

**Only Process Records Updated:** The rules can be set to execute only on artifacts updated within a specified time interval. For rules executing notification actions, it is recommended to select an interval; a value of the last 12 hours is recommended for notification actions.

**Check per Group of:** The field by which matches are checked per group, such as the computer name or device ID.

**Match Conditions:** Any parameter of the artifact can be used to create match rules. When creating match rules, a filter is provided to display artifacts based on risk level to enable easier management. Any unclassified artifact can be added to match the configured rule and enable classification.

**Aggregate Conditions**: The options for aggregation of notifications.

**Notifications:** Notifications can be created from these sections. <mark style="color:orange;">When Notify on Match or Notify on Non-Existence rule type is selected, notification actions are available</mark>. Notifications can be configured based on match conditions by adding notification actions.

A classification rule consists of two main parts, one for selecting and one for updating artifact information:

**Match Conditions:** The rule is triggered based on the artifact properties matched. Any property of an artifact can be used for matching.

**Set Property Values:** Once a rule matches an artifact, the artifact properties are set through set property values. Risk Score, Investigation State, Category, and “Is Malicious” are some of the properties.

<figure><img src="/files/KfxoOCr8tCQZ7nQzE7PV" alt=""><figcaption></figcaption></figure>

**Artifact Format**

All information collected by the platform is normalized and enriched. Common attributes are also added to enable better classification, as detailed below:

**Risk Score:** A value between 0-100 can be set. Higher values indicate a bigger risk. Values between 0-33 are classified as low risk, 34-66 are classified as medium risk, and values between 67-100 are classified as high risk.

**Tags:** Tags are used to create a standard definition for collected information. It is possible to add tags as needed.

**Classification State:** The classification state tracks if a collected artifact matches a classification rule. It can have the following values:

- Classified Manually
- Classified by Intelligence Database
- Matched a Rule
- New Entry
- No Matching Rule

**Classification Category:** This property can be used to categorize collected artifacts.

**Investigation State:** When set to “Investigation Request,” anonymous artifact information is shared with the threat intelligence system for investigation. It is recommended to set it to “Investigation Request” through the rules for unknown or high-risk artifacts.

**Is Malicious:** This flag is set to true for artifacts detected as malicious.

<figure><img src="/files/bnFJjpAyHNHgr7kFsJgC" alt="" width="375"><figcaption></figcaption></figure>

The property values and types can change depending on the artifact properties.
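To make the rule semantics above concrete (ascending priority with later rules overriding earlier ones, the “Stop Rule if Existing Risk Score is Higher” flag, and the low/medium/high risk bands), here is a small simulation added as an example; it is not the platform's own code, the rule names, signer, paths and sample artifact are constructed, and the exact comparison behind the stop flag is an assumption.

```python
from dataclasses import dataclass
from typing import Any, Callable

@dataclass
class Rule:
    name: str
    priority: int                      # higher values override earlier rules
    match: Callable[[dict], bool]      # match conditions on artifact properties
    set_values: dict[str, Any]         # set property values applied on match
    stop_if_higher_risk: bool = False  # "Stop Rule if Existing Risk Score is Higher"
    enabled: bool = True

def risk_band(score: int) -> str:
    """Map a 0-100 risk score onto the low/medium/high bands from the page."""
    if not 0 <= score <= 100:
        raise ValueError("risk score must be between 0 and 100")
    return "low" if score <= 33 else "medium" if score <= 66 else "high"

def classify(artifact: dict, rules: list[Rule]) -> dict:
    """Apply enabled rules in ascending priority so the highest priority wins."""
    result = dict(artifact)
    result["classification_state"] = "No Matching Rule"
    for rule in sorted(rules, key=lambda r: r.priority):
        if not rule.enabled or not rule.match(result):
            continue
        # Assumed semantics: leave the artifact alone when it already carries a
        # higher risk score than the one this rule would set.
        if rule.stop_if_higher_risk and result.get("risk_score", 0) > rule.set_values.get("risk_score", 0):
            continue
        result.update(rule.set_values)
        result["classification_state"] = "Matched a Rule"
    result["risk_band"] = risk_band(result.get("risk_score", 0))
    return result

# Constructed rules mirroring the built-in patterns the page describes
RULES = [
    Rule("Signed by trusted vendor", 10,
         lambda a: bool(a.get("signature_valid")) and a.get("signer") == "Example Vendor Ltd",
         {"risk_score": 5, "category": "Trusted", "is_malicious": False}),
    Rule("Unknown unsigned binary", 20, lambda a: not a.get("signature_valid"),
         {"risk_score": 70, "investigation_state": "Investigation Request"}),
    Rule("Threat intelligence verdict", 30, lambda a: a.get("ti_verdict") == "malicious",
         {"risk_score": 95, "is_malicious": True, "category": "Malware"}),
    Rule("System directory baseline", 40,
         lambda a: a.get("path", "").lower().startswith("c:\\windows\\"),
         {"risk_score": 20, "category": "OS"}, stop_if_higher_risk=True),
]
# Constructed sample: unsigned binary in the Windows directory flagged by threat intel
SAMPLE = {"path": "C:\\Windows\\Temp\\svc.exe", "signature_valid": False, "ti_verdict": "malicious"}
```

Running `classify(SAMPLE, RULES)` shows the priority-40 baseline rule matching but not lowering the score that the threat intelligence rule already raised to 95.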

{% hint style="info" %}
Hints:

- Use the classification rules to select the artifacts permitted within the organization. Once the rules are configured, unknown artifacts will be highlighted. Built-in rules can be used to extend the trusted artifacts. Each rule type contains a rule for this purpose. The rule can be cloned and extended.

- The system performs analysis through threat intelligence platforms to identify unknown and malicious artifacts. Built-in rules are available for automated classification based on threat intelligence.

- Unknown files not matched by threat intelligence are assigned a risk score of 70 (high risk). It is recommended to review artifacts having a high-risk score.

- For Windows Autoruns entries and processes, match conditions based on company and signature can be used to minimize unclassified artifacts.
{% endhint %}
