
Managing Rules

There are essentially two parts to an analysis with THREATGET. The first part is the creation of a System Model inside the Enterprise Architect plugin. The second part deals with the creation and maintenance of the Rule Database. The following section shows how you can manage and create rules. You can only change or delete the rules you have created yourself; the rules provided by the AIT cannot be edited.

Create a New Rule

To create a new Rule, you first have to switch to the correct overview. Do so by clicking on Rules in the navigation bar.

All previously created rules are listed here. Each rule has the following attributes: Title, Tags, Namespace, Threat Type, Owner, Activated, and Warning. The checkboxes in the Activated column mark the rules that are applied during the threat analysis; uncheck a rule's checkbox to ignore that rule in the analysis.

If you hover over one of your own rules, an X button appears that lets you delete it. To view or edit a rule, click on its row. AIT rules can only be viewed.

To create a new rule, click on the + button in the upper right corner.

Rule Details

This opens the Rule Editor window, which has two primary tabs. Title, Description, Tags, Threat Type, Likelihood, and Impact are all set in the first tab, Definition.

The Threat Type follows the STRIDE model, a threat classification developed for identifying computer security threats.

STRIDE:

* Spoofing
* Tampering
* Repudiation
* Information disclosure
* Denial of Service
* Elevation of Privilege
* UNECE

Click on the Threat Type button and select, in this case, Elevation of Privilege from the dropdown menu, because we want to check whether authorization is provided, as described in the rule's description. ThreatGet estimates the risk severity of this threat from the values of the impact and likelihood parameters.

The Likelihood in ThreatGet has four levels:

* VERY LOW
* LOW
* MEDIUM
* HIGH

The Impact in ThreatGet has four levels:

* NEGLIGIBLE
* MODERATE
* MAJOR
* SEVERE

In our example, we suggest selecting MEDIUM for the likelihood and MODERATE for the impact. You can also add Tags to your rule. These tags are different from the Tagged Values on model elements: THREATGET Tags group rules into categories. To add a Tag to a rule, click on one of the selectable Tags. To learn how to create new THREATGET Tags, see the documentation for tag creation.

Then press Next to proceed to the following step, writing the rule text.

Rule Text

The second tab, Anti-Pattern, is used to write the main rule text. In our example, we check the Authorization tagged value of the Top New Element.

ELEMENT : "Top New Element" {
    "Authorization" != "Yes"
}

To learn how the rule syntax works, see the documentation for rule creation. Once you have filled out everything, click the Check button at the bottom of the screen.

The application now checks in the background whether the entered rule is syntactically correct. If it is, the Check button is replaced by a Save button and the rule can be saved. The saved rule is stored in the rule database and listed with the other previously saved rules.

If you hover over the rule, an X button appears. Clicking on the rule's row in the table lets you EDIT the rule; clicking the X button DELETES it. The THREATGET Tags you added are shown next to the name of the rule. You can also search for rules with certain tags using the Search Bar above.

However, if the rule text contains an error, say the user refers to an element type that does not exist, a table with the error type and further information appears on the screen.

ELEMENT : "New Element" {
    "Authorization" != "Yes"
}

As you can see, the message Type "New Element" does not exist is now displayed. If you press the Eye button next to the error message, the offending part of the rule is highlighted in red so you can focus on the error.
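To make the two checks above concrete (a syntactically valid rule whose element type exists versus one that names an unknown type), here is an added example of a minimal rule checker and evaluator. It is not THREATGET's own engine: it supports only the ELEMENT : "Type" { "Tag" != "Value" } form shown on this page, and the model elements, tagged values and rule texts are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed rule texts in the single form shown on this page.
RULE_OK = '''ELEMENT : "Top New Element" {
    "Authorization" != "Yes"
}'''
RULE_BAD_TYPE = '''ELEMENT : "New Element" {
    "Authorization" != "Yes"
}'''

# Constructed system model: element type -> list of (element name, tagged values).
# "Logger" has no Authorization tagged value at all, which the anti-pattern should still catch.
MODEL = {
    "Top New Element": [
        ("Gateway", {"Authorization": "Yes"}),
        ("Sensor", {"Authorization": "No"}),
        ("Logger", {}),
    ],
}

# Hypothetical grammar: ELEMENT : "<type>" { "<tag>" (!=|=) "<value>" }
RULE_RE = re.compile(
    r'^\s*ELEMENT\s*:\s*"(?P<type>[^"]+)"\s*\{\s*'
    r'"(?P<tag>[^"]+)"\s*(?P<op>!=|=)\s*"(?P<value>[^"]*)"\s*\}\s*$'
)


@dataclass
class Rule:
    element_type: str
    tag: str
    op: str
    value: str


@dataclass
class CheckResult:
    ok: bool
    error: str = ""
    rule: Optional[Rule] = None


def parse_rule(text: str) -> CheckResult:
    """Syntax check: does the text match the supported anti-pattern form?"""
    m = RULE_RE.match(text)
    if not m:
        return CheckResult(False, 'Syntax error: expected ELEMENT : "Type" { "Tag" != "Value" }')
    return CheckResult(True, rule=Rule(m["type"], m["tag"], m["op"], m["value"]))


def check_rule(text: str, model: dict) -> CheckResult:
    """Syntax check followed by the semantic check that the element type exists in the model."""
    res = parse_rule(text)
    if not res.ok:
        return res
    if res.rule.element_type not in model:
        return CheckResult(False, f'Type "{res.rule.element_type}" does not exist', res.rule)
    return res


def evaluate(rule: Rule, model: dict) -> list:
    """Return the names of elements that match the anti-pattern, i.e. where the threat applies."""
    hits = []
    for name, tags in model.get(rule.element_type, []):
        actual = tags.get(rule.tag)  # None when the tagged value was never set
        matched = (actual != rule.value) if rule.op == "!=" else (actual == rule.value)
        if matched:
            hits.append(name)
    return hits


if __name__ == "__main__":
    for text in (RULE_OK, RULE_BAD_TYPE):
        res = check_rule(text, MODEL)
        if res.ok:
            print("Check passed; elements matching the anti-pattern:", evaluate(res.rule, MODEL))
        else:
            print("Check failed:", res.error)
```

Note that an element with no Authorization tagged value at all counts as matching "Authorization" != "Yes", so a missing value is treated as unauthorized rather than silently passing; that is the behaviour you want from an anti-pattern that flags absent controls.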