Internal Rules
Internal rules are used by other rules to create dependencies. These rules do not add scoring points and are not displayed in the UI. They are used to identify events that have no security value (and therefore no score), but are useful to identify a situation that could be significant for another rule.
For example, the internal NEW_USER rule is used to identify a new user in the environment. It is used as a dependency for different rules that identify access to privileged machines, executive machines, etc. Together they identify a situation in which a new user is accessing a privileged machine. In order to change how a new user is identified, simply change the NEW_USER rule and the change is propagated to all the rules that depend on it.
Another use for internal rules is to set conditions that require information from more than one model. Since a single rule can be triggered by conditions in only one model, multiple internal rules can be used to set conditions in different models. They can be linked to a single score-generating rule that uses the internal rules as dependencies to provide the score if all conditions are met.