Create an Incident Scoring Rule
Cortex XDR uses stitching logic to gather and assign alerts to incidents based on a set of rules that take into account different alert attributes, such as the SHA256 of the files involved and IP addresses. The incidents displayed in the Incidents Table can be prioritized according to these alert attributes.
To enable you to prioritize incidents that are significant to the needs of your organization, the Incident Scoring Rules allow you to set custom rules that highlight the incidents based on:
- A user-defined score
- Selected Cortex XDR alert attributes and assets
When an alert is triggered, Cortex XDR matches the alert with each of the custom incident rules you created. If the alert matches one or more of the rules, the alert is given the score defined by each rule. An incident rule can also contain a sub-rule that allows you to create a rule hierarchy. Where a sub-rule exists, if the same alert matches one or more of the sub-rules, the alert is also given the score defined by each sub-rule. By default, a score is applied only to the first alert that matches the defined rule and sub-rule.
A sub-rule score is only applied to an alert if the top-level rule was a match.
Within each incident, Cortex XDR aggregates the alert scores and assigns the incident a total score. The incident score is displayed in the Incidents Table as a filterable field, Score, allowing you to prioritize the Incidents Table according to the incident score. You can also view the score while investigating in the Incident View.
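The scoring behaviour described above (rule matching on alert attributes, sub-rules evaluated only under a matching parent rule, the "apply score only to first alert of incident" option, and aggregation into an incident score) modelled in Python. This is an added illustration, not Cortex XDR code; the rule names, hosts, hash and IP values are constructed placeholders.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List

Alert = Dict[str, str]

@dataclass
class ScoringRule:
    name: str
    score: int
    match: Callable[[Alert], bool]      # criteria over alert attributes
    first_alert_only: bool = True        # "Apply score only to first alert of incident"
    enabled: bool = True
    sub_rules: List["ScoringRule"] = field(default_factory=list)

def score_incident(alerts: List[Alert], rules: List[ScoringRule]) -> dict:
    """Score each alert against the rule tree and aggregate the incident total."""
    fired = set()   # rules that already scored an alert in this incident
    scored = []

    def apply(rule: ScoringRule, alert: Alert, hits: list) -> None:
        if not rule.enabled or not rule.match(alert):
            return                       # no match: its sub-rules are skipped
        if not (rule.first_alert_only and rule.name in fired):
            hits.append((rule.name, rule.score))
            fired.add(rule.name)
        for sub in rule.sub_rules:       # evaluated only under a matching parent
            apply(sub, alert, hits)

    for alert in alerts:
        hits: list = []
        for rule in rules:
            apply(rule, alert, hits)
        scored.append({"alert": alert["id"], "hits": hits, "score": sum(s for _, s in hits)})
    return {"alerts": scored, "incident_score": sum(a["score"] for a in scored)}

# Constructed sample data (placeholders, not real indicators or hosts).
BAD_HASH, CRITICAL_HOSTS, SUSPECT_IPS = "0" * 64, {"DC01"}, {"203.0.113.9"}
RULES = [
    ScoringRule("Known malicious file", 50, lambda a: a["sha256"] == BAD_HASH, sub_rules=[
        ScoringRule("...on critical asset", 30, lambda a: a["host"] in CRITICAL_HOSTS)]),
    ScoringRule("Connection to suspect IP", 20, lambda a: a["dst_ip"] in SUSPECT_IPS,
                first_alert_only=False),
]
SAMPLE_ALERTS = [
    {"id": "A1", "sha256": BAD_HASH, "host": "DC01", "dst_ip": "10.0.0.5"},
    {"id": "A2", "sha256": BAD_HASH, "host": "WS-17", "dst_ip": "203.0.113.9"},
    {"id": "A3", "sha256": "1" * 64, "host": "DC01", "dst_ip": "203.0.113.9"},
]
if __name__ == "__main__":
    print(score_incident(SAMPLE_ALERTS, RULES)["incident_score"])   # 120
```

A2 matches the file rule but receives no score from it because the rule is first-alert-only, while A3 hits a critical host without matching the parent rule, so the sub-rule is never evaluated.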
To create an incident scoring rule:
- In the Cortex XDR Management Console, navigate to Investigation > Incident Management > Scoring Rules. The Scoring Rules table displays the rules and, if applicable, the sub-rules currently in your Cortex XDR tenant.
- Select Add Scoring Rule to define the rule criteria.
- In the Create New Scoring Rule dialog, define the following:
  - Rule Name—Enter a unique name for your rule.
  - Score—Set a numeric value that is applied to an alert matching the rule criteria.
  - Base Rule—Select whether to create a top-level rule, Root, or a sub-rule, listed as Rule Name (ID:#). By default, rules are defined at root level.
  - Comment—Enter an optional comment.
  - Mark whether to Apply score only to first alert of incident—By selecting this option, you choose to apply the score only to the first alert that matches the defined rule. Subsequent alerts of the same incident will not receive a score from this rule again. By default, a score is applied only to the first alert that matches the defined rule and sub-rule.
- Determine which alert attribute you want to use as the rule match criteria. Use the filter at the top of the table to build your rule criteria.
- Review the rule criteria and Create the incident rule. You are automatically redirected to the Scoring Rules table.
- In the Scoring Rules table, Save your scoring rule.
- (Optional) Manage your existing incident scoring rules. In the Scoring Rules table, view your existing rules and sub-rules. Make sure to Save your changes.
  - Use the  to rearrange a rule. Make sure to Save after any changes you make.
  - Right-click one rule or select more than one to:
    - Edit rule—Edit the rule criteria for an existing rule.
    - Delete rule—Remove a rule and its sub-rules from your Cortex XDR tenant.
    - Disable / Enable rule—Disables or enables the rule. Disabled rules appear in the table but are grayed out, and you cannot perform any actions on them.
    - Copy rule—Copy the rule criteria to the clipboard to create a sub-rule. Locate the rule to which you want to add a sub-rule, right-click, and select Paste “rule name”.
    - Add sub-rule—Add a sub-rule to an existing rule.
- (Optional) Investigate and manage incident scoring rules from the Incidents Table or the Incident View.