Create an Incident Scoring Rule

Cortex XDR uses stitching logic to gather alerts and assign them to incidents based on a set of rules that take into account different alert attributes, such as the SHA256 hashes of the files involved and IP addresses. The incidents displayed in the Incidents Table can be prioritized according to these alert attributes.
To enable you to prioritize incidents that are significant to the needs of your organization, the Incident Scoring Rules allow you to set custom rules that highlight the incidents based on:
  • A user-defined score
  • Selected Cortex XDR alert attributes and assets
When an alert is triggered, Cortex XDR matches the alert with each of the custom incident rules you created. If the alert matches one or more of the rules, the alert is given the score defined by each rule. An incident rule can also contain a sub-rule that allows you to create a rule hierarchy. Where a sub-rule exists, if the same alert matches one or more of the sub-rules, the alert is also given the score defined by each sub-rule. By default, a score is applied only to the first alert that matches the defined rule and sub-rule.
A sub-rule score is only applied to an alert if the top-level rule was a match.
Within each incident, Cortex XDR aggregates the alert scores and assigns the incident a total score. The incident score is displayed in the Incidents Table as the filterable field Score, allowing you to prioritize the Incidents Table according to the incident score. You can also view the score while investigating in the Incident View.
To create an incident scoring rule:
  1. In the Cortex XDR Management Console, navigate to Investigation > Incident Management > Scoring Rules.
     The Scoring Rules table displays the rules and, if applicable, the sub-rules currently in your Cortex XDR tenant.
  2. Select Add Scoring Rule to define the rule criteria.
  3. In the Create New Scoring Rule dialog, define the following:
     1. Rule Name—Enter a unique name for your rule.
     2. Score—Set a numeric value that is applied to an alert matching the rule criteria.
     3. Base Rule—Select whether to create a top-level rule (Root) or a sub-rule of an existing rule, listed as Rule Name (ID:#). By default, rules are defined at root level.
     4. Comment—Enter an optional comment.
     5. Apply score only to first alert of incident—Select this option to apply the score only to the first alert that matches the defined rule. Subsequent alerts of the same incident will not receive a score from this rule again. By default, this option is selected, so a score is applied only to the first alert that matches the defined rule and sub-rule.
     6. Determine which alert attributes you want to use as the rule match criteria. Use the filter at the top of the table to build your rule criteria.
  4. Review the rule criteria and Create the incident rule.
     You are automatically redirected to the Scoring Rules table.
  5. In the Scoring Rules table, Save your scoring rule.
  6. (Optional) Manage your existing incident scoring rules.
     In the Scoring Rules table, view your existing rules and sub-rules.
     • Use the row-moving arrows to rearrange a rule. Make sure to Save after any changes you make.
     • Right-click one rule, or select more than one, to:
       • Edit rule—Edit the rule criteria for an existing rule.
       • Delete rule—Remove a rule and its sub-rules from your Cortex XDR tenant.
       • Disable / Enable rule—Disable or enable a rule. Disabled rules appear in the table but are grayed out, and you cannot perform any actions on them.
       • Copy rule—Copy the rule criteria to the clipboard to create a sub-rule. Locate the rule to which you want to add the sub-rule, right-click it, and select Paste “rule name”.
       • Add sub-rule—Add a sub-rule to an existing rule.
     Make sure to Save your changes.
  7. (Optional) Investigate and manage incident scoring rules from the Incidents Table or the Incident View.
