Manage Incident Scoring - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Pro Administrator Guide

Product
Cortex XDR
License
Pro
Creation date
2023-10-31
Last date published
2024-03-19
Category
Administrator Guide
Abstract

From the Cortex XDR management console, you can prioritize incidents based on the requirements of your organization by assigning a score to each incident.

Cortex XDR uses stitching logic to group alerts into incidents based on a set of rules that take into account different alert attributes, such as the SHA256 of the files involved and IP addresses. The incidents displayed in the Incidents table can be prioritized according to these same alert attributes.

To enable you to prioritize incidents that are significant to the needs of your organization, you can assign one of the following scores to each incident:

  • Manual Score-User-defined score

  • Scoring Rules-Rule-based score determined by a set of alert attributes and assets you define.

    When an alert is triggered, Cortex XDR matches the alert against each of the scoring rules you created. If the alert matches one or more rules, the alert is given the score defined by each matching rule. A rule can also contain sub-rules, which form a rule hierarchy; if the same alert also matches one or more sub-rules of a matching rule, the alert is given the score defined by each matching sub-rule as well. By default, a rule's score is applied only to the first alert in an incident that matches that rule or sub-rule. Within each incident, Cortex XDR sums the alert scores and assigns the incident the total as its rule-based score.

    Note

    A sub-rule score is only applied to an alert if the top-level rule was a match.

  • SmartScore-Automatic calculated score, based on machine learning.

    SmartScore relies on machine learning, statistical analysis, incident attributes, and cross-customer insights to identify high-risk incidents. When an alert is triggered, Cortex XDR calculates the SmartScore according to the compiled data.

    For Cortex XDR to calculate the SmartScore, you must ensure that Cortex XDR Analytics is enabled under Settings > Configurations > Cortex XDR - Analytics.

    Note

    Enabling SmartScore subsequently impacts the User Score.

Incident Scoring supports Scope-Based Access Control (SBAC). The following conditions apply when editing a scoring rule:

  • If Scoped Server Access is enabled and set to restrictive mode, you can edit a rule only if you are scoped to all tags in the rule.

  • If Scoped Server Access is enabled and set to permissive mode, you can edit a rule if you are scoped to at least one tag listed in the rule.

  • To change the order of rules, you must have permissions to every rule whose position you change.

  • If a rule was added while Scoped Server Access was in restrictive mode and the mode is later changed to permissive (or vice versa), you will have only view permissions for that rule.

Set Your Incident Scores

For Cortex XDR to assign incident scores, you first need to enable SmartScore and define your Rule Based Scores.

Incident scores are assigned in priority order: a Manual Score takes precedence over both a Rule Based Score and SmartScore, and a Rule Based Score takes precedence over SmartScore. Incidents with neither a Manual Score nor a Rule Based Score are assigned a SmartScore, provided Cortex XDR has collected sufficient data.
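The Python model below is an added example and is not Cortex XDR code or its scoring algorithm; it only illustrates the semantics described in the Scoring Rules bullet above (rule and sub-rule hierarchy, "apply score only to first alert", per-incident aggregation) and the precedence order in the previous paragraph, so you can reason about what total a given rule set produces before creating it in the console. Every rule name, alert attribute, hash and alert record in it is constructed for the example.

```python
"""Illustrative model of Cortex XDR incident scoring semantics.

Added example, not Cortex XDR code. It models the behaviour the guide
describes: sub-rules are evaluated only when the parent rule matched,
a rule with "apply score only to first alert" contributes once per
incident, alert scores are summed per incident, and Manual > Rule-based
> SmartScore decides which score the incident shows. All rule names,
attributes and alerts below are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class ScoringRule:
    name: str
    score: int
    match: Callable[[dict], bool]        # predicate over alert attributes
    first_alert_only: bool = True        # the guide's default setting
    sub_rules: list = field(default_factory=list)
    enabled: bool = True


def _walk(rule_list, alert, hits, consumed):
    """Collect (rule name, score) hits for one alert, recursing into sub-rules."""
    for rule in rule_list:
        if not rule.enabled or not rule.match(alert):
            continue                     # no match: sub-rules are not considered
        if not (rule.first_alert_only and id(rule) in consumed):
            hits.append((rule.name, rule.score))
            consumed.add(id(rule))
        # Parent matched, so its sub-rules may apply (even if the parent
        # already fired on an earlier alert of this incident).
        _walk(rule.sub_rules, alert, hits, consumed)


def score_alerts(alerts, rules):
    """Return (incident total, per-alert breakdown) for one incident's alerts.

    Alerts are processed in the order given, which is what makes the
    "first alert" of a first_alert_only rule well defined.
    """
    consumed = set()                     # rules that already fired once
    breakdown, total = [], 0
    for alert in alerts:
        hits = []
        _walk(rules, alert, hits, consumed)
        total += sum(score for _, score in hits)
        breakdown.append((alert["id"], hits))
    return total, breakdown


def resolve_incident_score(manual: Optional[int] = None,
                           rule_based: Optional[int] = None,
                           smart: Optional[int] = None) -> Optional[int]:
    """Manual overrides Rule-based, which overrides SmartScore; None if unscored."""
    for candidate in (manual, rule_based, smart):
        if candidate is not None:
            return candidate
    return None


# Constructed sample rule set (hypothetical names and attributes).
MALICIOUS_SHA = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"

RULES = [
    ScoringRule(
        name="Known-bad hash", score=50,
        match=lambda a: a.get("sha256") == MALICIOUS_SHA,
        sub_rules=[
            ScoringRule(name="Hash on domain controller", score=30,
                        match=lambda a: a.get("host_role") == "dc"),
        ]),
    ScoringRule(
        name="Credential access tactic", score=20,
        match=lambda a: a.get("mitre_tactic") == "credential-access",
        first_alert_only=False),         # every matching alert adds 20
]

# Constructed alerts of one incident, in arrival order.
ALERTS = [
    {"id": 1, "sha256": MALICIOUS_SHA, "host_role": "workstation"},
    {"id": 2, "sha256": MALICIOUS_SHA, "host_role": "dc",
     "mitre_tactic": "credential-access"},
    {"id": 3, "host_role": "dc", "mitre_tactic": "credential-access"},
]


def demo():
    total, breakdown = score_alerts(ALERTS, RULES)
    for alert_id, hits in breakdown:
        print(f"alert {alert_id}: {hits}")
    print("rule-based total:", total)
    print("shown score:", resolve_incident_score(rule_based=total, smart=77))
    return total


if __name__ == "__main__":
    demo()
```

Walking the sample: alert 1 collects the 50-point hash rule; alert 2 matches the hash rule again but it has already fired, so only its sub-rule (30) and the repeatable credential-access rule (20) apply; alert 3 matches the credential-access rule (20) but not the hash rule, so the domain-controller sub-rule is never evaluated for it even though its attribute would match. The incident total is 120, and because a rule-based score exists it is shown in preference to the SmartScore.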

Enable Cortex XDR SmartScore

Navigate to Incident Response > Incident Configuration > Incident Scoring and enable SmartScore.

Note

On the first activation, it can take up to 48 hours for SmartScore to calculate and display the score.

Define Scoring Rules

  1. Navigate to Incident Response > Incident Configuration > Scoring Rules.

    The Scoring Rules table displays the rules and, if applicable, the sub-rules.

  2. Select Add Scoring Rule to define the rule criteria.

  3. In the Create New Scoring Rule dialog, define the following:

    1. Rule Name—Enter a unique name for your rule.

    2. Score—Set a numeric value that is applied to an alert matching the rule criteria.

    3. Base Rule—Select whether to create a top-level rule (Root) or a sub-rule of an existing rule, listed as Rule Name (ID:#). By default, rules are created at the root level.

    4. Comment—Enter an optional comment.

    5. Apply score only to first alert of incident—When selected, the score is applied only to the first alert in the incident that matches the rule; subsequent matching alerts in the same incident do not receive the score from this rule again. This option is selected by default for rules and sub-rules.

    6. Determine which alert attributes to use as the rule match criteria. Use the filter at the top of the table to build the criteria.

  4. Review the rule criteria and Create the incident rule.

    You are automatically redirected to the Scoring Rules table.

  5. In the Scoring Rules table, Save your scoring rule.

    Note

    If you're a scoped user, a small lock icon indicates that you don't have permissions to edit a rule.

Manage Your Incident Scores

The incident score is displayed in the Incidents view as a filterable Score field in the Incidents table and as a score box in the Details pane.

To easily manage your scores, you can edit and refine existing scoring rules and also update an existing incident score directly from the Incidents view.

Refine Existing Scoring Rules

In the Scoring Rules table review your existing rules and sub-rules.

  • Use the row-moving arrows to rearrange a rule. Make sure to Save after any changes you make.

  • Right-click a rule, or select more than one rule, to:

    • Edit rule—Edit the rule criteria for an existing rule.

    • Delete rule—Remove a rule and the sub-rules.

    • Disable / Enable rule—Disables or enables the rule. Disabled rules remain in the table but are grayed out, and you cannot perform any actions on them.

    • Copy rule—Copy the rule criteria to the clipboard to create a sub-rule. Locate the rule under which you want to add the sub-rule, right-click, and select Paste "rule name".

    • Add sub-rule—Add a sub-rule to an existing rule.

Save your changes.

Update Existing Incident Score

To change an existing incident score:

  • From the Incidents table: right-click the score box and select Manage Incident Score.

  • From the Details pane: select the score box to open the Manage Incident Score dialog.

In the Manage Incident Score dialog, select the type of score you want to assign to the incident:

  • Rule based score-Determined by the scoring rules matching the alerts triggered in the incident.

  • SmartScore-Determined according to the calculated score.

    If you see a discrepancy in the assigned SmartScore, you can send numeric and textual feedback to Cortex XDR. The feedback is sent anonymously and is used to improve the calculations.

    Note

    Ensure you do not include any PII in the feedback form.

  • Manual Score-A user-defined score that overrides both the rule-based score and the SmartScore.