Customize Risk Scoring

Cortex Xpanse Expander User Guide

Product: Cortex XPANSE
Version: 2
Creation date: 2024-03-28
Last date published: 2024-04-17
Category: User Guide
Solution: Cloud
Abstract

Create custom risk-scoring rules or manually assign risk scores to prioritize incidents based on your organization's unique requirements.

In Cortex Xpanse Expander you can prioritize incidents and quantify your organization's relative risk using Risk Scoring. By default, Expander assigns a risk score to every incident. Expander calculates the risk score using threat and exploit intelligence relevant to the CVEs on the related service or website (based on active classifications or web technologies) for an incident. When the alerts change (for example, if an alert is resolved or a new alert is created) or if the underlying risks change, Expander recalculates and updates the risk score.

In addition to the base risk score that Xpanse assigns to each incident, you can create custom risk-scoring rules or manually assign a risk score. These flexible approaches to risk scores enable you to prioritize incidents based on the specific requirements of your organization. You can choose to use one or more of the following incident risk-scoring methods as needed:

  • Xpanse Risk Score—Default risk score assigned by Expander and calculated using threat and exploit data relevant to the inferred CVEs on the incident. Xpanse Risk Scoring is enabled by default. Expander updates Xpanse Risk Scores automatically when there are changes to the underlying alerts or risks for an incident. See Risk Scoring for more information about the Xpanse Risk Score and risk scoring overall.

  • User Scoring Rules—User-defined scoring rules that enable you to customize risk scoring to meet your specific business requirements.

    When an alert is triggered, Expander compares the alert with each of the User Scoring Rules you created. If the alert matches one or more of the rules, the alert score is adjusted by adding or subtracting from the Xpanse Risk Score. Within each incident, Expander aggregates these alert scores and assigns the incident a total score.

    For example, you could have a User Scoring Rule that adds 10 points to the Risk Score if an alert is high severity or is an RDP Server exposure.

    If Xpanse Risk Scoring is enabled, the User Scoring Rules add or subtract points from the Xpanse Risk Score for the incident. If Xpanse Risk Scoring is not enabled, the User Scoring Rules add or subtract points from a base score of zero.

  • Manual Score—User-defined score assigned to a specific incident. A manual score overrides the Xpanse Risk Score and user-defined scoring rules. When a manual score has been assigned, the risk score for the incident will not update when the underlying alerts or risks have changed.

The risk score is displayed on the Incidents page in the Incidents list and in the incident details pane. By default, the incident list is sorted by risk score, and incidents can also be filtered on risk scores. See Risk Scoring to learn more about the risk scoring information that Expander provides for every incident.


Enable Xpanse Risk Scoring

Xpanse Risk Scoring is enabled by default, but you can disable and reenable it as needed. If Xpanse Risk Scoring is not enabled, Expander will not automatically assign incidents risk scores.

  1. Navigate to Policies and Rules > Incident Scoring.

  2. Enable or disable Xpanse Risk Score (Automatic Score) using the toggle.

When Xpanse Risk Scoring is first enabled, it can take up to 48 hours for Cortex Xpanse to calculate and display risk scores.

Incident risk scores are assigned according to a prioritized order where a Manual Score takes precedence over User Scoring Rules and the Xpanse Risk Score, and User Scoring Rules take precedence over the Xpanse Risk Score. See Risk Scoring for more information about how the default score is calculated.

Define User Scoring Rules

User Scoring Rules enable you to customize risk scoring to meet your specific business requirements.

Using the steps below, define scoring rules that determine how a specific set of alerts should be scored. When an alert is triggered, Expander compares the alert with each of the User Scoring Rules you created. If the alert matches one or more of the rules, the score defined by each matching rule is applied to the alert. Within each incident, Expander aggregates these alert scores and assigns the incident an overall score.

If Xpanse Risk Scoring is enabled, the User Scoring Rules add to or subtract points from the Xpanse Risk Score. For example, if you have a user scoring rule that adds 10 points if an alert is high severity, the Xpanse Risk Score for an incident will be increased by 10 points if it has a high severity alert.

If Xpanse Risk Scoring is not enabled, but User Scoring Rules are defined and enabled, the User Scoring Rule will add or subtract points from a base score of zero.

When a scoring rule is created or changed, the risk score for existing active incidents will be recalculated. The updated score will appear in Expander within a few hours.

  1. Navigate to Policies and Rules > Scoring Rules, and use the toggle to make sure User Scoring Rules are enabled.

    The Scoring Rules table displays the rules and, if applicable, the sub-rules.

  2. Select + Add Scoring Rule to define a new rule.

  3. In the Create New Scoring Rule dialog box, define the following:

    1. Rule Name—Enter a unique name for your rule.

    2. Score—Set a numeric value that will be applied to alerts that match the rule criteria. You can add a positive value that will increase the risk score or a negative value to reduce the risk score.

    3. Base Rule—Select whether to create a top-level rule, Root, or a sub-rule, which is listed in the dropdown menu as Rule Name (ID:#). By default, rules are defined at the root level.

    4. Comment—Enter an optional comment.

    5. Mark whether to Apply score only to first alert of incident—By selecting this option you choose to apply the score only to the first alert that matches the defined rule. Subsequent alerts in the same incident will not receive a score from this rule again. By default, a score is applied only to the first alert that matches the defined rule and sub-rule.

    6. Define the alert attribute you want to use as the rule match criteria. Use the filter at the top of the table to build your rule criteria.

  4. Review the rule criteria and Create the scoring rule.

    You are automatically redirected to the User Scoring Rules table.

  5. In the User Scoring Rules table, Save your scoring rule.
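The scoring precedence and aggregation described above (Xpanse Risk Score as the base, rule adjustments applied per alert and summed per incident, the "apply score only to first alert of incident" option, disabled rules, and a manual score that overrides everything) as an added illustrative model in Python. This is not Expander's code: the product does not publish its aggregation formula, so the additive combination, the per-rule first-alert tracking, and all alert fields, rule names and point values here are assumptions; rule ordering and sub-rules are not modeled.

```python
from dataclasses import dataclass, replace
from typing import Callable, List, Optional


@dataclass
class Alert:
    alert_id: str
    severity: str        # assumed field, e.g. "high", "medium", "low"
    alert_type: str      # assumed field, e.g. "RDP Server" (exposure type)


@dataclass
class ScoringRule:
    name: str
    score: int                          # positive adds points, negative subtracts
    matches: Callable[[Alert], bool]    # the rule's match criteria
    first_alert_only: bool = True       # product default: score only the first matching alert
    enabled: bool = True                # disabled rules stay in the table but are skipped


@dataclass
class Incident:
    incident_id: str
    alerts: List[Alert]
    xpanse_score: Optional[int] = None   # Xpanse Risk Score, if one has been calculated
    manual_score: Optional[int] = None   # set when an analyst scored the incident by hand


def score_incident(incident: Incident, rules: List[ScoringRule],
                   xpanse_scoring_enabled: bool = True) -> int:
    """Simplified model of the precedence in the guide (assumption: adjustments are additive)."""
    # 1. A manual score takes precedence over everything and is never recalculated.
    if incident.manual_score is not None:
        return incident.manual_score

    # 2. Base is the Xpanse Risk Score when that scoring is enabled, otherwise zero.
    base = 0
    if xpanse_scoring_enabled and incident.xpanse_score is not None:
        base = incident.xpanse_score

    # 3. Each alert is compared with every enabled rule; each match adds or subtracts
    #    the rule's score. With first_alert_only a rule fires at most once per incident.
    total = base
    already_fired = set()
    for alert in incident.alerts:
        for rule in rules:
            if not rule.enabled or not rule.matches(alert):
                continue
            if rule.first_alert_only and rule.name in already_fired:
                continue
            already_fired.add(rule.name)
            total += rule.score
    return total


# Constructed sample data (not from the product): one incident with three alerts.
INCIDENT = Incident(
    incident_id="INC-1",
    alerts=[
        Alert("A-1", "high", "RDP Server"),
        Alert("A-2", "high", "Telnet Server"),
        Alert("A-3", "medium", "RDP Server"),
    ],
    xpanse_score=70,
)

# Constructed rules mirroring the guide's example (+10 for high severity or an RDP exposure).
RULES = [
    ScoringRule("High severity", +10, lambda a: a.severity == "high"),
    ScoringRule("RDP exposure", +10, lambda a: a.alert_type == "RDP Server"),
    # Disabled rule: listed in the table but never applied.
    ScoringRule("Legacy penalty", -100, lambda a: True, enabled=False),
]


def score_every_alert(incident: Incident, rules: List[ScoringRule]) -> int:
    """Same rules with 'apply score only to first alert of incident' cleared on all of them."""
    return score_incident(incident, [replace(r, first_alert_only=False) for r in rules])


if __name__ == "__main__":
    print("default (first alert only):", score_incident(INCIDENT, RULES))            # 90
    print("every matching alert:", score_every_alert(INCIDENT, RULES))                # 110
    print("Xpanse scoring disabled:", score_incident(INCIDENT, RULES, False))          # 20
    print("manual score:", score_incident(replace(INCIDENT, manual_score=5), RULES))   # 5
```

The four calls at the bottom show why the first-alert option matters in practice: with it cleared, an incident that accumulates many alerts of the same kind inflates its score on volume alone, which can push it above a single critical exposure. Keep the default unless you specifically want repeated matches to compound.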

Manage Existing User Scoring Rules

The following steps describe how to edit, disable, and perform other actions on User Scoring Rules.

  1. Navigate to Policies and Rules > Incident Scoring.

  2. In the User Scoring Rules table, review your existing rules and sub-rules.

  3. Use the row-moving arrows to rearrange the order of the rules as needed. Be sure to Save after any changes you make.

  4. Right-click one rule or select more than one to perform the following actions:

    • Edit rule—Edit the rule criteria for an existing rule.

    • Delete rule—Remove a rule and the sub-rules.

    • Disable / Enable rule—Disables or enables the rule. Disabled rules appear in the table but are grayed out, and you cannot perform any actions on them.

    • Copy rule—Copy the rule criteria to the clipboard so you can paste them as a sub-rule. Locate the rule under which you want to add the sub-rule, right-click it, and select Paste "rule name".

    • Add sub-rule—Add a sub-rule to an existing rule.

  5. Save your changes.

Manually Assign a Risk Score to an Incident

A risk score that has been manually assigned to an incident takes precedence over the automatically calculated Xpanse Risk Score and any User Scoring Rules.

  1. Navigate to Incident Response > Incidents.

  2. Right-click an incident in the incident list, or click the Risk Score in the Incident Details pane on the right.

    The Manage Incident Score dialog box opens.

  3. Select Set score manually, and enter a numerical value for the score.

  4. Apply the incident score.

A manually assigned risk score does not change when the underlying alerts or risks change, so an incident that is scored by hand stays at that score until someone revisits it, even if new alerts are added or existing ones are resolved.