Incident scoring - Administrator Guide - Cortex XSIAM - Cortex - Security Operations


Learn about the different incident scoring methods.

An incident score is a numeric value that indicates the urgency of an incident. Incident scoring can help you to streamline the process of prioritizing and investigating your incidents, by identifying incidents that require immediate attention.

Types of scoring

Cortex XSIAM uses the following scoring methods:

  • Rule-based scoring: The score is determined by user-defined scoring rules that match the alerts triggered in the incident.

  • SmartScore: The score is automatically calculated, based on machine learning.

    SmartScore relies on machine learning, statistical analysis, incident attributes, and cross-customer insights to identify high-risk incidents. When an alert is triggered, Cortex XSIAM calculates the SmartScore according to the compiled data.

  • Manual scoring: The score is defined by the user.

How Cortex XSIAM assigns the score

For Cortex XSIAM to automatically assign a score to an incident, you must enable SmartScore and define scoring rules. For more information, see Set up incident scoring.

To enable Cortex XSIAM to provide effective rule-based scores, you must define accurate scoring rules that are suitable for your environment and workflows. In addition, SmartScore requires sufficient data to calculate and display the score. On first activation, this can take up to 48 hours. If sufficient data is not available, no score is assigned.

When an incident is created, Cortex XSIAM searches for a match between your scoring rules and the alerts in the incident. If a match is found, a rule-based score is assigned. If no match is found and sufficient data is available, Cortex XSIAM assigns a SmartScore. If Cortex XSIAM doesn't have sufficient data to assign a score, you can manually assign a score.
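The precedence described above (rule-based first, then SmartScore when enough data exists, then a manual score) is easy to get wrong in custom automation that post-processes incidents. The following is an added example, not Cortex XSIAM's own implementation: the rule schema, the alert fields, the 48-hour warm-up check, and the choice to take the highest score when several rules match are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional

# All names, the rule schema, and the sample alerts below are constructed for
# this example; they are not the product's data model.

@dataclass(frozen=True)
class Alert:
    name: str
    severity: str       # constructed scale: low | medium | high | critical
    category: str

@dataclass
class Incident:
    incident_id: str
    alerts: list
    manual_score: Optional[int] = None   # set by an analyst, if at all

@dataclass(frozen=True)
class ScoringRule:
    name: str
    score: int
    matches: Callable[[Alert], bool]     # predicate over one alert

# The page states SmartScore can need up to 48 hours after first activation.
SMARTSCORE_WARMUP = timedelta(hours=48)

def match_rule_score(rules, alerts):
    """Return the score of the matching rule with the highest score, or None.

    Assumption: when several rules match, the highest score wins; the page
    does not specify how ties are resolved.
    """
    hits = [r.score for r in rules for a in alerts if r.matches(a)]
    return max(hits) if hits else None

def smartscore_available(activated_at, now, model_score):
    """SmartScore is usable only once the warm-up period has passed and the
    model produced a value (constructed stand-in for 'sufficient data')."""
    return model_score is not None and (now - activated_at) >= SMARTSCORE_WARMUP

def assign_score(incident, rules, *, activated_at, now, model_score):
    """Apply the precedence described on the page:
    rule-based -> SmartScore -> manual -> unscored."""
    rule_score = match_rule_score(rules, incident.alerts)
    if rule_score is not None:
        return rule_score, "rule-based"
    if smartscore_available(activated_at, now, model_score):
        return model_score, "smartscore"
    if incident.manual_score is not None:
        return incident.manual_score, "manual"
    return None, "unscored"

# Constructed scoring rules.
RULES = [
    ScoringRule("critical-alert", 90, lambda a: a.severity == "critical"),
    ScoringRule("lateral-movement", 75, lambda a: a.category == "lateral_movement"),
]

NOW = datetime(2024, 1, 10, tzinfo=timezone.utc)

def demo():
    """Run the three scoring paths and return the outcomes keyed by incident id."""
    inc_rule = Incident("INC-1", [Alert("Suspicious remote service creation", "high", "lateral_movement")])
    inc_smart = Incident("INC-2", [Alert("Rare process launch", "low", "execution")])
    inc_manual = Incident("INC-3", [Alert("Rare process launch", "low", "execution")], manual_score=55)
    return {
        "INC-1": assign_score(inc_rule, RULES, activated_at=NOW - timedelta(days=5), now=NOW, model_score=40),
        "INC-2": assign_score(inc_smart, RULES, activated_at=NOW - timedelta(days=5), now=NOW, model_score=40),
        # Activated one hour ago: still inside the warm-up window, so no SmartScore yet.
        "INC-3": assign_score(inc_manual, RULES, activated_at=NOW - timedelta(hours=1), now=NOW, model_score=None),
    }

if __name__ == "__main__":
    for incident_id, (score, method) in demo().items():
        print(f"{incident_id}: score={score} method={method}")
```

The `method` tag returned beside the score is the useful part for operations: recording which path produced a score lets you audit why two similar incidents were ranked differently, and spot incidents that silently fell through to "unscored" during the warm-up period.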

You can see the assigned incident score on the Incidents page, under Incident Response → Incidents.