Learn about the different incident scoring methods.
An incident score is a numeric value that indicates the urgency of an incident. Incident scoring can help you to streamline the process of prioritizing and investigating your incidents, and help you to identify the incidents that require immediate attention.
Types of scoring
Cortex XSIAM uses the following scoring methods:
Rule-based scoring: The score is determined by user-defined scoring rules that match the alerts triggered in the incident.
SmartScore: The score is automatically calculated, based on machine learning.
SmartScore relies on machine learning, statistical analysis, incident attributes, and cross-customer insights to identify high-risk incidents. When an alert is triggered, Cortex XSIAM calculates the SmartScore according to the compiled data.
Manual scoring: The score is defined by the user.
How Cortex XSIAM assigns the score
For Cortex XSIAM to provide effective rule-based scores, you must define accurate scoring rules that are suitable for your environment and workflows. In addition, SmartScore requires sufficient data to calculate and display the score. On first activation, this can take up to 48 hours. If sufficient data is not available, no score is assigned.
When an incident is created, Cortex XSIAM searches for a match between your scoring rules and the alerts in the incident. If a match is found, a rule-based score is assigned. If no match is found and sufficient data is available, Cortex XSIAM assigns a SmartScore. If Cortex XSIAM doesn't have sufficient data to assign a score, you can manually assign a score.
To enable Cortex XSIAM to automatically assign a score to an incident, you must enable SmartScore and define scoring rules. For more information, see Set up incident scoring.
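The precedence described above (rule match first, then SmartScore when enough data exists, otherwise a manual score) as an added illustration; this is example code, not Cortex XSIAM's own implementation, and the rule schema, alert attributes and sample values are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Alert:
    name: str
    severity: str

@dataclass
class ScoringRule:
    name: str
    match: dict   # alert attributes that must all be equal for the rule to match (assumed schema)
    score: int

@dataclass
class Incident:
    alerts: list
    smartscore: Optional[int] = None     # None models "insufficient data, no SmartScore"
    manual_score: Optional[int] = None   # set by an analyst when nothing else applies

def rule_based_score(incident: Incident, rules: list) -> Optional[int]:
    """Return the score of the first rule (in list order) matching any alert, else None."""
    for rule in rules:
        for alert in incident.alerts:
            if all(getattr(alert, key, None) == value for key, value in rule.match.items()):
                return rule.score
    return None

def assign_score(incident: Incident, rules: list):
    """Apply the page's precedence: rule-based, then SmartScore, then manual."""
    score = rule_based_score(incident, rules)
    if score is not None:
        return score, "rule-based"
    if incident.smartscore is not None:
        return incident.smartscore, "SmartScore"
    if incident.manual_score is not None:
        return incident.manual_score, "manual"
    return None, "unscored"   # nothing matched and no data: awaiting a manual score

# Constructed sample rules; a more specific rule is listed first so it wins over the broad one.
RULES = [
    ScoringRule("critical-malware", {"name": "Malware detected", "severity": "critical"}, 95),
    ScoringRule("any-high", {"severity": "high"}, 70),
]
```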
You can see the assigned incident score on the Incidents page, under
→ .