Set up incident scoring by enabling SmartScore and defining scoring rules.
To set up incident scoring, enable SmartScore, then enable and define scoring rules.
Select Settings → Configurations → Cortex XSIAM - Analytics and click Enable.
Select Incident Response → Incident Configuration → Incident Scoring and enable SmartScore.
Note
On the first activation, it can take up to 48 hours for SmartScore to calculate and display the score.
Enabling SmartScore also affects the User Score.
Select Incident Response → Incident Configuration → Scoring Rules and enable User Scoring Rules.
The Scoring Rules table displays the user-defined rules and sub-rules.
Click Add Scoring Rule.
In the Create New Scoring Rule dialog, define the rule criteria:
Under Rule Name, enter a unique name for your rule.
Under Score, define the score that Cortex XSIAM should apply to alerts that match the rule criteria.
Under Base Rule, select whether to create a top-level rule (labeled Root) or a sub-rule (labeled Rule Name (ID:#)). By default, rules are defined at the root level.
Select or deselect Apply score only to first alert of incident.
When this option is selected, the score is applied only to the first alert in the incident that matches the rule; subsequent alerts of the same incident do not receive a score from this rule. By default, a score is applied only to the first alert that matches the defined rule and sub-rule.
In the alert table, use the filters to define the alert attributes you want to include in the rule match criteria.
Example 20. With this rule, Cortex XSIAM assigns a score of 30 to any XDR BIOC alert with a severity level of Critical:
Score = 30
Base Rule = Root
Filters:
Alert Source=XDR BIOC AND Severity=Critical
Click Create.
You are automatically redirected to the Scoring Rules table.
In the Scoring Rules table, click Save to save your scoring rule.
Note
For scoped users, a small lock icon indicates that you don't have permissions to edit a rule.
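The steps above describe rules in terms of a score, a Root or sub-rule base, a first-alert-only option, and a priority order in the Scoring Rules table. The model below is an added example, not Cortex XSIAM code, showing how those settings can interact on one incident's alerts. It assumes behaviour the page does not spell out: rules are evaluated in table priority order and the first match assigns the score; a sub-rule matches only when its base rule also matches; filters are equality checks on alert attributes combined with AND. The rule names other than the page's own "XDR BIOC / Critical" rule, and all alert records, are constructed for the example.

```python
"""Illustrative model of ordered scoring rules applied to one incident's alerts.

Added example, not Cortex XSIAM code. Assumptions (not stated on the page):
first matching rule in priority order wins; a sub-rule requires its base rule
to match too; filters are AND-ed equality checks on alert attributes.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class ScoringRule:
    name: str
    score: int
    filters: dict = field(default_factory=dict)  # attribute -> required value, AND-ed
    base_rule: Optional["ScoringRule"] = None    # None means Root
    first_alert_only: bool = True                # the page's default setting

    def matches(self, alert: dict) -> bool:
        # Assumption: a sub-rule only applies to alerts its base rule matches.
        if self.base_rule is not None and not self.base_rule.matches(alert):
            return False
        return all(alert.get(k) == v for k, v in self.filters.items())


def score_incident(rules, alerts):
    """Return {alert_id: (rule_name, score)} for the alerts of ONE incident.

    `rules` is in priority order (top of the Scoring Rules table first).
    A first-alert-only rule scores just the first alert it matches; later
    matching alerts fall through to lower-priority rules, and an alert no
    rule matches gets (None, None), i.e. the score would have to be set manually.
    """
    consumed = set()   # first-alert-only rules that already scored an alert
    result = {}
    for alert in alerts:
        for rule in rules:
            if rule.first_alert_only and rule.name in consumed:
                continue
            if rule.matches(alert):
                result[alert["id"]] = (rule.name, rule.score)
                consumed.add(rule.name)
                break
        else:
            result[alert["id"]] = (None, None)
    return result


# The page's example rule (Root, score 30, XDR BIOC AND Critical).
BIOC_CRITICAL = ScoringRule("Critical BIOC", 30,
                            {"alert_source": "XDR BIOC", "severity": "Critical"})
# Hypothetical sub-rule of it: a more specific category scores higher.
BIOC_CRITICAL_CREDS = ScoringRule("Credential Access BIOC", 50,
                                  {"category": "Credential Access"},
                                  base_rule=BIOC_CRITICAL)
# Hypothetical Root rule that scores every matching alert, not just the first.
ANY_HIGH = ScoringRule("Any High", 10, {"severity": "High"}, first_alert_only=False)

# Sub-rule placed above its base rule so the more specific score takes precedence.
RULES = [BIOC_CRITICAL_CREDS, BIOC_CRITICAL, ANY_HIGH]

# Constructed alerts of a single incident, in arrival order.
SAMPLE_ALERTS = [
    {"id": "a1", "alert_source": "XDR BIOC", "severity": "Critical", "category": "Credential Access"},
    {"id": "a2", "alert_source": "XDR BIOC", "severity": "Critical", "category": "Execution"},
    {"id": "a3", "alert_source": "XDR BIOC", "severity": "Critical", "category": "Execution"},
    {"id": "a4", "alert_source": "XDR Agent", "severity": "High", "category": "Malware"},
    {"id": "a5", "alert_source": "XDR Agent", "severity": "High", "category": "Malware"},
    {"id": "a6", "alert_source": "Correlation", "severity": "Low", "category": "Other"},
]

if __name__ == "__main__":
    for alert_id, (rule_name, score) in score_incident(RULES, SAMPLE_ALERTS).items():
        print(f"{alert_id}: {rule_name} -> {score}")
```

Under these assumptions a3 receives no score even though it is a Critical BIOC alert: both BIOC rules have already scored their first alert of the incident, and no lower-priority rule matches. That is the effect to expect from leaving Apply score only to first alert of incident selected.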
What to do next
After setting up your scoring rules, you can take the following actions:
You can see details about the scoring method and the assigned score.
Select Incident Response → Incidents.
On the Incidents page, click on the menu icon to switch to the detailed view.
Click on the assigned score.
If you are not satisfied with the score, you can change the scoring method, or overwrite the score by setting the score manually. If you see a discrepancy with the assigned score, consider the following:
For rule-based scores, revise your scoring rules.
For SmartScores, help improve the accuracy of SmartScore by giving feedback: hover over the displayed score.
You can change the default scoring method. In addition, if Cortex XSIAM was unable to assign a score, you can set the score manually.
Select Incident Response → Incidents.
On the Incidents page, click on the menu icon to switch to the detailed view.
Click on the assigned score.
If no score was assigned, in the incident pane click the more options icon and select Manage Score.
Select a different scoring method, or click Set score manually and define a new score.
In the Scoring Rules table, take the following actions to review your rules and sub-rules:
Use the arrows to rearrange rule priorities. Make sure to click Save after any changes.
Select one or more rules and right-click to see the available actions.
Incident Scoring supports Scope-Based Access Control (SBAC). If you're a scoped user, a small lock icon indicates that you don't have permissions to edit a rule. The following parameters are considered when editing a scoring rule:
If Scoped Server Access is enabled and set to restrictive mode, you can edit a rule if you are scoped to all tags in the rule.
If Scoped Server Access is enabled and set to permissive mode, you can edit a rule if you are scoped to at least one tag listed in the rule.
To change the order of a rule, you must have permissions to the other rules of which you want to change the order.
If a rule was added while Scoped Server Access was in restrictive mode and the mode was later changed to permissive (or vice versa), you have view-only permissions for that rule.
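The four SBAC conditions above are deterministic enough to check in code. The following is an added example, not Cortex XSIAM code: it models a user's scope tags, a rule's tags, the current Scoped Server Access mode, and the mode the rule was created under. The rule names, scope tags and the `created_in_mode` field are assumptions made for the illustration; rules without any tag are not covered by the page and are not modelled.

```python
"""Added example of the Scope-Based Access Control checks for scoring rules.

Not Cortex XSIAM code. From the page: restrictive mode -> edit requires being
scoped to ALL of the rule's tags; permissive mode -> at least ONE tag;
reordering requires edit rights on every rule whose position changes; a rule
added under a different mode than the current one is view-only.
"""
from dataclasses import dataclass

RESTRICTIVE = "restrictive"
PERMISSIVE = "permissive"


@dataclass(frozen=True)
class Rule:
    name: str
    tags: frozenset          # scope tags listed in the rule
    created_in_mode: str     # assumed field: mode in effect when the rule was added


def can_edit(user_tags, rule, current_mode):
    """True if a user scoped to `user_tags` may edit `rule` under `current_mode`."""
    user_tags = frozenset(user_tags)
    if rule.created_in_mode != current_mode:
        return False                          # mode switched since creation: view-only
    if current_mode == RESTRICTIVE:
        return rule.tags <= user_tags         # scoped to all tags in the rule
    if current_mode == PERMISSIVE:
        return bool(rule.tags & user_tags)    # scoped to at least one tag
    raise ValueError(f"unknown mode {current_mode!r}")


def can_reorder(user_tags, rules_affected, current_mode):
    """Moving a rule changes the position of every rule it passes, so the user
    needs edit permission on each of them."""
    return all(can_edit(user_tags, r, current_mode) for r in rules_affected)


# Constructed rules with hypothetical scope tags.
R_EMEA = Rule("EMEA endpoints", frozenset({"emea"}), RESTRICTIVE)
R_GLOBAL = Rule("Global servers", frozenset({"emea", "apac"}), RESTRICTIVE)
R_LEGACY = Rule("Legacy", frozenset({"emea"}), PERMISSIVE)          # added before a mode change
R_REGIONAL = Rule("Regional", frozenset({"emea", "apac"}), PERMISSIVE)

if __name__ == "__main__":
    emea_analyst = {"emea"}
    for rule in (R_EMEA, R_GLOBAL, R_LEGACY):
        print(f"restrictive, emea analyst, {rule.name}: edit={can_edit(emea_analyst, rule, RESTRICTIVE)}")
    print(f"permissive, emea analyst, {R_REGIONAL.name}: edit={can_edit(emea_analyst, R_REGIONAL, PERMISSIVE)}")
    print(f"reorder EMEA/Global as emea analyst: {can_reorder(emea_analyst, [R_EMEA, R_GLOBAL], RESTRICTIVE)}")
```

The Legacy rule is the case the last bullet describes: it carries a tag the analyst is scoped to, but because it was added under permissive mode and the tenant now runs in restrictive mode, the analyst only gets view permission.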