Set up incident scoring - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Product
Cortex XSIAM
Creation date
2024-03-06
Last date published
2024-10-13
Category
Administrator Guide
Abstract

Set up incident scoring by enabling SmartScore and defining scoring rules.

To set up incident scoring you need to enable SmartScore, and enable and define scoring rules.

  1. Select SettingsConfigurationsCortex XSIAM- Analytics and click Enable.

  2. Select to Incident ResponseIncident ConfigurationIncident Scoring and enable SmartScore.

Note

On the first activation, it can take up to 48 hours for SmartScore to calculate and display the score.

Enabling SmartScore subsequently impacts the User Score.

  1. Selec Incident ResponseIncident ConfigurationScoring Rules and enable User Scoring Rules.

    The Scoring Rules table displays the user-defined rules and sub-rules.

  2. Click Add Scoring Rule.

  3. In the Create New Scoring Rule dialog, define the rule criteria:

    1. Under Rule Name, enter a unique name for your rule.

    2. Under Score, define the score that Cortex XSIAM should apply to alerts that matching the rule criteria.

    3. Under Base Rule, select whether to create a top-level rule (labeled Root) or a sub-rule (labeled Rule Name (ID:#)). By default, rules are defined at the root level.

    4. Select or deselect Apply score only to first alert of incident.

      By selecting this option you choose to apply the score only to the first alert that matches the defined rule. Subsequent alerts of the same incident will not receive a score from this rule. By default, a score is applied only to the first alert that matches the defined rule and sub-rule.

    5. In the alert table, use the filters to define the alert attributes you want to include in the rule match criteria.

    Example 20. Example

    With this rule, Cortex XSIAM assigns a score of 30 to any XDR BIOC alerts with a severity level of Critical:

    • Score = 30

    • Base Rule = Root

    • Filters:

      Alert Source=XDR BIOC AND Severity=Critical


  4. Click Create.

    You are automatically redirected to the Scoring Rules table.

  5. In the Scoring Rules table, click Save to save your scoring rule.

    Note

    For scoped users, a small lock icon indicates that you don't have permissions to edit a rule.