About the Incident Scoring Rules Page
To access this page, select Configure > Insights > Incident Scoring Rules.
Use incident scoring rules to score the risk of an incident by verifying that the indicators of compromise are already blocked from execution or mitigated by other events that contributed toward this incident. Rules comprise the following elements:
Condition—The only matching condition available for any field type is mitigated by another event.
Action—An action is a response to an incident. You can raise or lower the severity, set the severity value, or skip the remaining rules.
Tasks You Can Perform
You can perform the following tasks from the Incident Scoring Rules page:
Create an incident scoring rule. See Create an Incident Scoring Rule.
Edit and delete an incident scoring rule. See Edit and Delete Incident Scoring Rules.
Enable or disable an incident scoring rule.
Table 1 provides guidelines on using the fields on the Incident Scoring Rules page.
Table 1: Fields on the Incident Scoring Rules Page
Specifies the name of the rule.
Specifies the condition applied for the rule.
Match Any/All Rules
Specifies the match criteria set for the rule.
Specifies the action to be taken when the condition of a rule is met.
Specifies the status of the rule, whether enabled or disabled.