About the Event Scoring Rules Page
To access this page, select Configure > Insights > Event Scoring Rules.
You can use the event scoring rules to customize the log event to match your security operation center (SOC) processes. Rules comprise the following elements:
Condition—The rules engine supports several match operations for different field types. For example, the matching operations include conditions such as Matches, Contains, Greater Than, and Less Than. You can combine multiple matching criteria in an ANY (OR) configuration or an ALL (AND) configuration. To apply a condition, select a normalized field from the event and match the criteria that trigger the rule.
Action—An action is a response to an event. You can configure, increase, or lower the severity or look up a threat intelligence source.
Tasks You Can Perform
You can perform the following tasks from the Event Scoring Rules page:
Create an event scoring rule. See Create an Event Scoring Rule.
Edit and delete an event scoring rule. See Edit and Delete Event Scoring Rules.
Enable or disable an event scoring rule.
Table 1 provides guidelines on using the fields on the Event Scoring Rules page.
Table 1: Fields on the Event Scoring Rules Page
Specifies the name of the rule.
Specifies the condition applied for the rule.
Match Any/All Rules
Specifies the matching criteria set for the rule.
Specifies the action to be taken when the condition of a rule is met.
Specifies the status of the rule, whether enabled or disabled.
Click Enable or Disable to either enable the event scoring rule or disable it.