Create an Event Scoring Rule
You can create rules for the log events by defining the matching condition and corresponding actions to take when a condition is met.
To create a rule for scoring log events:
- Select Configure > Insights > Event Scoring Rules.
  The Event Scoring Rules page appears.
- Click the plus icon (+).
  A page appears on which you can define the rule’s condition and actions.
- In the text box at the top of the page, enter a unique name for the rule.
- In the Condition section:
  - Select a matching condition from the list: Match Any (the rule fires when at least one condition matches) or Match All (the rule fires only when every condition matches).
  - Select the type of event from the list. You can select from options such as:
    - Endpoint User Name
    - Threat Source Host Name
    - Threat Source IP
    - Threat Source User Name
  - For the selected event, select a condition from the list.
  - For the selected condition, provide the necessary additional data.
  - If you are defining more than one condition, click Add.
- In the Action(s) section:
  - Select a required action from the list, such as Raise or Lower Severity (by 0.25, 0.50, 0.75, or 1.0), Set Severity (value), Check feed, or Skip remaining rules.
  - For the selected action, provide any additional values it requires (for example, the amount by which to raise or lower the severity).
  - If you are defining more than one action, click Add.
- Click Confirm.
  A new rule is created and listed on the Event Scoring Rules page.
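To show how the pieces configured above combine (Match Any versus Match All, ordered rules, Raise/Lower/Set Severity, Check feed, and Skip remaining rules), here is a small rule evaluator written as an added example. It is not the product's own engine, and its specifics are assumptions: the 0 to 10 severity scale, the `equals`/`contains` operators, the exact behaviour of Check feed (consult a threat feed for the source IP and raise severity on a hit), and the event field names, rule names, IP addresses and feed contents, which are all constructed for the demonstration.

```python
"""Constructed evaluator for event scoring rules (added example, not product code)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

SEVERITY_MIN, SEVERITY_MAX = 0.0, 10.0  # assumed severity scale (not stated on the page)


@dataclass
class Condition:
    field: str   # event attribute, e.g. "threat_source_ip" (constructed names)
    op: str      # assumed operators: "equals" or "contains"
    value: str


@dataclass
class Action:
    kind: str            # "raise", "lower", "set", "check_feed", "skip_remaining"
    amount: float = 0.0  # delta or value; for check_feed, the raise applied on a feed hit


@dataclass
class Rule:
    name: str
    match: str                   # "any" = Match Any (OR), "all" = Match All (AND)
    conditions: List[Condition]
    actions: List[Action]


def condition_matches(cond: Condition, event: Dict[str, object]) -> bool:
    actual = str(event.get(cond.field, ""))
    if cond.op == "equals":
        return actual == cond.value
    if cond.op == "contains":
        return cond.value in actual
    raise ValueError(f"unknown operator {cond.op!r}")


def rule_matches(rule: Rule, event: Dict[str, object]) -> bool:
    if not rule.conditions:  # a rule with no conditions never fires
        return False
    results = [condition_matches(c, event) for c in rule.conditions]
    return any(results) if rule.match == "any" else all(results)


def clamp(value: float) -> float:
    return max(SEVERITY_MIN, min(SEVERITY_MAX, value))


def score_event(event: Dict[str, object], rules: List[Rule],
                feed_lookup: Optional[Callable[[str], bool]] = None) -> Tuple[float, List[str]]:
    """Apply rules in order; return (final severity, names of the rules that fired)."""
    severity = clamp(float(event.get("severity", 0.0)))
    fired: List[str] = []
    for rule in rules:
        if not rule_matches(rule, event):
            continue
        fired.append(rule.name)
        skip_rest = False
        for action in rule.actions:
            if action.kind == "raise":
                severity = clamp(severity + action.amount)
            elif action.kind == "lower":
                severity = clamp(severity - action.amount)
            elif action.kind == "set":
                severity = clamp(action.amount)
            elif action.kind == "check_feed":
                # Assumed semantics: raise severity when the source IP is on the feed.
                ip = str(event.get("threat_source_ip", ""))
                if feed_lookup is not None and feed_lookup(ip):
                    severity = clamp(severity + action.amount)
            elif action.kind == "skip_remaining":
                skip_rest = True  # finish this rule's actions, then stop evaluating rules
            else:
                raise ValueError(f"unknown action {action.kind!r}")
        if skip_rest:
            break
    return severity, fired


# Constructed threat feed using documentation-only addresses.
FEED_INDICATORS = {"198.51.100.23", "192.0.2.77"}


def feed_lookup(indicator: str) -> bool:
    return indicator in FEED_INDICATORS


# Constructed rule set, in evaluation order.
RULES = [
    Rule("Known-bad source", "any",
         [Condition("threat_source_host_name", "contains", "malware-c2"),
          Condition("threat_source_ip", "equals", "198.51.100.23")],
         [Action("raise", 1.0), Action("skip_remaining")]),
    Rule("Service account on lab subnet", "all",
         [Condition("endpoint_user_name", "equals", "svc-backup"),
          Condition("threat_source_ip", "contains", "10.0.9.")],
         [Action("lower", 0.5)]),
    Rule("Unattributed source, verify against feed", "any",
         [Condition("threat_source_user_name", "equals", "unknown")],
         [Action("check_feed", 0.75)]),
]

# Constructed sample events.
EVENTS = [
    {"id": "e1", "severity": 5.0, "endpoint_user_name": "alice",
     "threat_source_host_name": "malware-c2.example.test",
     "threat_source_ip": "203.0.113.9", "threat_source_user_name": "unknown"},
    {"id": "e2", "severity": 3.0, "endpoint_user_name": "svc-backup",
     "threat_source_host_name": "nas01.corp.test",
     "threat_source_ip": "10.0.9.44", "threat_source_user_name": "svc-backup"},
    {"id": "e3", "severity": 4.0, "endpoint_user_name": "bob",
     "threat_source_host_name": "",
     "threat_source_ip": "192.0.2.77", "threat_source_user_name": "unknown"},
    {"id": "e4", "severity": 9.8, "endpoint_user_name": "carol",
     "threat_source_host_name": "",
     "threat_source_ip": "198.51.100.23", "threat_source_user_name": "unknown"},
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(ev["id"], score_event(ev, RULES, feed_lookup))
```

Two behaviours worth noticing when ordering real rules: in event e1 the third rule would also have matched, but Skip remaining rules in the first rule prevents it from running, so rule order changes the final score; and in e4 the raise would push the severity past the top of the scale, so the evaluator clamps it rather than letting scores drift out of range.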