
Create an Event Scoring Rule

 

You can create scoring rules for log events by defining a matching condition and the actions to take when that condition is met.

To create a rule for scoring log events:

  1. Select Configure > Insights > Event Scoring Rules.

    The Event Scoring Rules page appears.

  2. Click the plus icon (+).

    A page appears, on which you can define the rule’s condition and actions.

  3. In the text box that appears at the top of the page, enter a unique name for the rule.
  4. In the Condition section:
    • Select how the conditions combine: Match Any (the rule fires when any one of its conditions matches) or Match All (the rule fires only when every condition matches).

    • Select the event attribute to match on from the list. The available attributes include:

      • Detection Method

      • Endpoint IP

      • Endpoint User Name

      • Event Name

      • Event Severity

      • File Hash

      • File Name

      • File Path

      • HTTP Content-Type

      • HTTP Referer

      • HTTP Status

      • Log Severity

      • Progression

      • Signature ID

      • Threat Source Host Name

      • Threat Source IP

      • Threat Source User Name

      • URL

      • URL Hostname

      • URL Path

      • URL Query

      • URL Scheme

      • Vendor Response

    • For the selected event attribute, select a match condition (comparison operator) from the list.

    • For the selected condition, provide the value it requires, such as the hash, IP address, or hostname to match.

    • If you are defining more than one condition, click Add.

  5. In the Action(s) section:
    1. Select the action to take when the rule matches, such as Raise Severity or Lower Severity (by 0.25, 0.50, 0.75, or 1.0), Set Severity (to a specific value), Check feed, or Skip remaining rules. Skip remaining rules stops evaluation of any rules listed after this one, so rule order matters when you use it.

    2. For the selected action, provide any value it requires, such as the amount by which to raise or lower the severity, or the severity value to set.

    3. If you are defining more than one action, click Add.

  6. Click Confirm.

    A new rule is created and listed on the Event Scoring Rules page.
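The following is an added example, not Juniper code, that models how rules of the kind configured above combine conditions and apply actions. It shows Match Any versus Match All, the severity adjustments, and how Skip remaining rules cuts off later rules. The operator names, the 0 to 10 severity scale, top-to-bottom rule order, and the sample events and hashes are all assumptions constructed for the example; the Check feed action is not modelled.

```python
"""Toy evaluator for event scoring rules (added example; not product code).

Assumptions, not stated on the page: severity is a float clamped to 0..10,
rules run in list order, and operators are limited to the set below.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Event = Dict[str, object]

# Comparison operators a condition can use (assumed set).
OPERATORS: Dict[str, Callable[[object, object], bool]] = {
    "equals": lambda actual, expected: actual == expected,
    "not_equals": lambda actual, expected: actual != expected,
    "contains": lambda actual, expected: isinstance(actual, str) and str(expected) in actual,
    "starts_with": lambda actual, expected: isinstance(actual, str) and actual.startswith(str(expected)),
    "greater_than": lambda actual, expected: actual is not None and actual > expected,
}


@dataclass
class Condition:
    attribute: str  # an event attribute from the page's list, e.g. "File Hash"
    operator: str   # key into OPERATORS
    value: object   # value supplied for the condition

    def matches(self, event: Event) -> bool:
        return OPERATORS[self.operator](event.get(self.attribute), self.value)


@dataclass
class Action:
    kind: str            # "raise", "lower", "set", or "skip_remaining"
    amount: float = 0.0  # delta for raise/lower (0.25..1.0), new value for set


@dataclass
class Rule:
    name: str
    match: str  # "any" (Match Any) or "all" (Match All)
    conditions: List[Condition]
    actions: List[Action]

    def applies(self, event: Event) -> bool:
        results = [c.matches(event) for c in self.conditions]
        if not results:
            return False  # a rule with no conditions never fires
        return any(results) if self.match == "any" else all(results)


SEVERITY_MIN, SEVERITY_MAX = 0.0, 10.0  # assumed scale


def clamp(value: float) -> float:
    return max(SEVERITY_MIN, min(SEVERITY_MAX, value))


def score_event(event: Event, rules: List[Rule]) -> Tuple[float, List[str]]:
    """Run rules in order; return (final severity, names of rules that fired)."""
    severity = float(event.get("Event Severity", 0.0))
    fired: List[str] = []
    for rule in rules:
        if not rule.applies(event):
            continue
        fired.append(rule.name)
        stop = False
        for action in rule.actions:
            if action.kind == "raise":
                severity = clamp(severity + action.amount)
            elif action.kind == "lower":
                severity = clamp(severity - action.amount)
            elif action.kind == "set":
                severity = clamp(action.amount)
            elif action.kind == "skip_remaining":
                stop = True  # finish this rule's actions, then stop
            else:
                raise ValueError(f"unknown action {action.kind!r}")
        if stop:
            break
    return severity, fired


# Constructed sample rules (hash value is a placeholder, not a real IOC).
SAMPLE_RULES = [
    Rule("known-bad-hash", "any",
         [Condition("File Hash", "equals", "0123456789abcdef0123456789abcdef")],
         [Action("set", 10.0), Action("skip_remaining")]),
    Rule("internal-scanner", "all",
         [Condition("Threat Source IP", "starts_with", "10.0.5."),
          Condition("Event Name", "contains", "Scan")],
         [Action("lower", 1.0)]),
    Rule("http-server-error", "any",
         [Condition("HTTP Status", "greater_than", 499)],
         [Action("raise", 0.5)]),
]

# Constructed sample events.
SAMPLE_EVENTS: List[Event] = [
    {"Event Severity": 4.0, "File Hash": "0123456789abcdef0123456789abcdef", "HTTP Status": 500},
    {"Event Severity": 6.0, "Threat Source IP": "10.0.5.12", "Event Name": "Port Scan", "HTTP Status": 503},
    {"Event Severity": 7.0, "Threat Source IP": "203.0.113.9", "Event Name": "Port Scan", "HTTP Status": 200},
]


def run_samples() -> List[Tuple[float, List[str]]]:
    return [score_event(e, SAMPLE_RULES) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for event, result in zip(SAMPLE_EVENTS, run_samples()):
        print(event.get("Event Name", "file event"), "->", result)
```

The first sample event matches both the hash rule and the HTTP 5xx rule, but only the hash rule fires because it ends with Skip remaining rules; moving that rule to the bottom of the list would let the 5xx rule run first. The third event fails Match All because its source IP is outside 10.0.5.0/24, so its severity is unchanged.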