Create an Event Scoring Rule
You can create rules for log events by defining a matching condition and the corresponding actions to take when that condition is met.
To create a rule for scoring log events:
- Select Configure > Insights > Event Scoring Rules.
The Event Scoring Rules page appears.
- Click the plus icon (+).
A page appears, on which you can define the rule’s condition and actions.
- In the text box that appears at the top of the page, enter a unique name for the rule.
- In the Condition section:
  - Select a matching condition from the list: Match Any or Match All.
  - Select the type of event from the list. You can select from options such as:
    - Detection Method
    - Endpoint IP
    - Endpoint User Name
    - Event Name
    - Event Severity
    - File Hash
    - File Name
    - File Path
    - HTTP Content-Type
    - HTTP Referer
    - HTTP Status
    - Log Severity
    - Progression
    - Signature ID
    - Threat Source Host Name
    - Threat Source IP
    - Threat Source User Name
    - URL
    - URL Hostname
    - URL Path
    - URL Query
    - URL Scheme
    - Vendor Response
  - For the selected event type, select a condition from the list.
  - For the selected condition, provide the additional data it requires.
  - If you are defining more than one condition, click Add.
- In the Action(s) section:
  - Select a required action from the list, such as Raise or Lower Severity (by 0.25, 0.50, 0.75, or 1.0), Set Severity (value), Check feed, and Skip remaining rules.
  - For the selected action, select any additional settings it requires from the list.
  - If you are defining more than one action, click Add.
- Click Confirm.
A new rule is created and listed on the Event Scoring Rules page.
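To make the rule semantics above concrete, here is an added Python model (not the product's own code) of how an ordered list of event scoring rules is evaluated: each rule uses Match Any or Match All over its conditions on the event fields listed above, and its actions raise, lower or set the severity or skip the remaining rules. The operator names, the 0.0 to 1.0 severity scale, the dictionary layout and the sample rules and events are all assumptions constructed for the example; the Check feed action is not modelled.

```python
# Operators assumed for the "select a condition from the list" step.
OPS = {
    "equals": lambda actual, want: actual == want,
    "contains": lambda actual, want: str(want) in str(actual),
    "at least": lambda actual, want: float(actual) >= float(want),
}

def rule_applies(rule, event):
    """rule["match"] is "any" (Match Any) or "all" (Match All)."""
    hits = [f in event and OPS[op](event[f], want) for f, op, want in rule["conditions"]]
    return any(hits) if rule["match"] == "any" else all(hits)

def score_event(event, rules):
    """Evaluate rules in listed order; a 'skip' action stops evaluation of the rest."""
    event = dict(event)
    event.setdefault("Event Severity", 0.0)
    for rule in rules:
        if not rule_applies(rule, event):
            continue
        for kind, *args in rule["actions"]:
            sev = float(event["Event Severity"])
            if kind == "raise":
                sev += args[0]
            elif kind == "lower":
                sev -= args[0]
            elif kind == "set":
                sev = args[0]
            elif kind == "skip":
                return event  # actions listed before 'skip' have already been applied
            event["Event Severity"] = max(0.0, min(1.0, sev))  # assumed 0.0..1.0 scale
    return event

# Constructed sample rules: (field, operator, value) conditions and action tuples.
RULES = [
    {"name": "known-bad host", "match": "any",
     "conditions": [("URL Hostname", "contains", "bad.example"),
                    ("File Hash", "equals", "PLACEHOLDER_HASH")],
     "actions": [("set", 1.0), ("skip",)]},
    {"name": "internal scanner noise", "match": "all",
     "conditions": [("Threat Source IP", "equals", "10.0.0.5"),
                    ("Detection Method", "equals", "Signature")],
     "actions": [("lower", 0.5)]},
    {"name": "high log severity", "match": "any",
     "conditions": [("Log Severity", "at least", 8)],
     "actions": [("raise", 0.25)]},
]

if __name__ == "__main__":
    sample = {"URL Hostname": "cdn.bad.example", "Log Severity": 9, "Event Severity": 0.5}
    print(score_event(sample, RULES)["Event Severity"])  # 1.0: rule 1 set it, then skipped the rest
```

Because rules run in listed order and "skip" ends evaluation, placing a high-confidence rule with Set Severity and Skip remaining rules first prevents later noise-reduction rules from lowering a score that should stay high.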