You can create rules for incidents by defining the matching
condition and corresponding actions to take when a condition is met.
To create a rule for scoring incidents:
- Select Configure > Insights > Incident Scoring Rules.
  The Incident Scoring Rules page appears.
- Click the plus icon (+).
  A page appears, on which you can define the rule’s condition and actions.
- In the Rule Description field, enter a unique name for the rule.
- In the Condition section:
  - Select a matching condition from the list: Match Any or Match All.
  - Select the type of incident from the list: File Hash, Threat Source IP, or URL.
  - For the selected incident, select mitigated by another event as the condition.

  Note: To add multiple conditions, click Add.
- In the Action(s) section:
  - Select a required action from the list, such as Raise or Lower Severity (%), Set Severity (value), or Skip remaining rules.
  - Based on the action you have selected, provide additional data.

  Note: To add multiple actions, click Add.
- Click Confirm.
  A new rule is created and listed on the Incident Scoring Rules page.

Click Enable or Disable to enable or disable the incident scoring rule.