
About the Event Scoring Rules Page

To access this page, select Configure > Insights > Event Scoring Rules.

You can use event scoring rules to customize how log events are scored so that scoring matches your security operations center (SOC) processes. A rule comprises the following elements:

  • Condition—The rules engine supports several match operations for different field types, for example Matches, Contains, Greater Than, and Less Than. You can combine multiple matching criteria in an ANY (OR) configuration or an ALL (AND) configuration. To define a condition, select a normalized field from the event and specify the criteria that trigger the rule.

  • Action—An action is the response taken when the condition is met. You can set, increase, or lower the event severity, or look up a threat intelligence source.
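The following is an added illustration of the rule model described above, not code from the product: each rule holds conditions over normalized event fields, combines them with ANY (OR) or ALL (AND), and on a match runs actions that set, raise or lower severity or request a threat intelligence lookup. The operator names, the 0 to 10 severity range, the field names, and the sample rules and events are all constructed assumptions.

```python
"""Minimal event scoring rules engine (added example; not the product's own code).
Field names, severity range and sample data are constructed for illustration."""
from dataclasses import dataclass
from typing import Any, Callable

# Match operations named on the page; how they are implemented here is an assumption.
OPERATORS: dict[str, Callable[[Any, Any], bool]] = {
    "matches": lambda actual, expected: actual == expected,
    "contains": lambda actual, expected: isinstance(actual, str) and expected in actual,
    "greater_than": lambda actual, expected: actual is not None and actual > expected,
    "less_than": lambda actual, expected: actual is not None and actual < expected,
}


@dataclass
class Condition:
    field_name: str  # normalized event field, e.g. "dst_port"
    op: str          # key into OPERATORS
    value: Any

    def evaluate(self, event: dict) -> bool:
        # A field absent from the event never matches; this also avoids
        # comparing None against a number in greater_than / less_than.
        if self.field_name not in event:
            return False
        return OPERATORS[self.op](event[self.field_name], self.value)


@dataclass
class Rule:
    name: str
    conditions: list[Condition]
    match: str                       # "any" (OR) or "all" (AND)
    actions: list[tuple[str, Any]]   # e.g. ("raise_severity", 3), ("lookup_threat_intel", "dst_ip")
    enabled: bool = True

    def is_match(self, event: dict) -> bool:
        if not self.enabled or not self.conditions:
            return False
        results = (c.evaluate(event) for c in self.conditions)
        return any(results) if self.match == "any" else all(results)


def apply_rules(event: dict, rules: list[Rule]) -> dict:
    """Return a copy of the event with severity adjusted and lookups recorded.
    Rules are applied in order, so a later rule sees severity as adjusted by
    earlier ones. Severity is clamped to 0..10 (an assumed scale)."""
    out = dict(event)
    out.setdefault("severity", 0)
    out["matched_rules"] = []
    out["threat_intel_lookups"] = []
    for rule in rules:
        if not rule.is_match(out):
            continue
        out["matched_rules"].append(rule.name)
        for action, arg in rule.actions:
            if action == "set_severity":
                out["severity"] = arg
            elif action == "raise_severity":
                out["severity"] = min(10, out["severity"] + arg)
            elif action == "lower_severity":
                out["severity"] = max(0, out["severity"] - arg)
            elif action == "lookup_threat_intel":
                # Record which field to look up and its value; a real deployment
                # would query its threat intelligence source here.
                out["threat_intel_lookups"].append((arg, out.get(arg)))
    return out


# Constructed sample rules and event (not real detections).
SAMPLE_RULES = [
    Rule("Outbound high port", [Condition("dst_port", "greater_than", 1024),
                                Condition("direction", "matches", "outbound")],
         "all", [("raise_severity", 3), ("lookup_threat_intel", "dst_ip")]),
    Rule("Internal scanner noise", [Condition("user_agent", "contains", "internal-scanner")],
         "any", [("lower_severity", 5)]),
    Rule("Disabled rule", [Condition("severity", "greater_than", 0)],
         "any", [("set_severity", 10)], enabled=False),
]

SAMPLE_EVENT = {"src_ip": "10.0.0.5", "dst_ip": "203.0.113.7", "dst_port": 4444,
                "direction": "outbound", "severity": 4, "user_agent": "curl/8.0"}

if __name__ == "__main__":
    print(apply_rules(SAMPLE_EVENT, SAMPLE_RULES))
```

Note that the disabled rule is skipped even though its condition would match, and that a rule whose field is missing from the event is treated as not matching rather than raising an error; both behaviours mirror what the Status and Condition elements above describe, but the exact semantics of the product may differ.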

Tasks You Can Perform

You can perform the following tasks from the Event Scoring Rules page:

Field Descriptions

Table 1 provides guidelines on using the fields on the Event Scoring Rules page.

Table 1: Fields on the Event Scoring Rules Page

Field                  Description
Rule Name              Specifies the name of the rule.
Rule Description       Specifies the condition applied for the rule.
Match Any/All Rules    Specifies the matching criteria set for the rule.
Actions                Specifies the action to be taken when the condition of a rule is met.
Status                 Specifies the status of the rule, whether enabled or disabled. Click Enable or Disable to either enable the event scoring rule or disable it.