Event Scoring Rules Overview
You can use event scoring rules to customize how log events are scored so that the scoring matches your security operations center (SOC) processes. A rule comprises the following elements:
Condition—The rules engine supports several match operations for different field types, for example Matches, Contains, Greater Than, and Less Than. You can combine multiple matching criteria in an ANY (OR) configuration, where the rule triggers if at least one criterion matches, or an ALL (AND) configuration, where every criterion must match. To define a condition, select a normalized field from the event and specify the criteria that trigger the rule.
Action—An action is the response taken when the condition of the rule matches. You can raise or lower the severity of the event, or look up the event in a threat intelligence source.
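As an added illustration, not Juniper's code and not a description of Security Director Cloud internals, the following Python sketches how the elements above fit together: conditions built from the match operators the page names, combined with ANY or ALL, and actions that raise or lower severity or enrich the event from a threat intelligence source. The normalized field names, the 1 to 10 severity scale, the threat intelligence table, and the sample events are all constructed for the example, as is the handling of two edge cases a practitioner would want: a condition on a field the event does not carry, and a numeric comparison against a non-numeric value, both of which are treated as "no match" rather than as an error.

```python
"""Toy event scoring rule evaluator (added example; not Juniper code)."""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List

# Match operators named on the page. Field values arrive as strings or
# numbers, so comparisons coerce explicitly instead of trusting types.
OPERATORS: Dict[str, Callable[[Any, Any], bool]] = {
    "Matches": lambda v, c: str(v) == str(c),
    "Contains": lambda v, c: str(c) in str(v),
    "Greater Than": lambda v, c: float(v) > float(c),
    "Less Than": lambda v, c: float(v) < float(c),
}


@dataclass
class Condition:
    key: str      # normalized event field (constructed names below)
    op: str       # one of OPERATORS
    value: Any

    def matches(self, event: dict) -> bool:
        if self.key not in event:
            return False          # a missing field never matches
        try:
            return OPERATORS[self.op](event[self.key], self.value)
        except (ValueError, TypeError):
            return False          # e.g. Greater Than on "high"


@dataclass
class Rule:
    name: str
    match: str                    # "ANY" (OR) or "ALL" (AND)
    conditions: List[Condition]
    action: str                   # "raise", "lower" or "ti_lookup"
    amount: int = 1               # severity steps for raise/lower/TI hit
    enabled: bool = True          # mirrors the rule's Status field

    def triggered(self, event: dict) -> bool:
        results = (c.matches(event) for c in self.conditions)
        return any(results) if self.match == "ANY" else all(results)


# Constructed threat intelligence table standing in for a real feed.
THREAT_INTEL = {"203.0.113.7": "known-scanner"}
SEVERITY_MIN, SEVERITY_MAX = 1, 10


def apply_rules(event: dict, rules: List[Rule]) -> dict:
    """Return a copy of the event with rule actions applied in order."""
    ev = dict(event)
    fired = []
    for rule in rules:
        if not rule.enabled or not rule.triggered(ev):
            continue
        fired.append(rule.name)
        if rule.action == "raise":
            ev["severity"] = min(SEVERITY_MAX, ev["severity"] + rule.amount)
        elif rule.action == "lower":
            ev["severity"] = max(SEVERITY_MIN, ev["severity"] - rule.amount)
        elif rule.action == "ti_lookup":
            hit = THREAT_INTEL.get(ev.get("src_ip"))
            if hit:               # enrich and escalate only on a hit
                ev["threat_intel"] = hit
                ev["severity"] = min(SEVERITY_MAX, ev["severity"] + rule.amount)
    ev["fired_rules"] = fired
    return ev


RULES = [
    Rule("Admin port from outside", "ALL",
         [Condition("dst_port", "Matches", 22),
          Condition("src_zone", "Matches", "untrust")], "raise", amount=3),
    Rule("Noisy internal scanner", "ANY",
         [Condition("src_ip", "Contains", "10.0.0."),
          Condition("application", "Contains", "vuln-scan")], "lower", amount=2),
    Rule("TI enrichment", "ALL",
         [Condition("severity", "Greater Than", 5)], "ti_lookup", amount=2),
    Rule("Disabled escalation", "ALL",
         [Condition("severity", "Greater Than", 0)], "raise", amount=5,
         enabled=False),
]

# Constructed sample events in an already normalized form.
SAMPLE_EVENTS = [
    {"src_ip": "203.0.113.7", "src_zone": "untrust", "dst_port": 22,
     "application": "SSH", "severity": 4},
    {"src_ip": "10.0.0.15", "src_zone": "trust", "dst_port": 443,
     "application": "vuln-scan-agent", "severity": 6},
    {"src_ip": "198.51.100.9", "src_zone": "untrust",       # no dst_port
     "application": "HTTP", "severity": 2},
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        out = apply_rules(e, RULES)
        print(out["severity"], out["fired_rules"], out.get("threat_intel"))
```

Rules are evaluated in list order, so an action that changes severity can enable a later rule; the first sample event is raised from 4 to 7 by the first rule and only then qualifies for the threat intelligence lookup, which enriches it and raises it to 9. The disabled rule never fires regardless of its condition.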
To access this page, select Juniper Security Director Cloud > Shared Services > Insights > Rules > Event Scoring Rules.
Field Descriptions
Field | Description
---|---
Rule Name | Specifies the name of the rule.
Rule Description | Specifies the condition applied for the rule.
Match Any/All Rules | Specifies whether any (OR) or all (AND) of the rule's matching criteria must be met for the rule to trigger.
Actions | Specifies the action taken when the condition of the rule is met.
Status | Specifies whether the rule is enabled or disabled.
Enable or Disable | Click to enable or disable an event scoring rule.