You can triage and rank threats by severity using the Management module.
Ensure that the enrichment is working properly.
-
On the sensor panel, in the Threat Triage field, click
.
- To add a rule, click +.
- Assign a name to the new rule in the NAME field.
- In the Text field, enter the syntax for the new rule:
- Use the SCORE ADJUSTMENT slider to choose the threat score for the
rule.
- Click SAVE.
The new rule is listed in the Threat Triage Rules panel.
- Choose how you want to aggregate your rules by choosing a value from the Aggregator menu.
You can choose among the following:
- MAX
-
The maximum of all of the associated values for matching queries.
- MIN
-
The minimum of all of the associated values for matching queries.
- MEAN
-
The mean of all of the associated values for matching queries.
- POSITIVE_MEAN
-
The mean of the positive associated values for the matching queries.
- If you want to filter threat triage display, use the Rules section and
the Sort by menu below it.
For example, to display only high-levels alerts, click the box containing the red
indicator. To sort the high-level alerts from highest to lowest, select
Highest Score from the Sort by
menu.
- Click SAVE.
