You can use the Threat Triage field in the Management UI to assign basic threat triage
rules and scores. To specify more granular triage rules, you need to specify the information
with the CLI or the Advanced JSON field in the Management
UI.
Ensure that the enrichment is working properly.
-
On the sensor panel, in the Threat Triage field, click
.
- To add a rule, click +.
-
Assign a name to the new rule in the NAME field.
-
In the RULE field, enter the syntax for the new rule. For
example:
-
In the SCORE ADJUSTMENT field, enter a threat score for the
rule. For example:
-
You can click TEST to validate your rule and score
adjustment.
-
Click SAVE.
The new rule is listed in the Threat Triage Rules
panel.
- Choose how you want to aggregate your rules by choosing a value from the Aggregator menu.
You can choose among the following:
- MAX
-
The maximum of all of the associated values for matching queries.
- MIN
-
The minimum of all of the associated values for matching queries.
- MEAN
-
The mean of all of the associated values for matching queries.
- POSITIVE_MEAN
-
The mean of the positive associated values for the matching queries.
- Click SAVE.
