Configure Basic Threat Triage Rules
You can use the Threat Triage field in the Management UI to assign basic threat triage rules and scores. To specify more granular triage rules, you need to specify the information with the CLI or the Advanced JSON field in the Management UI.
On the sensor panel, in the Threat Triage field, click .
- To add a rule, click +.
- Assign a name to the new rule in the NAME field.
In the RULE field, enter the syntax for the new rule. For
In the SCORE ADJUSTMENT field, enter a threat score for the
rule. For example:
- You can click TEST to validate your rule and score adjustment.
The new rule is listed in the Threat Triage Rules panel.
- Choose how you want to aggregate your rules by choosing a value from the Aggregator menu.
You can choose among the following:
The maximum of all of the associated values for matching queries.
The minimum of all of the associated values for matching queries.
The mean of all of the associated values for matching queries.
The mean of the positive associated values for the matching queries.
- Click SAVE.