Run Book

Performing Threat Triage

To create a threat triage rule configuration, you must first define your rules. These rules identify conditions in the data flow from the data source and associate an alert score with each condition. Following are some examples:

Rule 1

If a threat intelligence enrichment type raises an alert, suppose you want an alert score of 5.

Rule 2

If the URL ends with neither .com nor .net, suppose you want an alert score of 10.

To create these rules, complete the following steps:

  1. Click the edit button for your sensor.

  2. In the Threat Triage field, click the expand window icon.

    The module displays the Threat Triage Rules panel.

    Figure 6.1. Threat Triage Rules Panel


  3. Click the + button to add a rule.

    The module displays the Edit Rule panel.

    Figure 6.2. Edit Rule Panel


  4. Assign a name to the new rule by entering the name in the NAME field.

  5. In the Text field, enter the syntax for the new rule.

    For example:

    Exists(IsAlert)

  6. Use the SCORE ADJUSTMENT slider to choose the threat score for the rule.

  7. Click SAVE to save the new rule.

    The new rule is listed in the Threat Triage Rules panel.

  8. Choose how you want to aggregate your rules by choosing a value from the Aggregator menu.

    You can choose between:

    MAX

    The maximum of all of the associated values for matching queries.

    MIN

    The minimum of all of the associated values for matching queries.

    MEAN

    The mean of all of the associated values for matching queries.

    POSITIVE_MEAN

    The mean of the positive associated values for the matching queries.

  9. You can use the Rules section and the Sort by pull-down menu below it to filter and sort how the threat triage rules are displayed.

    For example, to display only high-level alerts, click the box containing the red indicator. To sort the high-level alerts from highest to lowest, choose Highest Score from the Sort by pull-down menu.

  10. Click SAVE on the Sensor panel to save your changes.
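As an added illustration (not code from the run book or from the product), the following Python models how the two example rules above produce per-rule scores and how the four aggregator choices in step 8 combine them. The event field names, the rule predicates and the zero-score case used to contrast MEAN with POSITIVE_MEAN are assumptions made for this example.

```python
from statistics import mean
from typing import Callable

# Constructed sample events standing in for enriched messages (field names are assumptions).
EVENTS = {
    "both_rules": {"is_alert": True, "url": "login.example.org"},
    "no_rules": {"is_alert": False, "url": "www.example.com"},
    "ti_only": {"is_alert": True, "url": "cdn.example.net"},
}

# Rule 1 and Rule 2 from the run book as (name, predicate, score).
# The predicates are one reading of the prose rules, not the product's own rule syntax.
RULES: list[tuple[str, Callable[[dict], bool], int]] = [
    ("threat_intel_alerted", lambda e: e.get("is_alert") is True, 5),
    ("url_not_com_or_net", lambda e: not str(e.get("url", "")).endswith((".com", ".net")), 10),
]

AGGREGATORS = ("MAX", "MIN", "MEAN", "POSITIVE_MEAN")


def aggregate(scores: list[int], aggregator: str) -> float:
    """Combine the scores of the rules that matched, following the step 8 definitions.
    No matching rule yields 0.0 for every aggregator."""
    if aggregator not in AGGREGATORS:
        raise ValueError(f"unknown aggregator: {aggregator}")
    if not scores:
        return 0.0
    if aggregator == "MAX":
        return float(max(scores))
    if aggregator == "MIN":
        return float(min(scores))
    if aggregator == "MEAN":
        return float(mean(scores))
    positive = [s for s in scores if s > 0]  # POSITIVE_MEAN ignores non-positive scores
    return float(mean(positive)) if positive else 0.0


def triage(event: dict, aggregator: str = "MAX") -> tuple[list[str], float]:
    """Return the names of the rules that fired and the aggregated threat score."""
    matched = [(name, score) for name, predicate, score in RULES if predicate(event)]
    names = [name for name, _ in matched]
    return names, aggregate([score for _, score in matched], aggregator)


if __name__ == "__main__":
    for label, event in EVENTS.items():
        for agg in AGGREGATORS:
            names, score = triage(event, agg)
            print(f"{label:11s} {agg:14s} matched={names} score={score}")
```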