
Prioritizing Threat Intelligence

Not all threat intelligence indicators are equal. Some require immediate response, while others can be addressed as time and availability permits. As a result, you must triage and rank threats by severity.

In HCP, you assign severity by associating conditions, which can be complex, with numeric scores. Then, for each message, a configurable aggregation function evaluates the set of conditions and aggregates the scores of the conditions that match. The aggregated score is added to the message in the threat.triage.level field. For more information about Stellar and threat triage configurations, see Using Stellar to Set up Threat Triage Configurations.
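To make the scoring mechanism concrete, here is an added Python model of the triage step (example code, not part of HCP or Metron): each rule pairs a condition with a score, only the scores of matching rules are aggregated, and the result is written to threat.triage.level. The Python lambdas stand in for Stellar expressions, the aggregator names follow the ones Metron offers (MAX, MIN, SUM, MEAN, POSITIVE_MEAN), and the sample message and rules are constructed.

```python
from statistics import mean

# Aggregators named after the ones Metron provides. They receive only the
# scores of rules whose condition matched the message.
# POSITIVE_MEAN averages only scores greater than zero, so a matched rule
# configured with score 0 does not drag the level down.
AGGREGATORS = {
    "MAX": lambda s: max(s, default=0.0),
    "MIN": lambda s: min(s, default=0.0),
    "SUM": lambda s: float(sum(s)),
    "MEAN": lambda s: mean(s) if s else 0.0,
    "POSITIVE_MEAN": lambda s: mean([x for x in s if x > 0]) if any(x > 0 for x in s) else 0.0,
}

# Constructed severity rules: (name, condition, score). Each condition is a
# stand-in for a Stellar expression that the real configuration would hold.
RULES = [
    ("known_malicious_source",
     lambda m: bool(m.get("enrichments.hbaseThreatIntel.ip_src_addr.malicious_ip")), 10),
    ("ssh_to_internal_host",
     lambda m: m.get("ip_dst_port") == 22 and bool(m.get("is_internal")), 5),
    ("large_outbound_transfer",
     lambda m: m.get("bytes_out", 0) > 10_000_000, 3),
]


def triage(message, rules=RULES, aggregator="MAX"):
    """Evaluate every rule against the message, aggregate the scores of the
    rules that matched, and return a copy of the message annotated with
    threat.triage.level. Also returns the names of the matched rules."""
    matched = {name: float(score) for name, cond, score in rules if cond(message)}
    level = AGGREGATORS[aggregator](list(matched.values()))
    annotated = dict(message)
    annotated["threat.triage.level"] = level
    return annotated, sorted(matched)


# Constructed sample message: a flagged source address opening SSH to an
# internal host, with a small transfer.
SAMPLE = {
    "ip_src_addr": "198.51.100.23",
    "ip_dst_addr": "10.0.0.5",
    "ip_dst_port": 22,
    "is_internal": True,
    "bytes_out": 512,
    "enrichments.hbaseThreatIntel.ip_src_addr.malicious_ip": True,
}

if __name__ == "__main__":
    for agg in AGGREGATORS:
        out, fired = triage(SAMPLE, aggregator=agg)
        print(f"{agg:14s} threat.triage.level={out['threat.triage.level']} rules={fired}")
```

Switching the aggregator changes the level for the same message (MAX gives the top rule's score, SUM stacks them), which is why the choice of aggregation function belongs in the triage design rather than in individual rules.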

This section details the steps to understand and create severity rules, configure them in ZooKeeper, and view the resulting alerts in the HCP Investigation module: