You can use the Threat Triage field in the Management UI to assign basic threat triage
rules and scores. To specify more granular triage rules, you must supply them through
the CLI or the Advanced JSON field in the Management UI.
Before you begin, ensure that enrichment is working properly: triage rules are evaluated
against the enriched message, so a rule that references an enrichment field cannot match
while that enrichment is not being populated.
- On the sensor panel, in the Threat Triage field, click the edit icon next to the field.
  - To add a rule, click +.
  - Assign a name to the new rule in the NAME field.
  - In the Text field, enter the expression for the new rule.
  - Use the SCORE ADJUSTMENT slider to choose the threat score adjustment for the rule.
  - Click SAVE.
  The new rule is listed in the Threat Triage Rules panel.
- Choose how the scores of matching rules are combined by selecting a value from the
  Aggregator menu. You can choose among the following:
  - MAX: the maximum of the score adjustments of all rules that match the message.
  - MIN: the minimum of the score adjustments of all rules that match the message.
  - MEAN: the mean of the score adjustments of all rules that match the message.
  - POSITIVE_MEAN: the mean of the positive score adjustments of the rules that match
    the message; rules with a negative adjustment are ignored by this aggregator.
- If you want to filter the threat triage display, use the Rules section and
  the Sort by menu below it.
  For example, to display only high-level alerts, click the box containing the red
  indicator. To sort the high-level alerts from highest to lowest, select
  Highest Score from the Sort by menu.
- Click SAVE.
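The following is an added worked example, not code from this page or from the product it documents, that shows how the four aggregators combine the score adjustments of the rules that match a message. The real rules are expressions typed into the Text field (or supplied as Advanced JSON); here each rule's expression is stood in for by a Python predicate, and the rule names, field names, scores and messages are all constructed for the example. It also shows the two cases worth checking before you pick an aggregator: a message that matches both a positive and a negative adjustment (where MEAN and POSITIVE_MEAN diverge) and a message that matches no rule at all (which this example reports as `None`; how the product itself represents a no-match is an assumption here, not something the page states).

```python
"""Worked example of threat triage rule scoring and aggregation.

Added illustration, not code from the page or from the product it documents.
Each rule's expression is stood in for by a Python predicate; rule names,
field names, scores and messages are constructed for this example.
"""
from dataclasses import dataclass
from statistics import mean
from typing import Callable, Dict, List, Optional

Message = Dict[str, object]


@dataclass(frozen=True)
class TriageRule:
    name: str
    score: float                          # the SCORE ADJUSTMENT value; may be negative
    matches: Callable[[Message], bool]    # stand-in for the rule expression


def matching_rules(message: Message, rules: List[TriageRule]) -> List[TriageRule]:
    """Return the rules whose expression is true for this (enriched) message."""
    return [r for r in rules if r.matches(message)]


def aggregate(scores: List[float], aggregator: str) -> Optional[float]:
    """Combine the matching rules' scores as the Aggregator menu describes.

    Returns None when no rule matched, so a caller can tell "no triage score"
    apart from a genuine score of 0 (assumption for this example only).
    """
    if not scores:
        return None
    if aggregator == "MAX":
        return max(scores)
    if aggregator == "MIN":
        return min(scores)
    if aggregator == "MEAN":
        return mean(scores)
    if aggregator == "POSITIVE_MEAN":
        # Negative adjustments are ignored; only the positive values are averaged.
        positive = [s for s in scores if s > 0]
        return mean(positive) if positive else 0.0  # assumption: all-negative -> 0
    raise ValueError(f"unknown aggregator: {aggregator}")


def triage(message: Message, rules: List[TriageRule], aggregator: str) -> Dict[str, object]:
    """Score one message: which rules matched and the aggregated score."""
    matched = matching_rules(message, rules)
    return {
        "score": aggregate([r.score for r in matched], aggregator),
        "matched": [r.name for r in matched],
    }


def rank(triaged: List[Dict[str, object]], min_score: float) -> List[Dict[str, object]]:
    """The 'only high-level alerts, Highest Score first' view from the UI."""
    kept = [t for t in triaged if t["score"] is not None and t["score"] >= min_score]
    return sorted(kept, key=lambda t: t["score"], reverse=True)


# Constructed rules (names, fields and scores invented for this example).
KNOWN_BAD = {"203.0.113.5", "198.51.100.7"}

RULES = [
    TriageRule("source on threat-intel blocklist", 90,
               lambda m: m.get("ip_src_addr") in KNOWN_BAD),
    TriageRule("internal source host", 20,
               lambda m: str(m.get("ip_src_addr", "")).startswith("10.")),
    TriageRule("approved vulnerability scanner", -50,
               lambda m: m.get("ip_src_addr") == "10.1.2.3"),
]

# Constructed messages, as they would look after enrichment.
MESSAGES = [
    {"id": "a", "ip_src_addr": "10.1.2.3", "ip_dst_addr": "10.9.9.9"},      # scanner
    {"id": "b", "ip_src_addr": "203.0.113.5", "ip_dst_addr": "10.0.0.4"},   # blocklisted
    {"id": "c", "ip_src_addr": "192.0.2.9", "ip_dst_addr": "10.0.0.4"},     # no rule matches
]


def triage_all(aggregator: str) -> Dict[str, Dict[str, object]]:
    """Triage every constructed message under one aggregator, keyed by message id."""
    return {str(m["id"]): triage(m, RULES, aggregator) for m in MESSAGES}


if __name__ == "__main__":
    for agg in ("MAX", "MIN", "MEAN", "POSITIVE_MEAN"):
        print(agg, {k: v["score"] for k, v in triage_all(agg).items()})
```

Running it shows why the aggregator choice matters for the scanner message: MAX gives 20, MIN gives -50, MEAN gives -15, and POSITIVE_MEAN gives 20 because the negative adjustment is dropped before averaging. If you rely on a negative adjustment to suppress known-benign traffic, POSITIVE_MEAN will not honour it.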