https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/incident-scoring-rules/m-p/557512#M5128 <P>Hello Anthony,</P> <P>&nbsp;</P> <DIV class="p-workspace__primary_view_body"> <DIV class="p-message_pane p-message_pane--classic-nav p-message_pane--scrollbar-float-adjustment p-message_pane--with-bookmarks-bar p-message_pane--with-bookmarks-bar-open" data-qa="message_pane"> <DIV role="presentation"> <DIV class="c-virtual_list c-virtual_list--scrollbar c-message_list c-message_list--floating c-scrollbar c-scrollbar--fade" role="presentation"> <DIV class="c-scrollbar__hider" role="presentation" data-qa="slack_kit_scrollbar"> <DIV class="c-scrollbar__child" role="presentation"> <DIV class="c-virtual_list__scroll_container" tabindex="-1" role="list" data-qa="slack_kit_list" aria-label="Piyush Kohli (direct message, away)"> <DIV id="1694503350.761809" class="c-virtual_list__item" tabindex="-1" role="listitem" aria-setsize="-1" data-qa="virtual-list-item" data-item-key="1694503350.761809"> <DIV class="c-message_kit__background p-message_pane_message__message c-message_kit__message p-message_pane_message__message--last" role="presentation" data-qa="message_container" data-qa-unprocessed="false" data-qa-placeholder="false"> <DIV class="c-message_kit__hover" role="document" aria-roledescription="message" data-qa-hover="true"> <DIV class="c-message_kit__actions c-message_kit__actions--default"> <DIV class="c-message_kit__gutter"> <DIV class="c-message_kit__gutter__right" role="presentation" data-qa="message_content"> <DIV class="c-message_kit__blocks c-message_kit__blocks--rich_text"> <DIV class="c-message__message_blocks c-message__message_blocks--rich_text" data-qa="message-text"> <DIV class="p-block_kit_renderer" data-qa="block-kit-renderer"> <DIV class="p-block_kit_renderer__block_wrapper p-block_kit_renderer__block_wrapper--first"> <DIV class="p-rich_text_block" dir="auto"> <DIV class="p-rich_text_section">It's completely based on the individual organization policy, how would they want as everyone has their different requirements.</DIV> <DIV class="p-rich_text_section">&nbsp;</DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> Tue, 12 Sep 2023 07:24:57 GMT aspatil 2023-09-12T07:24:57Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/incident-scoring-rules/m-p/557328#M5114 <P>Dear LIVEcommunity,</P> <P>&nbsp;</P> <P>Our environment had the SMART score enabled and now I'm working on incident scoring rules to make the VIP username and/or their devices stand out when alert generated matched their username/hostname.</P> <P>&nbsp;</P> <P>I had their information flagged as "featured user/host", Am wondering what the recommended scoring structure would be. Kindly share your idea/practice for reference purposes.</P> <P>&nbsp;</P> <P>My current idea is to score the first alert (any category, except restriction) with 100, ignore subsequent alert that is identical to the first one.</P> <P>&nbsp;</P> <P><LI-PRODUCT title="Cortex XDR" id="Cortex_XDR"></LI-PRODUCT>&nbsp;</P> <P><BR />Thank you.</P> Mon, 11 Sep 2023 10:14:21 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/incident-scoring-rules/m-p/557328#M5114 Antony_Chan 2023-09-11T10:14:21Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/incident-scoring-rules/m-p/557512#M5128 <P>Hello Anthony,</P> <P>&nbsp;</P> <DIV class="p-workspace__primary_view_body"> <DIV class="p-message_pane p-message_pane--classic-nav p-message_pane--scrollbar-float-adjustment p-message_pane--with-bookmarks-bar p-message_pane--with-bookmarks-bar-open" data-qa="message_pane"> <DIV role="presentation"> <DIV class="c-virtual_list c-virtual_list--scrollbar c-message_list c-message_list--floating c-scrollbar c-scrollbar--fade" role="presentation"> <DIV class="c-scrollbar__hider" role="presentation" data-qa="slack_kit_scrollbar"> <DIV class="c-scrollbar__child" role="presentation"> <DIV class="c-virtual_list__scroll_container" tabindex="-1" role="list" data-qa="slack_kit_list" aria-label="Piyush Kohli (direct message, away)"> <DIV id="1694503350.761809" class="c-virtual_list__item" tabindex="-1" role="listitem" aria-setsize="-1" data-qa="virtual-list-item" data-item-key="1694503350.761809"> <DIV class="c-message_kit__background p-message_pane_message__message c-message_kit__message p-message_pane_message__message--last" role="presentation" data-qa="message_container" data-qa-unprocessed="false" data-qa-placeholder="false"> <DIV class="c-message_kit__hover" role="document" aria-roledescription="message" data-qa-hover="true"> <DIV class="c-message_kit__actions c-message_kit__actions--default"> <DIV class="c-message_kit__gutter"> <DIV class="c-message_kit__gutter__right" role="presentation" data-qa="message_content"> <DIV class="c-message_kit__blocks c-message_kit__blocks--rich_text"> <DIV class="c-message__message_blocks c-message__message_blocks--rich_text" data-qa="message-text"> <DIV class="p-block_kit_renderer" data-qa="block-kit-renderer"> <DIV class="p-block_kit_renderer__block_wrapper p-block_kit_renderer__block_wrapper--first"> <DIV class="p-rich_text_block" dir="auto"> <DIV class="p-rich_text_section">It's completely based on the individual organization policy, how would they want as everyone has their different requirements.</DIV> <DIV class="p-rich_text_section">&nbsp;</DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> Tue, 12 Sep 2023 07:24:57 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/incident-scoring-rules/m-p/557512#M5128 aspatil 2023-09-12T07:24:57Z