5 Alert Scoring Editor

Use the Alert Scoring Editor administration tool to create new rules or modify the logic behind existing rules that prioritize alerts automatically.

This chapter contains the following topics:

About the Alert Scoring Editor

The score of an alert is a measure of priority or risk that an analyst can use to decide the order in which to investigate alerts. Depending on the configuration of your installation, the alert score may also determine whether the system closes the alert automatically. The system derives the score of an alert from the scores of the matches that compose it: match scoring computes a score for each individual match to provide an initial prioritization. Because of this dependency, match scoring must complete before an alert's score can be determined.

The Alert Scoring Editor allows you, the application Administrator, to view, modify, or delete the rules that the system uses to determine the score for matches and alerts. You can also create new match scoring rules or modify existing ones for each Scenario, and define variations of each rule for each Threshold Set in a Scenario. In the Alert Scoring Editor, you can view a history of changes to each rule and its variations.
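As an added illustration (not the product's own code or scoring logic), the following Python sketch models the two-stage dependency described above: match scoring rules keyed by Scenario, each with an optional variation per Threshold Set, and an alert score that can only be derived once its matches are scored. The scenario names, attribute names, the base-rule fallback, the 0-100 clamp, the max() aggregation and the auto-close cutoff are all constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List

Attrs = Dict[str, float]
ScoreFn = Callable[[Attrs], int]

@dataclass(frozen=True)
class Match:
    scenario: str
    threshold_set: str
    attributes: Attrs

@dataclass
class MatchScoringRule:
    """One rule per Scenario; `variations` holds the per-Threshold-Set versions."""
    scenario: str
    base: ScoreFn
    variations: Dict[str, ScoreFn] = field(default_factory=dict)

    def score(self, match: Match) -> int:
        # Assumption: a Threshold Set without its own variation uses the base rule.
        fn = self.variations.get(match.threshold_set, self.base)
        return max(0, min(100, fn(match.attributes)))  # assumed 0-100 scale

def score_matches(rules: Dict[str, MatchScoringRule], matches: List[Match]) -> List[int]:
    """Stage 1: score each match with its Scenario's rule (KeyError if none exists)."""
    return [rules[m.scenario].score(m) for m in matches]

def score_alert(match_scores: List[int]) -> int:
    """Stage 2: alert score from already-scored matches (assumed: highest match wins)."""
    if not match_scores:
        raise ValueError("no scored matches; match scoring must run before alert scoring")
    return max(match_scores)

def auto_close(alert_score: int, close_below: int = 20) -> bool:
    """Assumed installation setting: close alerts scoring below `close_below`."""
    return alert_score < close_below

# Constructed rules: SCN_A scores on amount and has a stricter HighRisk variation;
# SCN_B scores on transaction count and has no variations.
RULES = {
    "SCN_A": MatchScoringRule("SCN_A", base=lambda a: int(a["amount"] / 1000),
                              variations={"HighRisk": lambda a: int(a["amount"] / 500) + 10}),
    "SCN_B": MatchScoringRule("SCN_B", base=lambda a: int(a["txn_count"] * 5)),
}
SAMPLE_MATCHES = [  # constructed input
    Match("SCN_A", "Standard", {"amount": 12000}),  # 12
    Match("SCN_A", "HighRisk", {"amount": 12000}),  # 34
    Match("SCN_B", "Standard", {"txn_count": 3}),   # 15
]
```

Running `score_alert(score_matches(RULES, SAMPLE_MATCHES))` yields 34, so the sample alert stays open under the assumed cutoff.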