MA: Indicators of Compromise Tab

Document created by RSA Information Design and Development on Jul 29, 2016
Version 1Show Document
  • View in full screen mode

The Service Config view > Indicators of Compromise tab for the Security Analytics Malware Analysis provides a way to configure the way each of the four scoring modules uses the available rules to score data.

This is an example of the Indicators of Compromise tab.



The Indicators of Compromise tab consists of a toolbar and pageable grid.

This table describes the features of the grid.

Module selection listSelects the scoring module for which you want to view the Indicators of Compromise: All, Network, Static, Community, Sandbox, or Yara.
Description search fieldType text for which you are searching in the Description field.
Search buttonFilters the grid to display only Descriptions that match the Description search term.
Enable All buttonClick to enable all rules for the scoring module, as opposed to enabling all rules on the page using the checkbox.
Enable buttonClick to enable selected rules.
Disable All buttonClick to disable all rules for the scoring module, as opposed to disabling all rules on the page using the checkbox.
Disable buttonClick to disable selected rules.
Reset All buttonClick to reset all rows on the page to their default values.
Reset buttonClick to reset selected rows to their default values.
Save buttonClick to save changes you made on this page. If you leave the page without saving, the changes are lost. The description of each row with unsaved changes has a red corner.

This table describes the features of the toolbar.

Selection checkboxCheckboxes for selecting individual rows or all rows on the page.
Enabled checkboxIf the indicator of compromise is enabled, Security Analytics Malware Analysis uses the rule for scoring session data.
High Confidence checkboxIf checked, Security Analytics Malware Analysis treats the rule as one very likely to indicate the presence of malware, and an event that triggers that rule is marked in the results grid.
DescriptionDescribes the Indicator of Compromise.
ScoreSpecifies the score that you want to factor in to the total score for any event that triggers the rule. The default score is displayed and you can raise or lower the score by dragging the slider or typing a number in the score box.
File TypeDisplays the file types to which the rule applies. Possible values are ALL, PDF, MS Office, and Windows PE.
You are here: Malware Analysis References > Indicators of Compromise Tab