The Incident Rules view enables you to manage the automated incident creation process. NetWitness Respond creates incidents in two ways:
- Incident Rules: NetWitness Platform provides preconfigured rules that you can adjust for your environment. You can also create your own rules.
- Risk Scoring: (Endpoint Risk Scoring Settings are available in NetWitness Platform version 11.3 and later and only apply to NetWitness Endpoint.) NetWitness Respond uses these settings to automatically create risk scoring incidents for suspicious files and hosts that cross the defined risk score thresholds. If you get too many or too few risk scoring incidents, you can adjust these thresholds.
What do you want to do?
- To access the Incident Rules view, go to CONFIGURE > Incident Rules.
The Incident Rules view has two sections, one for each type of automated incident creation:
- Endpoint Risk Scoring Settings
- Incident Rules
Endpoint Risk Scoring Settings
The Endpoint Risk Scoring Settings enable you to configure the thresholds used to automatically create risk scoring alerts and incidents. When the calculated risk score for a suspicious file or host exceeds the specified threshold, a risk scoring alert and incident are created. RSA recommends that you keep the thresholds at the default values, but you may need to adjust these settings if you get too many or too few alerts and incidents.
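As an added illustration of the threshold behaviour described above (this is example code written for this page, not NetWitness code or a description of its internals), the following Python models how file and host risk scores are compared against thresholds and counts how many incidents each candidate threshold setting would produce. The entity names, scores, threshold values and the strict "greater than" comparison are all constructed assumptions; the product's actual field names and comparison rule are not stated on this page.

```python
# Added example (not NetWitness code): model the risk-score threshold check
# that gates automatic creation of risk scoring alerts and incidents, and
# show how raising or lowering a threshold changes incident volume.
from dataclasses import dataclass
from typing import Dict, List, Tuple

Observation = Tuple[str, str, int]  # (entity_type, name, risk_score)


@dataclass(frozen=True)
class Thresholds:
    """Assumed shape of the settings: one threshold for files, one for hosts."""
    file_score: int
    host_score: int


def crosses_threshold(entity_type: str, score: int, thresholds: Thresholds) -> bool:
    """True when the score exceeds the threshold for this entity type.

    The page says scores must "exceed" the threshold, so a strict comparison
    is used here; that direction is an assumption, not documented behaviour.
    """
    if entity_type == "file":
        limit = thresholds.file_score
    elif entity_type == "host":
        limit = thresholds.host_score
    else:
        raise ValueError(f"unknown entity type: {entity_type!r}")
    return score > limit


def incidents_for(observations: List[Observation], thresholds: Thresholds) -> List[Tuple[str, str]]:
    """Return the (entity_type, name) pairs that would open an incident."""
    return [
        (entity_type, name)
        for entity_type, name, score in observations
        if crosses_threshold(entity_type, score, thresholds)
    ]


def volume_by_threshold(
    observations: List[Observation], candidates: List[Thresholds]
) -> Dict[Tuple[int, int], int]:
    """Count the incidents each candidate setting would generate.

    This is the check an analyst wants before tuning: if the default setting
    produces too many incidents, see what a stricter one yields, and vice versa.
    """
    return {
        (c.file_score, c.host_score): len(incidents_for(observations, c))
        for c in candidates
    }


# Constructed sample scores (hypothetical file and host names, not real data).
SAMPLE: List[Observation] = [
    ("file", "dropper.exe", 92),
    ("file", "updater.exe", 70),
    ("host", "WS-01", 85),
    ("host", "WS-02", 40),
    ("file", "macro.doc", 80),
]

# Constructed candidate settings: an assumed default plus a stricter and a looser one.
CANDIDATES = [Thresholds(80, 80), Thresholds(90, 90), Thresholds(60, 60)]

if __name__ == "__main__":
    for setting, count in volume_by_threshold(SAMPLE, CANDIDATES).items():
        print(f"thresholds file/host={setting}: {count} incident(s)")
```

Note that `macro.doc` at a score of exactly 80 does not open an incident under the assumed default of 80 because the comparison is strict; if the product treats a score equal to the threshold as crossing it, the comparison would be `>=` instead.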
For more information on configuring NetWitness Endpoint, see the NetWitness Endpoint Configuration Guide.
The following table describes the fields in the Endpoint Risk Scoring Settings.
Incident Rules
The Incident Rules section enables you to create and manage incident rules for automating the incident creation process. NetWitness Platform provides preconfigured rules. You can add to and adjust these rules for your own environment.
The Incident Rules section consists of a list and a series of buttons. The following table describes the columns in the Incident Rules list.
Incident Rules Actions
The following table shows the operations that can be performed on the Incident Rules list.