AnsweredAssumed Answered

Working with correlation rules in Incident Management

Question asked by Craig Cameron-Weir on Sep 29, 2016
Latest reply on Sep 30, 2016 by Mark Karlstrand

Like • Show 0 Likes0
Comment • 1

I'm trying to work with the Incident Management module in 10.6, and I can't find documentation that properly explains its interaction with ESA alerts.

Why do correlation rules refer to Severity as a numeric value as opposed to a string? (ESA severities are Low, Medium, High, and Critical).
Where is the "Alert Rule ID" defined for an ESA alert?

Thanks

No one else has this question

Outcomes

1 Reply

Mark Karlstrand Sep 30, 2016 1:01 AM
Mark Correct
Correct Answer
Hi Craig,

Apologize that the UI and documentation is not more clear on this topic. I will circle back with the Docs and UX teams to file bugs and get these clarified.

As you correctly point out, ESA rules generate alerts that have a severity rating of either Low, Medium, High, or Critical. The mapping of the four alert severity levels to the 0-100 scale you can see when authoring an IM rule is configuration to define how IM translates the severity levels into the priority score on the incident. This is why the values are editable. For example, if critical is configured to 90 then an alert of that level will contribute a score of 90 to the incident priority. The IM rule then takes this score and either combines it with scores from other alerts it contains into an average or just takes the highest score and uses that for the incident priority.

The alert rule ID referred to in IM rules is the name of the ESA rule.
Like • Show 0 Likes0
Actions

Working with correlation rules in Incident Management

Outcomes

Related Content

Recommended Content