Hi,
Any idea how the risk score is calculated at the Respond Server for any Incident? I got to know that there is some internal algorithm for this. I am really curious to know this in detail.
Thanks in Advance / Deepak Shukla
Incidents are created by Incident Rules (Configure --> Incident Rules). When Alerts are triggered that match an Incident Rule, then they will be aggregated according to the Grouping Options (Group By and Time Window) you have set for that Incident Rule. The Priority section of the Incident Rule then determines the Risk Score for the full Incident based on the Risk Score of the individual Alerts that triggered. There are three options:
The Alerts are assigned a Severity of Critical, High, Medium, or Low, and those translate into numeric scores as shown in the screenshot. Those are defaults and can be changed for each individual Incident Rule.
Does that clarify it for you? Any other questions?