Risk Score Calculator for Additional Related Tables

  • Release version: Xanadu
  • Updated August 1, 2024

The Risk Score Calculator is provisioned with one risk-scoring rule as part of the base system to calculate the risk score of security incidents based on user-defined criteria. However, you can customize it to include additional related tables in the calculation of the risk score.

    Before you begin

    Role required: sn_si.admin.

    Procedure

    1. Navigate to All > Security Incident > Incidents > Show All Incidents.
    2. Select any security incident record.
    3. Select the Additional actions option next to the security incident number.
    4. Go to Configure > Related Lists.
    5. In the View name field, select Risk Score Calculator.
      After you select the view, move the related list you want to add from the slush bucket into the selected column. For example, Associated Sightings.
    6. Select Save.
      You have successfully added the new related lists or tables for which you want to calculate the risk score.
      Important:
      To calculate the risk score for the security incidents that have new criteria with the newly created related lists, you have to define business rules on the base table of the related list.
    7. Navigate to All > System Definition > Business Rules.
    8. Create the business rules on the base table of each related list you added. The base system uses the following two business rules to make the associated observables criteria work; use them as a reference when you create your own.

      The first is the Add SIs To Score Calculator Queue business rule.

      For example, a new security incident is created and associated with a record in the Observables [sn_ti_observable] table. A threat lookup then finds that the observable is malicious. All security incidents associated with this malicious observable must be added to the queue so that their risk scores are recalculated.

      The second is the Add Relation To Score Calculator Queue business rule.

      For example, a security incident is associated with an observable, or that association is removed, through a record in the Task Observables [sn_ti_m2m_task_observable] table being inserted or deleted. Because the incident's associations changed, that security incident must be added to the queue so that its risk score is recalculated.
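      The following is an added example, not a script from this page or from the ServiceNow base system: the two business rules described above, written in the server-side JavaScript shape a ServiceNow business rule uses (GlideRecord on sn_ti_observable and sn_ti_m2m_task_observable). It also embeds a minimal constructed stand-in for GlideRecord so the logic runs offline. The queue table name, its reference field, and the observable's malicious flag are assumptions and are marked ASSUMED; substitute the names on your instance. The shared helper skips tasks that are not security incidents and incidents that are already waiting in the queue, so repeated observable updates do not pile up duplicate recalculation work.

```javascript
// Added example: two risk-score business rules in GlideRecord style, with a
// constructed in-memory GlideRecord stand-in (only the calls used below).
// ASSUMED: queue table name and its reference field to the security incident.
const QUEUE_TABLE = 'sn_si_risk_score_queue';
const QUEUE_SI_FIELD = 'security_incident';

const db = {};       // table name -> array of row objects (constructed store)
let nextId = 0;

class GlideRecord {
  constructor(table) {
    this.table = table;
    db[table] = db[table] || [];
    this.filters = []; this.rows = []; this.pos = -1; this.rec = null;
  }
  addQuery(field, value) { this.filters.push([field, String(value)]); }
  query() {
    this.rows = db[this.table].filter(r => this.filters.every(([f, v]) => String(r[f]) === v));
    this.pos = -1;
  }
  next() { this.pos += 1; this.rec = this.rows[this.pos] || null; return this.rec !== null; }
  get(sysId) { this.rec = db[this.table].find(r => r.sys_id === sysId) || null; return this.rec !== null; }
  getValue(field) { return this.rec && field in this.rec ? String(this.rec[field]) : ''; }
  getUniqueValue() { return this.getValue('sys_id'); }
  initialize() { this.rec = {}; }
  setValue(field, value) { this.rec[field] = String(value); }
  insert() { this.rec.sys_id = 'sys' + (++nextId); db[this.table].push(this.rec); return this.rec.sys_id; }
}

// Seeding helper for the offline demo: insert a row, return its sys_id.
function insertRow(table, fields) {
  const gr = new GlideRecord(table);
  gr.initialize();
  for (const [k, v] of Object.entries(fields)) gr.setValue(k, v);
  return gr.insert();
}

// The "current" object a business rule receives: a record positioned on one row.
function currentFor(table, sysId) {
  const gr = new GlideRecord(table);
  gr.get(sysId);
  return gr;
}

// Shared helper: queue one security incident for re-scoring. Returns false for
// tasks that are not security incidents (m2m rows can point at any task) and
// for incidents already waiting in the queue, so no duplicate work is created.
function addToScoreCalculatorQueue(taskSysId) {
  const si = new GlideRecord('sn_si_incident');
  if (!si.get(taskSysId)) return false;
  const waiting = new GlideRecord(QUEUE_TABLE);
  waiting.addQuery(QUEUE_SI_FIELD, taskSysId);
  waiting.query();
  if (waiting.next()) return false;
  const q = new GlideRecord(QUEUE_TABLE);
  q.initialize();
  q.setValue(QUEUE_SI_FIELD, taskSysId);
  q.insert();
  return true;
}

// Rule 1, "Add SIs To Score Calculator Queue": after update on sn_ti_observable.
// When the observable is found malicious, every security incident linked to it
// through sn_ti_m2m_task_observable is queued. Returns how many were queued.
// ASSUMED: the lookup result is a boolean field named 'malicious' on the observable.
function addSIsToScoreCalculatorQueue(current) {
  if (current.getValue('malicious') !== 'true') return 0;
  const m2m = new GlideRecord('sn_ti_m2m_task_observable');
  m2m.addQuery('observable', current.getUniqueValue());
  m2m.query();
  let queued = 0;
  while (m2m.next()) {
    if (addToScoreCalculatorQueue(m2m.getValue('task'))) queued += 1;
  }
  return queued;
}

// Rule 2, "Add Relation To Score Calculator Queue": after insert or delete on
// sn_ti_m2m_task_observable. The association changed, so re-score that task.
function addRelationToScoreCalculatorQueue(current) {
  return addToScoreCalculatorQueue(current.getValue('task'));
}

// Constructed sample data, then both rules run as the platform would fire them.
function demo() {
  for (const t of Object.keys(db)) db[t].length = 0;   // reset between runs
  nextId = 0;
  const si1 = insertRow('sn_si_incident', { number: 'SIR0010001' });
  const si2 = insertRow('sn_si_incident', { number: 'SIR0010002' });
  const si3 = insertRow('sn_si_incident', { number: 'SIR0010003' });
  const chg = insertRow('change_request', { number: 'CHG0030001' });  // not an SI
  const obs = insertRow('sn_ti_observable', { value: '198.51.100.23', malicious: 'false' });
  for (const task of [si1, si2, chg]) insertRow('sn_ti_m2m_task_observable', { task, observable: obs });

  const beforeLookup = addSIsToScoreCalculatorQueue(currentFor('sn_ti_observable', obs));
  db.sn_ti_observable[0].malicious = 'true';           // threat lookup flags it
  const afterLookup = addSIsToScoreCalculatorQueue(currentFor('sn_ti_observable', obs));
  const rerun = addSIsToScoreCalculatorQueue(currentFor('sn_ti_observable', obs));
  const rel = insertRow('sn_ti_m2m_task_observable', { task: si3, observable: obs });
  const relationQueued = addRelationToScoreCalculatorQueue(currentFor('sn_ti_m2m_task_observable', rel));
  return { beforeLookup, afterLookup, rerun, relationQueued, queued: (db[QUEUE_TABLE] || []).length };
}

console.log(demo());
```

      On the platform, the body of addSIsToScoreCalculatorQueue goes in an after-update rule on sn_ti_observable with a condition on the malicious flag changing, and the body of addRelationToScoreCalculatorQueue in an after-insert/delete rule on sn_ti_m2m_task_observable; current is supplied by the platform rather than by currentFor.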