Restrictions on choosing a certain Risk Score Field?

Hello,

Are there any known or stated restrictions in choosing a certain field to be used as a Score Field? I am talking about the "Risk Correlation Scoring" dialog from "ACE Properties", where one may add new "Score Fields".

Background:
I am performing some tests on a SIEM 10.3.0 VM-based installation.
I have built a risk score definition coupled with the appropriately defined risk correlation manager. I am feeding events to it via a purpose-built ASP rule and the resulting parsed events carry a combination of pre-existing and newly defined fields (custom types).
So far I found that I receive the expected results - in terms of receiving the expected "FYI", "Minor", "Warning", "Major", or "Critical" events when reaching the risk score levels which I have put in the risk correlation manager defined for this purpose - only when I choose "Threat_Category" as "Score Field". If I choose for instance "Threat_Name" as "Score Field" it behaves as if no risk score is given to it. The same thing happens if I choose some of my newly defined fields as "Score Field".
It should be noted that the scoring conditional statements which I have put in the risk correlation score definition are based on my newly defined fields and those work as expected. This is proven because I have also defined a correlation rule which fires appropriately, every time, on the same conditions.
So, once again, with the same scoring conditional statements, "Threat_Category" appears to appropriately receive the intended risk score while, if replacing it with "Threat_Name", this is no longer happening. Actually, I haven't yet found another field besides "Threat_Category" to behave appropriately in terms of the received risk score.

Thank you in advance for any hints on this!

Lucian
