Restrictions on choosing a certain Risk Score Field?
Are there any known or stated restrictions on choosing a certain field to be used as a Score Field? I am talking about the "Risk Correlation Scoring" dialog from "ACE Properties", where one may add new "Score Fields".

Background: I am performing some tests on a SIEM 10.3.0 VM-based installation. I have built a risk score definition coupled with the appropriately defined risk correlation manager. I am feeding events to it via a purpose-built ASP rule, and the resulting parsed events carry a combination of pre-existing and newly defined fields (custom types).

So far I have found that I receive the expected results - in terms of receiving the expected "FYI", "Minor", "Warning", "Major", or "Critical" events when reaching the risk score levels which I have put in the risk correlation manager defined for this purpose - only when I choose "Threat_Category" as "Score Field". If I choose, for instance, "Threat_Name" as "Score Field", it behaves as if no risk score is given to it. The same thing happens if I choose some of my newly defined fields as "Score Field".

It should be noted that the scoring conditional statements which I have put in the risk correlation score definition are based on my newly defined fields, and those work as expected. This is proven because I have also defined a correlation rule which fires appropriately, every time, on the same conditions.

So, once again, with the same scoring conditional statements, "Threat_Category" appears to appropriately receive the intended risk score, while if it is replaced with "Threat_Name", this no longer happens. Actually, I haven't yet found another field besides "Threat_Category" that behaves appropriately in terms of the received risk score.