Showing results for 
Search instead for 
Did you mean: 

Restrictions on choosing a certain Risk Score Field ?


Are there any known or stated restrictions in choosing a certain field to be used as a Score Field ? I am talking about the "Risk Correlation Scoring" dialog from "ACE Properties", where one may add new "Score Fields".
I am performing some tests on a SIEM 10.3.0 VM based installation.
I have built a risk score definition coupled with the appropriately defined risk correlation manager. I am feeding events to it via a purpose built ASP rule and the resulting parsed events carry a combination of pre-existing and new defined fields (custom types).
So far I found that I receive the expected results - in terms of receiving the expected "FYI", "Minor", "Warning", "Major", or "Critical" events when reaching the risk score levels which I have put in the risk correlation manager defined for this purpose - only when I choose "Threat_Category" as "Score Field". If I choose for instance "Threat_Name" as "Score Field" it behaves as if no risk score is given to it. The same thing happens if I choose some of my new defined fields as "Score Field".
It should be noted that the scoring conditional statements which I have put in the risk correlation score definition are based on my new defined fields and those work as expected. This is proven because I have defined also a correlation rule which fires appropriately, every time, on the same conditions.
So, once again, with the same scoring conditional statements, "Threat_Category" appears to receive appropriately the intended risk score while, if replacing it with "Threat_Name", this is no longer happening. Actually, I haven't yet found another field besides "Threat_Category" to behave appropriately in terms of the received risk score.

Thank you in advance for any hints on this !


More McAfee Tools to Help You
  • Subscription Service Notification (SNS)
  • How-to: Endpoint Removal Tool
  • Support: Endpoint Security
  • eSupport: Policy Orchestrator
  • Community Help Hub

      New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

    • Find Forum FAQs
    • Learn How to Earn Badges
    • Ask for Help
    Go to Community Help

    Join the Community

      Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

    • Get helpful solutions from McAfee experts.
    • Stay connected to product conversations that matter to you.
    • Participate in product groups led by McAfee employees.
    Join the Community
    Join the Community