2019-07-17 07:23 AM
Hi,
Any idea how the risk score is calculated by the Respond Server for an Incident? I got to know that there is some internal algorithm for this. I am really curious to get a detailed explanation of this.
Thanks in Advance / Deepak Shukla
2019-07-17 11:15 AM
Incidents are created by Incident Rules (Configure --> Incident Rules). When Alerts are triggered that match an Incident Rule, then they will be aggregated according to the Grouping Options (Group By and Time Window) you have set for that Incident Rule. The Priority section of the Incident Rule then determines the Risk Score for the full Incident based on the Risk Score of the individual Alerts that triggered. There are three options:
The Alerts are assigned a Severity of Critical, High, Medium, or Low, and those translate into numeric scores as shown in the screenshot. Those are defaults and can be changed for each individual Incident Rule.
Does that clarify it for you? Any other questions?
2019-07-18 05:50 AM
Hi Sean,
Thanks for your response!
Well, my concern is more about Incidents which we manually create from Alerts. As you can see in the picture, even for LOW priority, the Risk score varies from 50-90. I would like to know how RSA calculates and assigns the Risk score to an Incident.
Thanks in Advance / Deepak Shukla
2019-07-18 04:43 PM
When you manually create an incident, the risk score of the incident will be equal to the highest severity score from among the selected alerts.
Example - the highest severity of these alerts is 40. Adding them all to a manual incident will set the risk score of the incident to 40: