Incident Rules

Incident Rules let you control which suspicious behaviors create incidents. Turn on the Incident Rules you want Endpoint Detection and Response to use to create incident detections, and turn off the Incident Rules that generate highly prevalent but low-risk detections.
You can filter the rules and then turn the filtered set On or Off. The following filters are available:
  • State
    • On
    • Off
  • Severity
    • Low
    • Medium
    • High
  • MITRE TACTIC
    • Initial Access
    • Execution
    • Persistence
    • Privilege Escalation
    • Defense Evasion
    • Credential Access
    • Discovery
    • Lateral Movement
    • Collection
    • Exfiltration
    • Command and Control
    • Impact
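The filter-then-toggle workflow above, as an added example that is not the product's own code or API: a small model of an Incident Rule set with the page's State, Severity and MITRE tactic values, a filter that accepts any combination of the three, a bulk On/Off switch, and a tuning helper that picks out the "highly prevalent but low-risk" rules the page suggests turning off. The rule names, the per-rule detection counts and the noise threshold are constructed for the example.

```python
"""Added example (not the product's own code): a model of the Incident
Rules page showing how filtering by State, Severity and MITRE tactic
narrows a rule set before rules are switched On or Off.
Rule names, detection counts and the threshold are constructed."""
from dataclasses import dataclass

# Filter values exactly as the page lists them.
STATES = ("On", "Off")
SEVERITIES = ("Low", "Medium", "High")
TACTICS = (
    "Initial Access", "Execution", "Persistence", "Privilege Escalation",
    "Defense Evasion", "Credential Access", "Discovery", "Lateral Movement",
    "Collection", "Exfiltration", "Command and Control", "Impact",
)


@dataclass
class IncidentRule:
    name: str
    severity: str
    tactic: str
    state: str = "On"
    # Constructed field: detections the rule produced in a recent window.
    detections: int = 0

    def __post_init__(self):
        # Reject anything that is not one of the page's filter values.
        if self.state not in STATES:
            raise ValueError(f"bad state {self.state!r}")
        if self.severity not in SEVERITIES:
            raise ValueError(f"bad severity {self.severity!r}")
        if self.tactic not in TACTICS:
            raise ValueError(f"bad tactic {self.tactic!r}")


def filter_rules(rules, state=None, severity=None, tactic=None):
    """Return the rules matching every filter that is given (None = any)."""
    return [
        r for r in rules
        if (state is None or r.state == state)
        and (severity is None or r.severity == severity)
        and (tactic is None or r.tactic == tactic)
    ]


def set_state(rules, state):
    """Switch the given rules On or Off; return the names that changed."""
    if state not in STATES:
        raise ValueError(f"bad state {state!r}")
    changed = []
    for r in rules:
        if r.state != state:
            r.state = state
            changed.append(r.name)
    return changed


def noisy_low_risk(rules, threshold):
    """Candidates to turn Off: Low-severity rules that are On and firing
    at or above the constructed detection threshold."""
    return [r for r in filter_rules(rules, state="On", severity="Low")
            if r.detections >= threshold]


def tune(rules, threshold=500):
    """Turn Off the noisy Low-severity rules, then report how many rules
    remain On under each MITRE tactic (tactics with none are omitted)."""
    turned_off = set_state(noisy_low_risk(rules, threshold), "Off")
    remaining = {t: len(filter_rules(rules, state="On", tactic=t)) for t in TACTICS}
    return turned_off, {t: n for t, n in remaining.items() if n}


# Constructed sample rule set (names and counts are made up).
SAMPLE_RULES = [
    IncidentRule("Office app spawns shell", "High", "Execution", detections=3),
    IncidentRule("New run key", "Medium", "Persistence", detections=40),
    IncidentRule("Local account enumeration", "Low", "Discovery", detections=900),
    IncidentRule("LSASS memory read", "High", "Credential Access", detections=1),
    IncidentRule("Unsigned scheduled task", "Low", "Persistence", detections=650),
    IncidentRule("Remote service creation", "Medium", "Lateral Movement",
                 state="Off", detections=12),
]

if __name__ == "__main__":
    off, on_by_tactic = tune(SAMPLE_RULES)
    print("turned Off:", off)
    print("still On per tactic:", on_by_tactic)
```

The per-tactic summary after tuning is the check worth keeping: turning off noisy rules should never leave a tactic you care about with zero rules On, and comparing the summary before and after a bulk change makes that gap visible.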