
XDR Asset Value - Override default/manual Value via rules

YZ2
Level 1

Hi,

I am looking for an option to remove the default and manually set values so that the values of my rules are applied.

Or is there a bug that prevents rules from overwriting previously set values?

Thanks in advance!

1 Accepted Solution


mmcphee
Cisco Employee

You should be able to do this using the Rules button in the Assets > Device view, as shown below: Screenshot 2025-01-23 at 11.15.10.png

If this is not working for your tenant, I would first search to ensure another rule is not overriding the one you intended, and absent that I would submit a case as described on this page: https://docs.xdr.security.cisco.com/Content/contact-support.htm

Hope this helps!


7 Replies

Rene Mueller
Level 5

@mmcphee As I can see in your screenshot, you set the asset value for Linux servers to 8. Are there any best practices or guidelines on how to set the value for, say, a Windows client or server or other device?

So the thing to keep in mind is that the value gets multiplied in for incident scoring... Depending upon how you use that, it may influence how you score the devices. In XDR it's not generally problematic, you'll still see all incidents.
In CVM, if your scores are too low, it quits showing you stuff if the scores end up being too low.
(not sure if they have those syncing yet... but it's on a roadmap...)

What does CVM mean?

Cisco Vulnerability Management aka Kenna...

@Rene Mueller unfortunately, "it depends" is the rule, not the exception. Every environment has a different risk profile and while some may determine that a certain group of assets are low priority, others may flip the value. This is most often a risk-focused discussion and should be agreed to and documented well before using these rules in a production XDR implementation.

Hope that helps!

Are there any guidelines which can help set the right value? Like, is a client computer more risky than a server because users have way more contact with the internet than a server does? What can be the key indicators to create those risk profiles? I would like to set this up in our environment, but it feels difficult to do so without a best practice, checklist or guidance. Leaving every device set to default (10) feels a bit wrong.