Severity
Severity measures the potential impact of an event, i.e., the level of damage it could cause if the event is real and the attack succeeds.
Each ticket has a severity level set on creation, with medium as the default.
It is typically a relatively static classification defined by the detection rule or use case and does not change significantly over time. Severity levels can be updated automatically through signals or manually in the UI.
The numeric range used is 0 to 90.
Standard Levels
Standard SIGMA notation is used by default.
Severity levels are listed in the severity section of the setup Library file, each with its numeric equivalent.
---
define:
  type: alerts/severity
  severity:
    critical: 90
    high: 70
    medium: 50
    low: 30
    info: 10
    _: 50
  variants:
    highest: 90
Note
Options from the severity section prevail over their equivalents in the variants section. With the above setup example, the severity level critical will be offered in the UI for selection, while the severity level highest is ignored.
Name Variants
Options in the variants section allow the same severity level to be targeted by different names.
With the below setup example, the severity level info can also be referred to as lowest or informational in detection rules and signals.
---
define:
  type: alerts/severity
  severity:
    <...>
    info: 10
  variants:
    lowest: 10
    informational: 10
Additional Options
Options in the variants section can also add further choices to the UI if needed.
With the below setup example, custom will be offered in the UI for selection, and if selected, the ticket gets a severity level of 77.
---
define:
  type: alerts/severity
  severity:
    <...>
  variants:
    custom: 77
Unspecified Levels
If a numeric severity level that is not specified in any section of the setup file is received, it is presented in the ticket's details as-is.
The respective name key can be added to the setup file at any time.
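The following resolver is an added example, not the product's own code. It implements the rules described in the sections above in one place: the severity section prevails over variants (so critical is offered in the UI and highest is not), variants act as aliases for rules and signals (lowest and informational resolve to info's 10), a variant with a number the severity section lacks is offered as an extra choice (custom, 77), the `_` key supplies the default, and a number no section names is displayed as-is. The setup is embedded as the dict `yaml.safe_load` would return for the page's examples combined; the class and method names (`SeverityTable`, `resolve`, `display_name`, `ui_options`) are assumptions for illustration.

```python
"""Resolve severity names and numbers from an alerts/severity setup definition.

Added example, not the product's own code. Class and method names are
illustrative assumptions; the precedence rules follow the documentation.
"""
from __future__ import annotations

from typing import Dict, List, Optional, Tuple, Union

Level = Union[int, str, None]

# Constructed equivalent of the parsed setup Library file: the dict that
# yaml.safe_load() returns for the page's first example, plus the variant
# aliases and the custom option from the later examples.
SETUP = {
    "define": {
        "type": "alerts/severity",
        "severity": {
            "critical": 90,
            "high": 70,
            "medium": 50,
            "low": 30,
            "info": 10,
            "_": 50,  # default level for a ticket created without one
        },
        "variants": {
            "highest": 90,        # same number as critical: not offered in the UI
            "lowest": 10,         # alias for info
            "informational": 10,  # alias for info
            "custom": 77,         # number absent from severity section: offered in the UI
        },
    }
}

MIN_LEVEL, MAX_LEVEL = 0, 90  # numeric range used for severity


def load_setup(text: str) -> dict:
    """Parse a setup file's YAML text (needs PyYAML; not used by the demo below)."""
    import yaml  # local import so the rest of the module runs without PyYAML
    return yaml.safe_load(text)


class SeverityTable:
    """Name <-> number lookups with the precedence rules from the setup file."""

    def __init__(self, setup: dict) -> None:
        define = setup["define"]
        if define.get("type") != "alerts/severity":
            raise ValueError("setup is not an alerts/severity definition")
        standard: Dict[str, int] = dict(define.get("severity", {}))
        self.default: int = standard.pop("_", 50)  # medium when `_` is absent
        self.standard = standard
        self.variants: Dict[str, int] = dict(define.get("variants", {}))
        # Names accepted from rules and signals; standard names override variants.
        self.by_name: Dict[str, int] = {**self.variants, **self.standard}
        # Canonical display name per number; severity section prevails over variants.
        self.by_number: Dict[int, str] = {}
        for name, number in self.variants.items():
            self.by_number.setdefault(number, name)
        for name, number in self.standard.items():
            self.by_number[number] = name

    def resolve(self, level: Level) -> int:
        """Turn a level from a rule or signal into the number stored on the ticket."""
        if level is None:
            return self.default
        if isinstance(level, str):
            key = level.strip().lower()
            if key in self.by_name:
                return self.by_name[key]
            if not key.lstrip("-").isdigit():
                raise KeyError(f"unknown severity name: {level!r}")
            level = int(key)
        if not MIN_LEVEL <= level <= MAX_LEVEL:
            raise ValueError(f"severity {level} outside {MIN_LEVEL}..{MAX_LEVEL}")
        return level

    def display_name(self, number: int) -> str:
        """Name shown in ticket details; an unspecified number is shown as-is."""
        return self.by_number.get(number, str(number))

    def ui_options(self) -> List[Tuple[str, int]]:
        """Choices offered for manual selection, highest severity first."""
        return [(name, num) for num, name in sorted(self.by_number.items(), reverse=True)]


if __name__ == "__main__":
    table = SeverityTable(SETUP)
    print("UI options:", table.ui_options())
    for incoming in (None, "critical", "highest", "informational", "custom", "42"):
        number = table.resolve(incoming)
        print(f"{incoming!r:>16} -> {number:>3} shown as {table.display_name(number)}")
```

When validating a setup file, the `ui_options()` output is the quickest check that precedence behaves as intended: a variant that silently collides with a standard level (as highest does here) never appears, while a variant with a distinct number (custom) does.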