# Risk Scoring in LogMan.io Correlator
LogMan.io Correlator includes native support for risk scoring, which allows you to assign numerical severity values to detections. This risk score can then be used in further analysis, prioritization, alerting, or response logic.
## What is a risk score?
A risk score is a numeric value that represents how severe or impactful a detection is. It provides a standardized way to:
- Prioritize outputs of triggers (complex events, alerts)
- Inform automated response systems
- Help analysts triage high-risk detections first
- Aggregate risk across entities such as users, IPs, or assets
Risk scores in LogMan.io are floating point values, e.g. `30.0`.
## Where is the risk score defined?
The base risk score is defined in the `define` section of a correlation rule:

```yaml
define:
  name: "Phishing/Spam count by source IP"
  ...
  risk_score: 30.0
```
This value is the default severity assigned to the correlation when the detection is triggered.
## Dynamic (custom) risk score from lookups
Organizations can override or extend the base risk score dynamically using lookups.
### `ruleid2riskscore` Lookup

To override or add to the base score of a rule, define a `ruleid2riskscore` lookup entry for the rule:

key | score
---|---
/Correlations/Fortinet/Fortimail/Phishing Count By Source IP.yaml | 10.0
When the correlation is triggered, this score will be added to the rule’s defined base score.
### Example

If a rule has `risk_score: 30.0` and the lookup defines an additional `score: 10.0`, then the final calculated risk score is:

30.0 (defined) + 10.0 (lookup) = 40.0
## Risk contribution from IOCs
Users can increase risk scores further by adding threat intelligence values to lookups in a group named `ioc`. These values typically include high-risk IP addresses, domains, hostnames, etc.

Each entry can define a custom `ioc` score:

key | score
---|---
203.0.113.66 | 15.0

key | score
---|---
phishing-domain.example.com | 25.0

If `score` is missing in the lookup entry, the default is `10.0`.
If an IOC from this list is part of the detected event's dimensions (defined in the `evaluate` section), its score is also added to the final risk score.
### Final risk score formula

```text
final_risk_score = base_score (from rule) + score (from ruleid2riskscore) + score (from ioc lookup)
```
### Example

A correlation has:

- In `define`, `risk_score: 30.0`
- Custom rule lookup entry: `score: 10.0`
- IOC entry: `score: 25.0`

30.0 + 10.0 + 25.0 = 65.0
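The formula above, carried through in code as an added example (this is not LogMan.io's own implementation). It assumes lookups are modelled as plain dicts, that an `ioc` entry is a dict whose `score` key may be missing, and that every IOC matching a dimension value contributes its score:

```python
# Added worked example of the risk score formula; not LogMan.io Correlator code.
# Assumptions: lookups are plain dicts, an ioc entry may lack "score", and every
# IOC found among the event's dimension values adds its score to the total.

DEFAULT_IOC_SCORE = 10.0  # used when an ioc lookup entry has no score


def final_risk_score(rule_id, rule_define, ruleid2riskscore, ioc_lookups, dimensions):
    """Return base_score + ruleid2riskscore score + scores of matching IOCs.

    rule_id          -- path of the correlation rule, the key in ruleid2riskscore
    rule_define      -- the rule's define section; base score is its risk_score
    ruleid2riskscore -- {rule_id: score}
    ioc_lookups      -- lookups in the ioc group, each {key: {"score": x} or {}}
    dimensions       -- the detected event's dimensions from the evaluate section
    """
    base = float(rule_define.get("risk_score", 0.0))       # assumed 0.0 if undefined
    rule_extra = float(ruleid2riskscore.get(rule_id, 0.0))  # 0.0 when no entry
    ioc_extra = 0.0
    for value in dimensions.values():
        for lookup in ioc_lookups:
            entry = lookup.get(value)
            if entry is not None:
                ioc_extra += float(entry.get("score", DEFAULT_IOC_SCORE))
    return base + rule_extra + ioc_extra


# Constructed sample data mirroring the values used on this page.
RULE_ID = "/Correlations/Fortinet/Fortimail/Phishing Count By Source IP.yaml"
RULE_DEFINE = {"name": "Phishing/Spam count by source IP", "risk_score": 30.0}
RULEID2RISKSCORE = {RULE_ID: 10.0}
IOC_LOOKUPS = [
    {"203.0.113.66": {"score": 15.0}},
    {"phishing-domain.example.com": {"score": 25.0}},
    {"198.51.100.7": {}},  # constructed entry without a score -> default 10.0
]


def example_scores():
    """Three cases: the page's 65.0 example, the default IOC score, no IOC match."""
    args = (RULE_ID, RULE_DEFINE, RULEID2RISKSCORE, IOC_LOOKUPS)
    with_domain = final_risk_score(
        *args, {"source.ip": "192.0.2.10", "url.domain": "phishing-domain.example.com"})
    default_ioc = final_risk_score(*args, {"source.ip": "198.51.100.7"})
    no_match = final_risk_score(*args, {"source.ip": "192.0.2.10"})
    return with_domain, default_ioc, no_match
```

Note that an event with no matching IOC still scores 40.0 here, because the `ruleid2riskscore` entry is added whenever the rule triggers.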
The risk score is passed to Alert Management via signals and, in the case of the ECS schema, is part of the triggered event:

```yaml
event.risk_score: 65.0
```
For more information about risk scoring in ECS schema, see Event Fields.
## Why use risk scoring?
Risk scoring enhances security operations by:
- Reducing noise in high-volume environments
- Prioritizing critical alerts
- Enabling risk-based response automation
- Supporting entity risk tracking across time
## Summary

Component | Source | Effect on Final Risk Score
---|---|---
Base score | Correlation `define` | Sets the starting value
Custom rule score | `ruleid2riskscore` lookup | Adds organization-specific score
IOC score | `ioc` lookup | Adds context-based risk based on a dimension (in the `evaluate` section)
Risk scoring in LogMan.io is flexible and extendable, designed to adapt to organizational needs while remaining simple to configure and interpret.
For implementation details and examples, refer to our correlation documentation.