# Risk Scoring in LogMan.io Correlator
LogMan.io Correlator includes native support for risk scoring, which allows you to assign numerical severity values to detections and, consequently, to the dimensions under investigation, such as users, devices, IP addresses and so on. This risk score can then be used in further analysis, prioritization, alerting, or response logic.
Risk scores in LogMan.io are floating point values, e.g. `30.0`. The recommended scale is from `0.0` to `100.0`, where `20.0` represents a low risk score, `50.0` a medium risk score and `80.0` a high risk score.
## What is a risk score?

A risk score is a numeric point value that represents how severe or impactful a detection is. It provides a standardized way to:
- Prioritize outputs of triggers (complex events, alerts)
- Inform automated response systems
- Help analysts triage high-risk detections first
- Aggregate risk across entities such as users, IPs, or assets
## Why use risk scoring?
Risk scoring enhances security operations by:
- Reducing noise in high-volume environments
- Prioritizing critical alerts
- Enabling risk-based response automation
- Supporting entity risk tracking across time
## Summary

| Component | Source | Effect on Final Risk Score |
|---|---|---|
| Base risk score | Correlation `define` | Sets the starting value |
| Relative risk score | `ruleid2riskscore` lookup | Adds organization alignment to the risk score |
| IOC-based risk score | `ioc` lookup | Adds context-based risk based on the dimension (in `evaluate` section) |
Risk scoring in LogMan.io is flexible and extendable, designed to adapt to organizational needs while remaining simple to configure and interpret.
For implementation details and examples, refer to our correlation documentation.
## Where is the risk score defined?

The base risk score is defined in the `define` section of a correlation rule:

```yaml
define:
  name: "Phishing/Spam count by source IP"
  ...
  risk_score: 30.0
```
This value is the default severity assigned to the correlation when triggered.
## Relative risk score from lookups

Tenants can add their organization alignment to the risk score by using the relative risk score dynamically from lookups.
### `ruleid2riskscore` Lookup

To add a relative risk score to the base risk score of a rule, define a `ruleid2riskscore` lookup entry for the rule:

| key | score |
|---|---|
| `/Correlations/Fortinet/Fortimail/Phishing Count By Source IP.yaml` | 10.0 |
When the correlation is triggered, this score will be added to the rule’s defined base score.
### Example

If a rule has `risk_score: 30.0` and the lookup defines an additional `score: 10.0`, then the final calculated risk score is:

```
30.0 (defined) + 10.0 (lookup) = 40.0
```
## Risk contribution from IOCs

Users can increase risk scores further by adding threat intelligence values to lookups in a group named `ioc`. These values typically include high-risk IP addresses, domains, hostnames, etc.

Each entry can define a custom `ioc` score:

| key | risk.score |
|---|---|
| `203.0.113.66` | 15.0 |

| key | risk.score |
|---|---|
| `phishing-domain.example.com` | 25.0 |

If the risk score is missing in the lookup, the default value is `10.0`.

If an IOC from this list is part of the detected event's dimensions (defined in the `evaluate` section), its score is also added to the final risk score.
### Total risk score formula

```
total_risk_score = base_score (from rule) + score (from ruleid2riskscore) + score (from ioc lookup)
```
### Example

A correlation has:

- In `define`, `risk_score: 30.0`
- Relative risk score lookup entry for the given rule: `score: 10.0`
- IOC entry: `score: 25.0`

```
30.0 + 10.0 + 25.0 = 65.0
```

This value lies between the medium (`50.0`) and high (`80.0`) reference values of the risk score scale.
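The following is an added illustration of the formula above, not code from LogMan.io Correlator: it combines the `define` base score, the `ruleid2riskscore` entry and the `ioc` lookup (with the documented `10.0` default for a missing `risk.score`) for one triggered correlation. The lookup contents are constructed sample data, the rule path is the one from the `ruleid2riskscore` example, and the assumption that every matched IOC in the dimensions adds its own score is ours.

```python
# Added illustration of the documented risk score formula; not LogMan.io code.
# total = base (define) + score (ruleid2riskscore) + score (ioc lookup)

IOC_DEFAULT_SCORE = 10.0  # documented default when risk.score is absent in the ioc lookup

# Constructed sample data mirroring the documentation tables.
RULE = {
    "path": "/Correlations/Fortinet/Fortimail/Phishing Count By Source IP.yaml",
    "risk_score": 30.0,  # the define section's base score
}
RULEID2RISKSCORE = {RULE["path"]: 10.0}  # relative score for this rule
IOC_LOOKUP = {
    "203.0.113.66": {"risk.score": 15.0},
    "phishing-domain.example.com": {"risk.score": 25.0},
    "198.51.100.7": {},  # constructed entry with no risk.score -> default applies
}


def compute_risk_score(rule, ruleid2riskscore, ioc_lookup, dimensions):
    """Return (total, breakdown) for one triggered correlation.

    dimensions: the values from the evaluate section (IPs, domains, ...).
    Assumption (not stated on the page): each matched IOC adds its own score.
    """
    base = float(rule.get("risk_score", 0.0))
    relative = float(ruleid2riskscore.get(rule["path"], 0.0))
    ioc_total = 0.0
    matched = []
    for value in dimensions:
        entry = ioc_lookup.get(value)
        if entry is None:
            continue  # dimension value is not a known indicator
        score = float(entry.get("risk.score", IOC_DEFAULT_SCORE))
        ioc_total += score
        matched.append((value, score))
    total = base + relative + ioc_total
    breakdown = {"base": base, "relative": relative, "ioc": ioc_total, "matched": matched}
    return total, breakdown


if __name__ == "__main__":
    # Reproduces the page's worked example: 30.0 + 10.0 + 25.0 = 65.0
    total, detail = compute_risk_score(
        RULE, RULEID2RISKSCORE, IOC_LOOKUP, ["phishing-domain.example.com"]
    )
    print({"event.risk_score": total}, detail)
```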
The risk score is passed to Alert Management via signals and, in the case of the ECS schema, is part of the triggered event:

```yaml
event.risk_score: 65.0
```

For more information about risk scoring in the ECS schema, see Event Fields.