
Severity

Severity measures the potential impact of an event, i.e., the level of damage it could cause if it is real and successful.

The numeric range used is 0 to 90.

It is typically a relatively static classification, defined by the detection rule or use case, which does not change significantly over time.

Severity levels can be updated automatically through signals or manually in the UI. For automatically created tickets, severity is assigned based on the severity attribute in the define section of the relevant detection rule. It is up to investigators and analysts to determine severity levels for specific cases based on the company's security practices. For example, a correlation with numerous inputs (such as failed logins followed by successful logins) might be given a higher severity, being potentially more harmful.

Each ticket must have its severity level set on creation; LogMan.io Alerts assigns medium by default if not set otherwise.

Standard Levels

Standard SIGMA notation is used by default.

Severity levels are listed in the severity section of the setup file in the Library, each with its numeric equivalent.

/Alerts/Severity/severity.yaml
---
define:
  type: alerts/severity

severity:
  critical: 90
  high: 70
  medium: 50
  low: 30
  info: 10
  _: 50

variants:
  highest: 90

Note

Options from the severity section prevail over their equivalents in the variants section. With the above setup example, severity level critical will be offered in the UI for selection, while severity level highest is ignored.

Name Variants

Options in the variants section allow the same severity level to be referred to by different names.

With the below setup example, severity level info can also be referred to as lowest or informational in detection rules and signals.

/Alerts/Severity/severity.yaml
---
define:
  type: alerts/severity

severity:
  <...>
  info: 10

variants:
  lowest: 10
  informational: 10

Additional Options

Options in the variants section also allow additional options to be offered in the UI if needed.

With the below setup example, custom will be offered in the UI for selection and, if selected, the ticket gets a severity level of 77.

/Alerts/Severity/severity.yaml
---
define:
  type: alerts/severity

severity:
  <...>

variants:
  custom: 77

Unspecified Levels

If a numeric severity level that is not specified in any of the setup file sections is received, it is presented in the ticket's details as is.

The respective name key can be added to the setup file at any time.
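The resolution rules described on this page (names in the severity section prevail over variants, variants add alternate names or extra UI options, unspecified numeric levels are kept as is, and medium is the default) can be checked against a setup file with the following added example. It is not code from LogMan.io Alerts; it merges the three severity.yaml fragments above into one constructed sample, assumes that the _ entry in the severity section is the default level, and uses a deliberately small parser that handles only the flat two-level YAML shape shown here.

```python
from __future__ import annotations

# Constructed sample: the three severity.yaml fragments from the page merged
# into one file so that every documented rule can be exercised at once.
SEVERITY_YAML = """\
---
define:
  type: alerts/severity

severity:
  critical: 90
  high: 70
  medium: 50
  low: 30
  info: 10
  _: 50

variants:
  highest: 90
  lowest: 10
  informational: 10
  custom: 77
"""

MIN_LEVEL, MAX_LEVEL = 0, 90  # numeric range stated in the docs


def parse_flat_yaml(text: str) -> dict[str, dict[str, str]]:
    """Parse the 'section:' / '  key: value' subset used by severity.yaml.

    Assumption: the setup file never nests deeper than two levels and has
    no lists, so a general YAML parser is not needed for this check.
    """
    sections: dict[str, dict[str, str]] = {}
    current: str | None = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "---" or line.lstrip().startswith("#"):
            continue
        if not line.startswith(" "):  # unindented line: a new section header
            current = line.rstrip(":").strip()
            sections[current] = {}
            continue
        if current is None:
            raise ValueError(f"key outside any section: {line!r}")
        key, sep, value = line.strip().partition(":")
        if not sep:
            raise ValueError(f"expected 'key: value', got {line!r}")
        sections[current][key.strip()] = value.strip()
    return sections


class SeverityMap:
    """Name <-> number resolution following the documented precedence."""

    DEFAULT_KEY = "_"  # assumption: the '_' entry is the default level

    def __init__(self, sections: dict[str, dict[str, str]]) -> None:
        if sections.get("define", {}).get("type") != "alerts/severity":
            raise ValueError("setup file is not of type alerts/severity")
        levels = {k.lower(): int(v) for k, v in sections.get("severity", {}).items()}
        self.default = levels.pop(self.DEFAULT_KEY, 50)  # medium if '_' is absent
        self.levels = levels
        self.variants = {k.lower(): int(v) for k, v in sections.get("variants", {}).items()}
        for name, num in {**self.levels, **self.variants}.items():
            if not MIN_LEVEL <= num <= MAX_LEVEL:
                raise ValueError(f"{name}: {num} outside {MIN_LEVEL}..{MAX_LEVEL}")

    def resolve(self, value: int | str | None) -> int:
        """Turn a rule's or signal's severity attribute into a number.

        None -> default; a number (or numeric string) is kept as is even when
        no name maps to it; a name is looked up in severity first, then variants.
        """
        if value is None:
            return self.default
        if isinstance(value, str) and value.strip().lstrip("-").isdigit():
            value = int(value)
        if isinstance(value, int):
            if not MIN_LEVEL <= value <= MAX_LEVEL:
                raise ValueError(f"severity {value} outside {MIN_LEVEL}..{MAX_LEVEL}")
            return value
        name = str(value).strip().lower()
        if name in self.levels:
            return self.levels[name]
        if name in self.variants:
            return self.variants[name]
        raise KeyError(f"unknown severity name: {value!r}")

    def name_of(self, number: int) -> str | None:
        """Display name for a number; severity names win over variants.
        None means the ticket shows the bare number (an unspecified level)."""
        for table in (self.levels, self.variants):
            for name, num in table.items():
                if num == number:
                    return name
        return None

    def ui_options(self) -> dict[str, int]:
        """Selectable levels: all severity entries plus any variant whose number
        no severity entry covers (highest is hidden behind critical, custom is offered)."""
        options = dict(self.levels)
        covered = set(self.levels.values())
        for name, num in self.variants.items():
            if num not in covered:
                options[name] = num
                covered.add(num)
        return options


SEVERITY = SeverityMap(parse_flat_yaml(SEVERITY_YAML))

if __name__ == "__main__":
    for raw in ("critical", "highest", "informational", "custom", 42, None):
        num = SEVERITY.resolve(raw)
        print(f"{raw!r:>16} -> {num:2d} shown as {SEVERITY.name_of(num) or num}")
    print("UI options:", SEVERITY.ui_options())
```

Running the module prints how each input resolves and which names the UI would offer; the useful check for a real deployment is ui_options(), which shows at a glance whether a variant is an alias hidden behind a standard level or a genuinely new selectable option.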