Hello,
I’m trying to better understand the distinction between the following Mandiant Active Breach Threat Intelligence fields:
- GCTI Priority
- Confidence
- Severity
From what I understand:
- Confidence appears to reflect how certain Mandiant is about the intelligence or attribution.
- Severity seems to describe the impact level of the activity.
- GCTI Priority may represent recommended operational urgency.
However, I’m seeing cases where:
- GCTI Priority = Unspecified
- Severity = None
I’m trying to understand:
- What is the precise functional difference between GCTI Priority and Severity?
- In what scenarios would GCTI Priority be marked as Unspecified?
- Why would Severity be set to None — does that mean informational only, contextual intel, or something else?
- Should detections with “Unspecified” priority be treated as lower operational risk, or is that field independent of risk scoring?
Any clarification on how these three attributes are intended to be interpreted in operational workflows would be greatly appreciated.
Thank you.
