Question

Mismatched severity value UNKNOWN_SEVERITY

  • March 30, 2026
  • 4 replies
  • 34 views

EP0

I’m looking at Crowdstrike events and trying to get an overview of all the detections by first getting a count of unique severity, tactic, technique, description, product event type combinations.
 

events: 
$e.metadata.log_type = "CS_ALERTS"
$e_product_evtype = $e.metadata.product_event_type
$e_desc = $e.metadata.description
$e_tactic = $e.security_result.attack_details.tactics.name
$e_technique = $e.security_result.attack_details.techniques.name
$e_severity = $e.security_result.severity
match:
$e_severity, $e_tactic, $e_technique, $e_desc, $e_product_evtype
outcome:
$event_count = count_distinct($e.metadata.id)
order:
$event_count desc

However, I noticed that there are several severities with the value “UNKNOWN_SEVERITY”.
 


Doing a UDM search for this severity value gives results, but the UDM field looks like it has the proper values:
 

 
Based on Severity | Google Security Operations | Google Cloud Documentation, UNKNOWN_SEVERITY is “The default severity level.”, but this does not tell me much. I assume this is the value populated when there is no actual severity value in the logs, but this is not the case based on the CS_ALERTS example.

Am I missing something fundamental here? Any feedback would be appreciated!

4 replies


In Google SecOps UDM, an Enum (a static dictionary of values) has a default (0) value, and so here you are seeing entries without a severity set, which means the 0 value is used, and hence it is UNKNOWN_SEVERITY - https://docs.cloud.google.com/chronicle/docs/reference/udm-field-list#securityresultproductseverity


EP0
  • Author
  • Bronze 3
  • March 31, 2026

In Google SecOps UDM, an Enum (a static dictionary of values) has a default (0) value, and so here you are seeing entries without a severity set, which means the 0 value is used, and hence it is UNKNOWN_SEVERITY - https://docs.cloud.google.com/chronicle/docs/reference/udm-field-list#securityresultproductseverity

Thanks for the information! However, I’m still confused.

Based on the second screenshot I have, I specifically looked for UNKNOWN_SEVERITY and, on the selected event, the severity shows “MEDIUM”, meaning it has a severity set.

Here is another example.

Looking at stats for this specific CS description shows the severities “UNKNOWN_SEVERITY” and “MEDIUM”:
 


But a UDM search for the actual event for that description shows that the severity is set to “MEDIUM”:
 


Could you please elaborate on this behaviour?



Security Result is a repeated object, and notice in your screenshot you have security_result[1] and security_result[0], likely with one set to MEDIUM and one unset, i.e., UNKNOWN_SEVERITY.

 

As it’s CS Alerts, it probably has multiple alerts in one message, hence they get mapped to an array of security_results.
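To make the repeated-field behaviour described in the reply above concrete, here is an added Python model (not Google SecOps code, and not the original poster's query) of what the stats query and the UDM search each see. It assumes that grouping on a repeated field in the match section produces one row per security_result element, that an unset enum field reads as its zero value (UNKNOWN_SEVERITY), and that a UDM search on security_result.severity matches an event if any element matches. The sample events are constructed, as are the tactic and technique names.

```python
"""
Model of why a stats query grouped on security_result.severity shows an
UNKNOWN_SEVERITY bucket while a UDM search of the same event shows MEDIUM.

Added illustration, not Google SecOps code. The flattening rule (one row per
security_result element) and the sample events below are assumptions.
"""
from collections import defaultdict

# proto3 enum default: an unset severity reads as value 0, i.e. UNKNOWN_SEVERITY
DEFAULT_SEVERITY = "UNKNOWN_SEVERITY"

# Constructed sample events in a UDM-like shape (not real telemetry).
# evt-1 has two security_result elements; only the first carries a severity.
SAMPLE_EVENTS = [
    {
        "metadata": {"id": "evt-1", "log_type": "CS_ALERTS",
                     "product_event_type": "DetectionSummaryEvent",
                     "description": "A user performed a network login to an unusual number of endpoints"},
        "security_result": [
            {"severity": "MEDIUM",
             "attack_details": {"tactics": [{"name": "Lateral Movement"}],
                                "techniques": [{"name": "Remote Services"}]}},
            {"attack_details": {"tactics": [{"name": "Lateral Movement"}],
                                "techniques": [{"name": "Remote Services"}]}},
        ],
    },
    {
        "metadata": {"id": "evt-2", "log_type": "CS_ALERTS",
                     "product_event_type": "DetectionSummaryEvent",
                     "description": "Credential dumping via LSASS access"},
        "security_result": [
            {"severity": "HIGH",
             "attack_details": {"tactics": [{"name": "Credential Access"}],
                                "techniques": [{"name": "OS Credential Dumping"}]}},
        ],
    },
]


def severity_of(sr):
    """Unset enum fields read as their zero value, here UNKNOWN_SEVERITY."""
    return sr.get("severity") or DEFAULT_SEVERITY


def _names(sr, key):
    """Tactic/technique names of one security_result element ('' if none)."""
    items = sr.get("attack_details", {}).get(key, [])
    return [i.get("name", "") for i in items] or [""]


def flatten(event):
    """Assumed stats behaviour: one row per security_result element, and per
    tactic/technique inside it, carrying the event's metadata.id along."""
    md = event["metadata"]
    rows = []
    for sr in event.get("security_result", []):
        for tactic in _names(sr, "tactics"):
            for technique in _names(sr, "techniques"):
                rows.append((severity_of(sr), tactic, technique,
                             md["description"], md["product_event_type"], md["id"]))
    return rows


def stats(events):
    """Equivalent of the match/outcome sections: count_distinct(metadata.id)
    per (severity, tactic, technique, description, product_event_type) key."""
    ids = defaultdict(set)
    for ev in events:
        for *key, eid in flatten(ev):
            ids[tuple(key)].add(eid)
    return {k: len(v) for k, v in ids.items()}


def search_severity(events, wanted):
    """UDM-search style: an event matches if ANY element has that severity.
    Returns (id, [severity per element]) so the unset element is visible."""
    return [(ev["metadata"]["id"], [severity_of(sr) for sr in ev["security_result"]])
            for ev in events
            if any(severity_of(sr) == wanted for sr in ev["security_result"])]


def unset_severity_indices(event):
    """The check to run on a suspect event: which security_result[i] have
    no severity at all (those are the UNKNOWN_SEVERITY rows in stats)."""
    return [i for i, sr in enumerate(event["security_result"]) if "severity" not in sr]


if __name__ == "__main__":
    for key, n in sorted(stats(SAMPLE_EVENTS).items(), key=lambda kv: -kv[1]):
        print(n, key)
    print(search_severity(SAMPLE_EVENTS, DEFAULT_SEVERITY))
    print(unset_severity_indices(SAMPLE_EVENTS[0]))
```

Under these assumptions evt-1 contributes two stats rows (one MEDIUM, one UNKNOWN_SEVERITY) but is a single event in search, and the search for UNKNOWN_SEVERITY returns that same event with MEDIUM visible on its first element. Listing the element indices that lack a severity is the quickest way to confirm that this is what is happening in a real event.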

 


EP0
  • Author
  • Bronze 3
  • March 31, 2026

Thanks, I now at least understand the theory behind it. I checked the raw log for the event above, but there is only one unique message with only one severity.

I think the idea behind multiple alerts in one message is not really applicable based on this example.


Interestingly, the stats event count for that description, “A user performed a network login to an unusual number of endpoints”, somehow shows 2, but the UDM search only shows 1 event. So there is some duplication(?) for some unknown reason, where that UNKNOWN_SEVERITY is probably found?