
What determines severity in SOAR? Do certain risk scores map to certain severity? Or does it focus on the severity from the rule? I've noticed that the mapping does not always seem to be consistent between SIEM rule and SOAR severity?

@smit8,


Is this a question in the scope of SIEM Detections or a broader one? The severity for the SIEM alerts is taken from the Severity key that is associated with Detections. Beyond that it's really dependent on the third party product, but we try to mirror the severity distribution to be the same as in the source itself.


What inconsistency are you seeing?

For alerts received from SecOps SIEM:

IDE > GoogleChronicle > consts file



"low": 40,
"medium": 60,
"high": 80,
"critical": 100,

That should map the ALERT severity at ingest; other actions might change it after this.


Also note that Alert severity != Case severity; there is a process there. I think the highest Alert can change the Case, but again playbooks and manual actions might come into play.




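As an added illustration of the mapping quoted above (this is example code written for this page, not the integration's own consts file or any product code): the label-to-number table is the one given in the thread; the function names, the handling of a missing or unrecognised Severity key (assumed to fall back to the "low" value), the "highest alert wins" case roll-up (the post only says it thinks that is how it works) and the constructed sample alerts are all assumptions for illustration. The `ingest_mismatch` check is the sort of thing you would run over exported alerts to tell an alert whose severity was changed after ingest (playbook or manual action) from one the ingest mapping itself set.

```python
"""Added example: deriving a numeric SOAR alert severity from a SIEM detection
severity label, spotting alerts whose severity no longer matches the ingest
mapping, and rolling several alerts up into a case severity.

The label -> number table is the one quoted in the thread. Everything else
(function names, fallback for unknown labels, max-wins roll-up, sample data)
is an assumption made for this example and is not product code."""

from dataclasses import dataclass

# Mapping quoted in the thread (from the SecOps SIEM integration's consts file).
SIEM_SEVERITY_TO_SOAR = {
    "low": 40,
    "medium": 60,
    "high": 80,
    "critical": 100,
}

# Assumption: a detection with no/unknown Severity key lands in the lowest bucket.
DEFAULT_SEVERITY = SIEM_SEVERITY_TO_SOAR["low"]


def alert_severity_at_ingest(detection_severity):
    """Map a detection's Severity key ('HIGH', 'High', 'high', ...) to the
    numeric alert severity the ingest mapping would assign."""
    if not detection_severity:
        return DEFAULT_SEVERITY
    key = str(detection_severity).strip().lower()
    return SIEM_SEVERITY_TO_SOAR.get(key, DEFAULT_SEVERITY)


@dataclass
class Alert:
    name: str
    siem_severity: str   # Severity key carried by the SIEM detection
    soar_severity: int   # numeric severity currently on the SOAR alert


def ingest_mismatch(alert):
    """Return the value the ingest mapping would have set when the alert's
    current severity differs from it (something changed it after ingest);
    return None when the alert still matches the ingest mapping."""
    expected = alert_severity_at_ingest(alert.siem_severity)
    return None if expected == alert.soar_severity else expected


def case_severity(alerts):
    """Assumption for this example: the case takes the highest alert severity."""
    return max((a.soar_severity for a in alerts), default=DEFAULT_SEVERITY)


def soar_label(value):
    """Reverse lookup: the label of the lowest bucket whose value is >= value."""
    for label, num in sorted(SIEM_SEVERITY_TO_SOAR.items(), key=lambda kv: kv[1]):
        if value <= num:
            return label
    return "critical"


# Constructed sample alerts (not real data).
SAMPLE_ALERTS = [
    Alert("rule_a", "HIGH", 80),      # consistent with the ingest mapping
    Alert("rule_b", "Medium", 100),   # raised after ingest (playbook or manual)
    Alert("rule_c", "", 40),          # no Severity key on the detection -> fallback
]

if __name__ == "__main__":
    for a in SAMPLE_ALERTS:
        expected = ingest_mismatch(a)
        if expected is None:
            print(f"{a.name}: {a.soar_severity} matches ingest mapping")
        else:
            print(f"{a.name}: {a.soar_severity} changed after ingest, mapping gave {expected}")
    total = case_severity(SAMPLE_ALERTS)
    print(f"case severity: {total} ({soar_label(total)})")
```

Running it over the constructed alerts flags `rule_b` as changed after ingest (a medium detection now carrying 100), which is exactly the kind of "inconsistency" that is not the ingest mapping's doing.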