Different vendors attribute different severities to certain types of events based on their own internal way of looking at the data. When Sentinel sets the severity, it generally takes the scale of the vendor severities and arbitrarily maps them into a 0-5 scale. However, this mapping often does not relate an appropriate level of concern, and often the mappings of the same event from two different vendors render widely different severities.
Severities in Sentinel should have a canonical meaning that can be described and documented, and data collection should map events to that scale where applicable. The vendor-assigned severity should be put into its own field, such as 'VendorSeverity', where it can free-form accept exactly the severity as provided by the vendor (so events can be searched by severities the device owner can understand, OR by severities that are actually relevant to SOC managers).
by: Brandon L. | over a year ago | Integrations
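A sketch of the field layout the idea proposes, added here as an example and not code from Sentinel or the poster: a per-vendor table maps native severities onto a canonical 0-5 scale while VendorSeverity keeps the raw value untouched. The vendor names, their scales and the mapping tables are constructed assumptions for illustration.

```python
"""Canonical severity normalisation with the raw vendor value preserved.

Constructed example: vendor names, native scales and mapping tables are
assumptions, not Sentinel's or any real vendor's mapping. Canonical scale is
0 (info) .. 5 (critical); VendorSeverity keeps exactly what the device sent.
"""

CANONICAL = {0: "info", 1: "low", 2: "medium", 3: "high", 4: "very high", 5: "critical"}

# Per-vendor tables keyed by the vendor's own severity values (as lowercase strings).
# Hypothetical vendors: "fwA" uses a 0-7 numeric scale, "idsB" uses words.
VENDOR_MAPS = {
    "fwA": {"0": 0, "1": 1, "2": 1, "3": 2, "4": 3, "5": 3, "6": 4, "7": 5},
    "idsB": {"informational": 0, "low": 1, "medium": 3, "high": 4, "critical": 5},
}

DEFAULT_SEVERITY = 2  # unknown vendor or unmapped value: medium, and flagged for review


def normalise(event: dict) -> dict:
    """Return a copy of `event` carrying canonical Severity plus raw VendorSeverity."""
    raw = str(event.get("severity", "")).strip()
    table = VENDOR_MAPS.get(event.get("vendor"), {})
    out = dict(event)
    out["VendorSeverity"] = raw  # free-form, exactly as the device reported it
    key = raw.lower()
    if key in table:
        out["Severity"] = table[key]
        out["SeverityMapped"] = True
    else:
        out["Severity"] = DEFAULT_SEVERITY
        out["SeverityMapped"] = False  # surfaced so unmapped values get a table entry
    out["SeverityLabel"] = CANONICAL[out["Severity"]]
    return out


# Constructed sample events: the same kind of event reported by two vendors,
# plus a value the vendor table does not know about.
SAMPLE = [
    {"vendor": "fwA", "severity": 6, "msg": "blocked outbound to known-bad host"},
    {"vendor": "idsB", "severity": "High", "msg": "blocked outbound to known-bad host"},
    {"vendor": "idsB", "severity": "urgent", "msg": "unexpected vendor value"},
]

if __name__ == "__main__":
    for ev in map(normalise, SAMPLE):
        print(ev["vendor"], repr(ev["VendorSeverity"]), "->",
              ev["Severity"], ev["SeverityLabel"], "mapped" if ev["SeverityMapped"] else "UNMAPPED")
```

Both "blocked outbound" events land on canonical 4 (very high) even though one vendor said 6 and the other said High, while searching VendorSeverity still finds them by the device's own terms.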
Comments
I've used the matrix below to assign a severity based on action and outcome taxonomy in the collectors I wrote if the event source didn't specify it: https://gist.github.com/klasen/586faea9dac23eab979e4f007acd7904
We are accepting this idea into our backlog. When it is planned for development, the status of the idea will be changed to "Planned".