Severity
The vendor's view of the severity or level of log message.
Data Type
String
Aliases
| Use | Alias |
|---|---|
| Client Console Full Name | Severity |
| Client Console Short Name | Severity |
| Web Console Tab/Name | Severity |
| Elasticsearch Field Name | severity |
| Rule Builder Column Name | Severity |
| Regex Pattern | <severity> |
| NetMon Name | Severity (for alarms only) |
Field Relationships
- Status
- VMID
- Vendor Info
- ThreatId
- ThreatName
Common Applications
- Syslog reports severity in the format <loc0:info>, where info is the severity level.
- Windows Event Log severity
Use Case
- Anything that generates alarms or analyzes risk.
- Almost every log format has a severity.
MPE/Data Masking Manipulations
Logs from localized systems may report the severity in the local language. Use masking to convert it to standard English. (See Windows logs, for example.)
Usage Standards
- Represent the severity the way the vendor/log source does in the clearest text way. Do not attempt to convert 0-5 to low/medium/high or red/yellow/green unless the vendor defines 0 = low.
- Do not misuse for level of confidence (for example, from an AV log).
Examples
- Windows Event Log
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{2222222-5478-4994-a5ba-3e3b0328c30d}'/><EventID>5058</EventID><Version>0</Version><Level>Information</Level><Task>Other System Events</Task><Opcode>Info</Opcode><Keywords>Audit Success</Keywords><TimeCreated SystemTime='2016-02-02T00:24:23.559228400Z'/><EventRecordID>7670651176</EventRecordID><Correlation/><Execution ProcessID='572' ThreadID='3136'/><Channel>Security</Channel><Computer> USABLDRRECFLOW01</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>NT AUTHORITY\NETWORK SERVICE</Data><Data Name='SubjectUserName'> USABLDRRECFLOW01$</Data><Data Name='SubjectDomainName'>SAFAWARE</Data><Data Name='SubjectLogonId'>0x3e4</Data><Data Name='ProviderName'>Microsoft Software Key Storage Provider</Data><Data Name='AlgorithmName'>%%2432</Data><Data Name='KeyName'>le-a1f08494-0ec3-4902-9d6c-caeeda9ce4f6</Data><Data Name='KeyType'>%%2499</Data><Data Name='KeyFilePath'>C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\222222222229530509a71f1</Data><Data Name='Operation'>%%2458</Data><Data Name='ReturnCode'>0x0</Data></EventData></Event>
<Level> tags in Windows indicate severity of the log message.
- Syslog - Apache Access Log
11 14 2013 17:19:04 1.1.1.1 <LOC5:INFO> Nov 14 22:19:04 USABLDRRECFLOW01access_http_log: [14/Nov/2013:22:19:04 +0000] 1.1.1.1 1.1.1.1 HTTP/1.1 "POST /foundation/getStandingsAjax.jsp HTTP/1.1" 2764 https://www.recordflow.biz
Any Syslog message contains a header that indicates severity level.
- Syslog - CrowdStrike FalconHost CEF
12 14 2016 11:39:44 1.1.1.1 <USER:NOTE> CEF:0|CrowdStrike|FalconHost|1.0|DetectionSummaryEvent|Detection Summary Event|2| externalID=222222222222222222 cn2Label=ProcessId cn2=148191318711589 cn1Label=ParentProcessId cn1=148191316778231 shost=TheNarrowSea suser=IIS1$ msg=An administrative/reconnaissance tool (xcopy.exe, ping.exe, tasklist.exe, ftp.exe, autoruns.exe) was spawned under an IIS worker process. fname=systeminfo.exe filePath=\\Device\\HarddiskVolume1\\Windows\\System32 cs1Label=CommandLine cs1=systeminfo fileHash=59E0D058686BD35B0D5C02A4FD8BD0E0sntdom=TARGETNET cs6Label=FalconHostLink cs6=https://falcon.crowdstrike.com/activity/detections/detail/2222222222/2222222222 cn3Label=Offset cn3=1066147 deviceCustomDate1Label=ProcessStartTime deviceCustomDate1=2016-12-14 18:39:42
In this Syslog example, the Syslog severity is ignored in favor of the CEF header, which carries its own severity field.
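The three examples above each carry severity in a different place: the Windows `<Level>` element, the `<FACILITY:SEVERITY>` Syslog header, and the seventh pipe-delimited field of a CEF header. The parser below is an added example, not LogRhythm's own MPE code; it applies the usage standards on this page (keep the vendor's wording, let the CEF header override the Syslog envelope, mask localized strings to English) to trimmed copies of the page's sample records. The German Windows level strings in the masking table and the function names are assumptions for illustration; the numeric `<PRI>` decoding follows the standard Syslog severity codes (0 = emerg through 7 = debug).

```python
import re
import xml.etree.ElementTree as ET
from typing import Optional

# Constructed sample records, trimmed from the three examples on this page.
WINDOWS_EVENT_XML = (
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>"
    "<System><Provider Name='Microsoft-Windows-Security-Auditing'/>"
    "<EventID>5058</EventID><Version>0</Version><Level>Information</Level>"
    "<Channel>Security</Channel></System><EventData/></Event>"
)
SYSLOG_APACHE_LINE = (
    "11 14 2013 17:19:04 1.1.1.1 <LOC5:INFO> Nov 14 22:19:04 "
    'USABLDRRECFLOW01access_http_log: [14/Nov/2013:22:19:04 +0000] "POST /x.jsp HTTP/1.1" 2764'
)
CEF_LINE = (
    "12 14 2016 11:39:44 1.1.1.1 <USER:NOTE> CEF:0|CrowdStrike|FalconHost|1.0|"
    "DetectionSummaryEvent|Detection Summary Event|2| externalID=222222222222222222 "
    "shost=TheNarrowSea suser=IIS1$ fname=systeminfo.exe"
)

WIN_NS = "http://schemas.microsoft.com/win/2004/08/events/event"

# Masking table for localized Windows level names (assumed German strings,
# illustrative only). Values are the English text the vendor uses.
LEVEL_MASK = {
    "Informationen": "Information",
    "Warnung": "Warning",
    "Fehler": "Error",
}

# Named capture group, mirroring the <severity> regex pattern in the alias table.
SYSLOG_HEADER_RE = re.compile(r"<(?P<facility>[A-Za-z0-9]+):(?P<severity>[A-Za-z]+)>")
# Raw RFC 3164 priority header, e.g. <134>; severity is the low three bits.
SYSLOG_PRI_RE = re.compile(r"<(?P<pri>\d{1,3})>")
SYSLOG_SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
# Split CEF header fields on pipes that are not escaped as "\|".
CEF_SPLIT_RE = re.compile(r"(?<!\\)\|")


def severity_from_windows_event(xml_text: str) -> Optional[str]:
    """Return the text of System/Level, masked to English if a localized string is known."""
    root = ET.fromstring(xml_text)
    level = root.find(f"{{{WIN_NS}}}System/{{{WIN_NS}}}Level")
    if level is None or not level.text:
        return None
    text = level.text.strip()
    return LEVEL_MASK.get(text, text)  # keep the vendor's own wording; no low/medium/high mapping


def severity_from_syslog(line: str) -> Optional[str]:
    """Return the severity from a <FACILITY:SEVERITY> header, or decode a numeric <PRI>."""
    m = SYSLOG_HEADER_RE.search(line)
    if m:
        return m.group("severity")
    m = SYSLOG_PRI_RE.search(line)
    if m:
        pri = int(m.group("pri"))
        if pri <= 191:  # max facility 23 * 8 + severity 7
            return SYSLOG_SEVERITY_NAMES[pri & 7]
    return None


def severity_from_cef(line: str) -> Optional[str]:
    """Return the seventh CEF header field (Severity), ignoring any Syslog envelope."""
    start = line.find("CEF:")
    if start < 0:
        return None
    parts = CEF_SPLIT_RE.split(line[start:], maxsplit=7)
    if len(parts) < 7:
        return None
    return parts[6].strip()


def extract_severity(record: str) -> Optional[str]:
    """Dispatch on record shape; a CEF header takes precedence over the Syslog header."""
    stripped = record.lstrip()
    if stripped.startswith("<Event"):
        return severity_from_windows_event(stripped)
    if "CEF:" in record:
        return severity_from_cef(record)
    return severity_from_syslog(record)


if __name__ == "__main__":
    for name, rec in [("windows", WINDOWS_EVENT_XML), ("apache", SYSLOG_APACHE_LINE), ("cef", CEF_LINE)]:
        print(f"{name}: severity={extract_severity(rec)!r}")
```

Note that `extract_severity(CEF_LINE)` returns the CEF value `2`, while `severity_from_syslog(CEF_LINE)` alone would return `NOTE` from the envelope; that is exactly the precedence the CEF example on this page describes, and the string `2` is kept as-is rather than translated to a word.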