Skip to main content
Skip table of contents


The vendor's view of the severity or level of log message. 

Data Type




Client Console Full Name


Client Console Short Name


Web Console Tab/Name


Elasticsearch Field Name


Rule Builder Column Name


Regex Pattern


NetMon Name

Severity for alarms only

Field Relationships

  • Status
  • VMID
  • Vendor Info
  • ThreatId
  • ThreatName

Common Applications

  • Syslog reports severity in the format <loc0:info>, with info being the severity level.
  • Windows Event Log severity

Use Case

  • Anything that generates alarms or analyzes risk.
  • Almost every log format has a severity.

MPE/Data Masking Manipulations

Multilingual logs might have severity in native language. Use masking to convert to standard English. (See Windows logs, for example.)

Usage Standards

  • Represent the severity the way the vendor/log source does in the clearest text way. Do not attempt to convert 0-5 to low/medium/high or red/yellow/green unless the vendor defines 0 = low.
  • Do not misuse for level of confidence (for example, from an AV log).


  • Windows Event Log

<Event xmlns=''><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{2222222-5478-4994-a5ba-3e3b0328c30d}'/><EventID>5058</EventID><Version>0</Version><Level>Information</Level><Task>Other System Events</Task><Opcode>Info</Opcode><Keywords>Audit Success</Keywords><TimeCreated SystemTime='2016-02-02T00:24:23.559228400Z'/><EventRecordID>7670651176</EventRecordID><Correlation/><Execution ProcessID='572' ThreadID='3136'/><Channel>Security</Channel><Computer> USABLDRRECFLOW01</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>NT AUTHORITY\NETWORK SERVICE</Data><Data Name='SubjectUserName'> USABLDRRECFLOW01$</Data><Data Name='SubjectDomainName'>SAFAWARE</Data><Data Name='SubjectLogonId'>0x3e4</Data><Data Name='ProviderName'>Microsoft Software Key Storage Provider</Data><Data Name='AlgorithmName'>%%2432</Data><Data Name='KeyName'>le-a1f08494-0ec3-4902-9d6c-caeeda9ce4f6</Data><Data Name='KeyType'>%%2499</Data><Data Name='KeyFilePath'>C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\222222222229530509a71f1</Data><Data Name='Operation'>%%2458</Data><Data Name='ReturnCode'>0x0</Data></EventData></Event>

<Level> tags in Windows indicate severity of the log message.

  • Syslog - Apache Access Log

11 14 2013 17:19:04 <LOC5:INFO> Nov 14 22:19:04 USABLDRRECFLOW01access_http_log: [14/Nov/2013:22:19:04 +0000] HTTP/1.1 "POST /foundation/getStandingsAjax.jsp HTTP/1.1" 2764

Any Syslog message contains a header that indicates severity level.

  • Syslog – Crowdstrike Falconhost CEF

12 14 2016 11:39:44 <USER:NOTE> CEF:0|CrowdStrike|FalconHost|1.0|DetectionSummaryEvent|Detection Summary Event|2| externalID=222222222222222222 cn2Label=ProcessId cn2=148191318711589 cn1Label=ParentProcessId cn1=148191316778231 shost=TheNarrowSea suser=IIS1$ msg=An administrative/reconnaissance tool (xcopy.exe, ping.exe, tasklist.exe, ftp.exe, autoruns.exe) was spawned under an IIS worker process. fname=systeminfo.exe filePath=\\Device\\HarddiskVolume1\\Windows\\System32 cs1Label=CommandLine cs1=systeminfo fileHash=59E0D058686BD35B0D5C02A4FD8BD0E0sntdom=TARGETNET cs6Label=FalconHostLink cs6= cn3Label=Offset cn3=1066147 deviceCustomDate1Label=ProcessStartTime deviceCustomDate1=2016-12-14 18:39:42

In this Syslog example, the Syslog severity is ignored in favor of the CEF format header which includes its own severity level.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.