Severity

The vendor's view of the severity or level of log message. 

Data Type

String

Aliases

Field Relationships

• Status

• VMID

• Vendor Info

• ThreatId

• ThreatName

Common Applications

• Syslog reports severity in the format <loc0:info>, with info being the severity level.

• Windows Event Log severity

Use Case

• Anything that generates alarms or analyzes risk.

• Almost every log format has a severity.

MPE/Data Masking Manipulations

Multilingual logs might have severity in native language. Use masking to convert to standard English. (See Windows logs, for example.)

Usage Standards

• Represent the severity the way the vendor/log source does in the clearest text way. Do not attempt to convert 0-5 to low/medium/high or red/yellow/green unless the vendor defines 0 = low.

• Do not misuse for level of confidence (for example, from an AV log).

Examples

• Windows Event Log

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{2222222-5478-4994-a5ba-3e3b0328c30d}'/><EventID>5058</EventID><Version>0</Version><Level>Information</Level><Task>Other System Events</Task><Opcode>Info</Opcode><Keywords>Audit Success</Keywords><TimeCreated SystemTime='2016-02-02T00:24:23.559228400Z'/><EventRecordID>7670651176</EventRecordID><Correlation/><Execution ProcessID='572' ThreadID='3136'/><Channel>Security</Channel><Computer> USABLDRRECFLOW01</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>NT AUTHORITY\NETWORK SERVICE</Data><Data Name='SubjectUserName'> USABLDRRECFLOW01$</Data><Data Name='SubjectDomainName'>SAFAWARE</Data><Data Name='SubjectLogonId'>0x3e4</Data><Data Name='ProviderName'>Microsoft Software Key Storage Provider</Data><Data Name='AlgorithmName'>%%2432</Data><Data Name='KeyName'>le-a1f08494-0ec3-4902-9d6c-caeeda9ce4f6</Data><Data Name='KeyType'>%%2499</Data><Data Name='KeyFilePath'>C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\222222222229530509a71f1</Data><Data Name='Operation'>%%2458</Data><Data Name='ReturnCode'>0x0</Data></EventData></Event>

• Syslog - Apache Access Log

11 14 2013 17:19:04 1.1.1.1 <LOC5:INFO> Nov 14 22:19:04 USABLDRRECFLOW01access_http_log: [14/Nov/2013:22:19:04 +0000] 1.1.1.1 1.1.1.1 HTTP/1.1 "POST /foundation/getStandingsAjax.jsp HTTP/1.1" 2764 https://www.recordflow.biz

• Syslog – Crowdstrike Falconhost CEF

12 14 2016 11:39:44 1.1.1.1 <USER:NOTE> CEF:0|CrowdStrike|FalconHost|1.0|DetectionSummaryEvent|Detection Summary Event|2| externalID=222222222222222222 cn2Label=ProcessId cn2=148191318711589 cn1Label=ParentProcessId cn1=148191316778231 shost=TheNarrowSea suser=IIS1$ msg=An administrative/reconnaissance tool (xcopy.exe, ping.exe, tasklist.exe, ftp.exe, autoruns.exe) was spawned under an IIS worker process. fname=systeminfo.exe filePath=\\Device\\HarddiskVolume1\\Windows\\System32 cs1Label=CommandLine cs1=systeminfo fileHash=59E0D058686BD35B0D5C02A4FD8BD0E0sntdom=TARGETNET cs6Label=FalconHostLink cs6=https://falcon.crowdstrike.com/activity/detections/detail/2222222222/2222222222 cn3Label=Offset cn3=1066147 deviceCustomDate1Label=ProcessStartTime deviceCustomDate1=2016-12-14 18:39:42