Rule Severity
Overview
Rule severities are used to help you prioritize alerts during the triage or investigation process.
You can think of severity as confidence-weighted impact, where confidence is how likely an alert is a true positive, and impact is the damage the attack the rule is designed to detect could cause.
![severity chart.png 604](https://files.readme.io/dc760b4-severity_chart.png)
Severities
- `critical` is used to identify rules related to CVEs, malware families, and threat actors. `critical` alerts that were not auto-remediated should be reviewed immediately. `critical` can also be used for high-confidence, high-impact alerts that you want prioritized over everything else that is `high`.
- `high` alerts that were not auto-remediated should be reviewed quickly.
- `medium` alerts that were not auto-remediated should be reviewed frequently.
- `low` alerts that were not auto-remediated should be reviewed regularly.
A given rule's severity may not be appropriate for everyone because organizations have different compensating controls. For example, a Microsoft 365 credential phishing attack may have a lower severity for organizations enforcing hardware-based MFA. The rules in the Sublime Rules Feed assume minimal compensating controls.
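The following is an added example, not code from Sublime or the Sublime Rules Feed. It shows one way to turn the severity levels above into a review queue: alerts that were auto-remediated are dropped from the queue, the remaining alerts are ordered by severity, and an organization can register compensating controls that downgrade specific rules (the hardware-MFA case described above). The rule names, the `hardware_mfa` control label and the sample alerts are all constructed for the example and are not identifiers from the feed.

```python
"""Added example (not Sublime's own code): build a triage queue from rule
severities, with per-organization downgrades for compensating controls."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Severity levels in review-priority order, as documented above.
SEVERITY_ORDER = ["critical", "high", "medium", "low"]
SEVERITY_RANK = {name: i for i, name in enumerate(SEVERITY_ORDER)}


@dataclass(frozen=True)
class Alert:
    rule_name: str        # name of the rule that fired
    severity: str         # severity assigned by the rule (feed default)
    auto_remediated: bool # True if the alert was already auto-remediated
    message_id: str       # identifier of the flagged message


def downgrade(severity: str, steps: int = 1) -> str:
    """Lower a severity by `steps` levels, never below `low`."""
    if severity not in SEVERITY_RANK:
        raise ValueError(f"unknown severity: {severity!r}")
    idx = min(SEVERITY_RANK[severity] + steps, len(SEVERITY_ORDER) - 1)
    return SEVERITY_ORDER[idx]


# Overrides map a rule name to (required compensating control, levels to downgrade).
# The downgrade applies only when the organization actually has that control.
Overrides = Dict[str, Tuple[str, int]]


def effective_severity(alert: Alert, controls: Set[str], overrides: Overrides) -> str:
    """Severity after applying any override whose compensating control is present."""
    rule = overrides.get(alert.rule_name)
    if rule is None:
        return alert.severity
    required_control, steps = rule
    if required_control in controls:
        return downgrade(alert.severity, steps)
    return alert.severity  # control absent: keep the feed's assumption of minimal controls


def review_queue(alerts: List[Alert], controls: Set[str],
                 overrides: Overrides) -> List[Tuple[str, Alert]]:
    """Alerts still needing review, highest effective severity first.

    Auto-remediated alerts are excluded because the guidance above only calls
    for review of alerts that were *not* auto-remediated. The sort is stable,
    so alerts of equal severity keep their arrival order.
    """
    pending = [a for a in alerts if not a.auto_remediated]
    keyed = [(effective_severity(a, controls, overrides), a) for a in pending]
    keyed.sort(key=lambda item: SEVERITY_RANK[item[0]])
    return keyed


# Constructed sample alerts; rule names are hypothetical, not feed identifiers.
SAMPLE_ALERTS = [
    Alert("malware_family_x", "critical", auto_remediated=True, message_id="m1"),
    Alert("credential_phishing_m365", "high", auto_remediated=False, message_id="m2"),
    Alert("suspicious_link", "medium", auto_remediated=False, message_id="m3"),
    Alert("threat_actor_y", "critical", auto_remediated=False, message_id="m4"),
    Alert("brand_impersonation_low_conf", "low", auto_remediated=False, message_id="m5"),
]

# Hypothetical override: with hardware-based MFA enforced, M365 credential
# phishing is one level less severe for this organization.
OVERRIDES: Overrides = {"credential_phishing_m365": ("hardware_mfa", 1)}


if __name__ == "__main__":
    for label, controls in (("minimal controls", set()), ("hardware MFA", {"hardware_mfa"})):
        print(f"--- {label} ---")
        for sev, alert in review_queue(SAMPLE_ALERTS, controls, OVERRIDES):
            print(f"{sev:8} {alert.message_id} {alert.rule_name}")
```

With no controls registered the queue follows the feed's severities unchanged (m4 critical, m2 high, m3 medium, m5 low); registering `hardware_mfa` moves the credential-phishing alert down to medium while leaving the rest alone, and the auto-remediated m1 never enters the queue in either case.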