Rule Severity

Overview

Rule severities are used to help you prioritize alerts during the triage or investigation process.

You can think of severity as confidence-weighted impact, where confidence is how likely an alert is a true positive, and impact is the damage the attack the rule is designed to detect could cause.

604604

Severities

  • critical is used to identify rules related to CVEs, malware families, and threat actors. critical alerts that were not auto-remediated should be reviewed immediately. critical can also be used (responsibly) for high-confidence, high-impact alerts that you want prioritized over everything else that is high.
  • high alerts that were not auto-remediated should be reviewed quickly.
  • medium alerts that were not auto-remediated should be reviewed frequently.
  • low alerts that were not auto-remediated should be reviewed regularly.

A given rule's severity may not be appropriate for everyone because organizations have different compensating controls. For example, a Microsoft365 credential phishing attack may have a lower severity for organizations enforcing hardware-based MFA. The rules in the Sublime Rules Feed assume minimal compensating controls.