Severity reflects the relative importance of security-sensitive activity detected by a KUMA correlator. It suggests the order in which alerts should be processed, and indicates whether senior security officers should be involved.
The correlator automatically assigns a severity value to correlation events and alerts based on correlation rule settings. The severity of an alert also depends on the assets linked to the events being processed, because correlation rules take into account the severity of these assets' category. If the alert or correlation event has no linked assets with a defined severity, or has no related assets at all, its severity is equal to the severity of the correlation rule that triggered it. The severity of an alert or correlation event is never lower than the severity of the correlation rule that triggered it.
If the event is linked to assets, the system uses the highest-severity asset category to calculate the severity of the correlation event or alert:
Example of formula for calculating the severity:
The severity of the correlation event can never be lower than the severity of the correlation rule. The correlator and collector must belong to the same tenant as the assets. Severities of the assets from other tenants are not taken into account.
Alert severity can be changed manually. The severity of alerts changed manually is no longer automatically updated by correlation rules.
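The rules above (severity floor at the rule's own severity, raised to the highest linked asset category severity within the same tenant, other-tenant assets ignored, manual changes frozen) can be expressed as a small triage helper. The following is an added example written for this page, not KUMA's own code or API; the ordered scale Low < Medium < High < Critical, the data classes and the sample assets are constructed for the illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

# Ordered severity scale, lowest first. Constructed for this example;
# the product's actual scale is defined in its own documentation.
LEVELS = ["Low", "Medium", "High", "Critical"]


def rank(level: str) -> int:
    """Position of a level on the scale (higher index = more severe)."""
    return LEVELS.index(level)


@dataclass
class Asset:
    name: str
    tenant: str
    # None models an asset whose category has no defined severity.
    category_severity: Optional[str]


@dataclass
class CorrelationRule:
    name: str
    tenant: str
    severity: str


@dataclass
class Alert:
    rule: CorrelationRule
    assets: list = field(default_factory=list)
    # Set once an analyst changes the severity by hand; then automatic
    # recalculation no longer applies.
    manual_severity: Optional[str] = None


def compute_severity(alert: Alert) -> str:
    """Severity is never below the rule's own severity and is raised to the
    highest asset-category severity among linked assets of the same tenant."""
    if alert.manual_severity is not None:
        return alert.manual_severity
    candidates = [rank(alert.rule.severity)]
    for asset in alert.assets:
        if asset.tenant != alert.rule.tenant:
            continue  # assets from other tenants are not taken into account
        if asset.category_severity is None:
            continue  # no defined severity for this asset's category
        candidates.append(rank(asset.category_severity))
    return LEVELS[max(candidates)]


def set_manual_severity(alert: Alert, level: str) -> Alert:
    """Analyst override: from now on compute_severity returns this value."""
    if level not in LEVELS:
        raise ValueError(f"unknown severity level: {level}")
    alert.manual_severity = level
    return alert


def demo() -> dict:
    """Constructed scenarios covering each clause of the severity rules."""
    rule = CorrelationRule("suspicious-logon", tenant="main", severity="Medium")
    web = Asset("web-01", tenant="main", category_severity="High")
    printer = Asset("printer-07", tenant="main", category_severity="Low")
    untyped = Asset("lab-box", tenant="main", category_severity=None)
    foreign = Asset("dc-01", tenant="other", category_severity="Critical")

    results = {
        "no_assets": compute_severity(Alert(rule)),
        "raised_by_asset": compute_severity(Alert(rule, [printer, web])),
        "floor_at_rule": compute_severity(Alert(rule, [printer, untyped])),
        "other_tenant_ignored": compute_severity(Alert(rule, [foreign])),
    }
    overridden = set_manual_severity(Alert(rule, [web]), "Low")
    results["manual_override"] = compute_severity(overridden)
    return results


if __name__ == "__main__":
    for case, level in demo().items():
        print(f"{case}: {level}")
```

The tenant check is done against the rule's tenant, mirroring the page's requirement that the correlator and the assets belong to the same tenant; a foreign-tenant asset with a Critical category therefore leaves the alert at the rule's Medium.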
Possible severity values: