How does Elastic apply severity to pre-built rules?

How is the pre-built detection rules' severity worked out? Is it a random number, or is there some documented framework? I can't seem to find any notes on it.

Hey there @Oliver2 :wave: Thanks for posting!

While I couldn't find any documents referencing specific mappings from say MITRE Tactics and Techniques to a certain Severity/Risk Score, we do document a bit of our philosophy around Rule Development and what makes a good rule over here in the detection-rules repo. From there, it's a combination of author interpretation, categorization and expertise as well.

Hope that helps! Cheers!


Just to add some on top of Garrett's response, based on my years of experience working in SOC centers for large enterprises: a risk score should contain two parts.

  • how likely it is to be a true attack
  • what the impact of this attack is on your own environment

Besides, the risk score should change dynamically to reflect changes in the environment and the resolutions of similar alerts.
The built-in rules have set up a good foundation but may need customization for your own environment.

This blog may be relevant: Don't take security risk score personally
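A worked illustration of the two-part, dynamic score described in this reply, as an added example (not Elastic's code and not from this thread): it starts from a prebuilt rule's risk_score, scales it by the asset's importance (impact) and by how often similar alerts were closed as false positives (likelihood), then maps the result back to a severity label. The risk_score thresholds for the severity buckets are an assumption based on the defaults in the Kibana rule editor.

```python
from dataclasses import dataclass

# Assumed mapping from risk_score to severity label; thresholds are chosen
# around Kibana's default scores (low 21, medium 47, high 73, critical 99).
SEVERITY_BUCKETS = [(0, "low"), (22, "medium"), (48, "high"), (74, "critical")]


@dataclass
class AlertContext:
    base_risk_score: int        # risk_score shipped with the prebuilt rule
    asset_criticality: float    # impact: e.g. 0.5 for a lab box, 2.0 for a domain controller
    similar_alerts: int         # previously resolved alerts from the same rule on this asset
    false_positives: int        # how many of those were closed as false positive


def likelihood_factor(ctx: AlertContext) -> float:
    """Scale the score down when similar alerts were repeatedly closed as
    false positives. With no history we keep the rule author's score (1.0)."""
    if ctx.similar_alerts == 0:
        return 1.0
    fp_rate = ctx.false_positives / ctx.similar_alerts
    # Floor at 0.25 so a noisy rule still surfaces on a critical asset.
    return max(0.25, 1.0 - fp_rate)


def adjusted_risk_score(ctx: AlertContext) -> int:
    """Likelihood and impact both modulate the rule's base score; the result
    is clamped to Elastic's 0-100 risk_score range."""
    score = ctx.base_risk_score * likelihood_factor(ctx) * ctx.asset_criticality
    return int(min(100, max(0, round(score))))


def severity_for(score: int) -> str:
    """Map a 0-100 risk_score onto the assumed severity buckets."""
    label = "low"
    for threshold, name in SEVERITY_BUCKETS:
        if score >= threshold:
            label = name
    return label


if __name__ == "__main__":
    # Constructed sample: a medium-severity rule fires on a domain controller.
    ctx = AlertContext(base_risk_score=47, asset_criticality=2.0,
                       similar_alerts=0, false_positives=0)
    print(adjusted_risk_score(ctx), severity_for(adjusted_risk_score(ctx)))
```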
