Rule Severity
Overview
Rule severities are used to help you prioritize alerts during the triage or investigation process.
You can think of severity as confidence-weighted impact, where confidence is how likely an alert is a true positive, and impact is the damage the attack the rule is designed to detect could cause.
Severities
critical is used to identify rules related to CVEs, malware families, and threat actors. critical alerts that were not auto-remediated should be reviewed immediately.
critical can also be used for high-confidence, high-impact alerts that you want prioritized over everything else that is high.
high alerts that were not auto-remediated should be reviewed quickly.
medium alerts that were not auto-remediated should be reviewed frequently.
low alerts that were not auto-remediated should be reviewed regularly.
A given rule's severity may not be appropriate for everyone because organizations have different compensating controls. For example, a Microsoft 365 credential phishing attack may have a lower severity for organizations enforcing hardware-based MFA. The rules in the Sublime Rules Feed assume minimal compensating controls.
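The review cadences above, together with the compensating-control adjustment described in this paragraph, applied as a small triage queue. This is an added example, not Sublime's own code; the alert fields, the tag names and the control-to-severity table are assumptions.

```python
from dataclasses import dataclass

# Review cadence per severity, as stated in the severity definitions above.
REVIEW_CADENCE = {
    "critical": "immediately",
    "high": "quickly",
    "medium": "frequently",
    "low": "regularly",
}
RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Assumed: controls the organization enforces, each mapping an alert tag to
# the severity it is capped at (hardware MFA blunts credential phishing).
COMPENSATING_CONTROLS = {"hardware_mfa": {"credential_phishing": "medium"}}

@dataclass
class Alert:
    rule_name: str
    severity: str
    tags: tuple = ()
    auto_remediated: bool = False

def effective_severity(alert, enforced_controls):
    """Lower a rule's severity when an enforced control covers its attack type."""
    sev = alert.severity
    for control in enforced_controls:
        for tag, cap in COMPENSATING_CONTROLS.get(control, {}).items():
            if tag in alert.tags and RANK[cap] > RANK[sev]:
                sev = cap
    return sev

def triage_queue(alerts, enforced_controls=()):
    """Alerts still needing human review, highest effective severity first."""
    queue = []
    for a in alerts:
        if a.auto_remediated:
            continue  # already handled; it does not enter the review queue
        sev = effective_severity(a, enforced_controls)
        queue.append((a.rule_name, sev, REVIEW_CADENCE[sev]))
    queue.sort(key=lambda item: RANK[item[1]])
    return queue

# Constructed sample alerts (not real detections)
SAMPLE_ALERTS = [
    Alert("Credential phishing: M365 lookalike", "high", ("credential_phishing",)),
    Alert("Attachment: known malware family", "critical", ("malware",), True),
    Alert("Link: suspicious TLD", "low"),
    Alert("BEC: payroll redirect", "critical", ("bec",)),
]
```

Calling `triage_queue(SAMPLE_ALERTS, enforced_controls=("hardware_mfa",))` drops the auto-remediated malware alert and moves the credential phishing alert below the BEC alert at medium, whereas without the control it stays high.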