A rating that indicates the urgency and impact of the match. The severity level indicates the extent of damage or escalation pattern, and the frequency of occurrence. Because correlation objects are primarily for detecting threats, the correlated events typically relate to identifying compromised hosts on the network, and the severity implies the following:

- Critical—Confirms that a host has been compromised based on correlated events that indicate an escalation pattern. For example, a critical event is logged when a host that received a file with a malicious verdict by WildFire exhibits the same command-and-control activity that was observed in the WildFire sandbox for that malicious file.
- High—Indicates that a host is very likely compromised based on a correlation between multiple threat events, such as malware detected anywhere on the network that matches the command-and-control activity generated by a particular host.
- Medium—Indicates that a host is likely compromised based on the detection of one or multiple suspicious events, such as repeated visits to known malicious URLs, which suggests scripted command-and-control activity.
- Low—Indicates that a host is possibly compromised based on the detection of one or multiple suspicious events, such as a visit to a malicious URL or a dynamic DNS domain.
- Informational—Detects an event that may be useful in aggregate for identifying suspicious activity, but the event is not necessarily significant on its own.
|