Severity scores indicate the relative importance of an alert.
Click the S column to sort the alerts in your queue by severity score and identify which alerts might require immediate attention.
CB Analytics - Alert severity
Alert severity indicates the relative importance of a CB Analytics alert.
- Severity 1-2: Activities such as port scans, malware drops, changes to system configuration files, persistence, etc.
- Severity 3-5: Activities such as malware running, generic virus-like behavior, monitoring user input, potential memory scraping, password theft, etc.
- Severity 6-10: Activities such as reverse command shells, process hollowing, destructive malware, hidden processes and tool sets, applications that talk on the network but should not, etc.
Watchlists - Report severity
Report severity indicates the relative importance of a threat report within a Watchlists alert.
The severity of a report is set by the creator of the report, not by CB Analytics. If you create your own report, you choose the report's severity, with 1 being the least severe and 10 the most severe.
Target value
The target value acts as a multiplier when calculating the threat level of an alert. Target values are defined by the policy to which an endpoint belongs.
The target value is indicated by the number of filled bars under the T column in the alerts table.
- Low: One bar. Results in a lower threat level.
- Medium: Two bars. The baseline target value; does not add a multiplier.
- High/Mission Critical: Three or four bars. Both values raise the threat level of an alert that would otherwise score the same. Because the target value comes from the policy, you may see two or more alerts with identical descriptions but different alert severities when the affected endpoints belong to policies with different target values.