Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Enhancement] Clarify event.severity Description to Recommend Elastic Security Scale #2446

Open
raqueltabuyo opened this issue Feb 13, 2025 · 7 comments
Open

[Enhancement] Clarify event.severity Description to Recommend Elastic Security Scale #2446

raqueltabuyo opened this issue Feb 13, 2025 · 7 comments
Labels
enhancement New feature or request

Comments

@raqueltabuyo
Copy link

raqueltabuyo commented Feb 13, 2025
edited
Loading

Clarify event.severity Description to Recommend Elastic Security Scale

Summary

The current description of event.severity does not clearly specify a recommended scale, leading to inconsistent mappings across third-party integrations. This issue proposes updating the event.severity description to explicitly recommend following Elastic Security’s standardized severity scale:

  • Low = 21
  • Medium = 47
  • High = 73
  • Critical = 99

Risk score

This clarification will help ensure consistency in severity representation across Elastic Security environments.

Motivation

Currently, the lack of a standardized reference in the event.severity description has led to inconsistent implementations across different integrations. Developers working on third-party data ingestion have mapped severity values based on their own interpretations, leading to misaligned severities across alerts.

For example, some integrations have been assigned a different numeric scale (e.g., Microsoft Defender for Endpoint currently has 1-4, while SentinelOne and CrowdStrike have assigned other different scales), which results in incorrect severity representations in Kibana.

By explicitly recommending the Elastic Security severity scale, developers will have a clear reference to correctly map third-party severities, ensuring a consistent experience across all sources.

Detailed Design

Proposed Changes to event.severity Description:

Current Description:

The numeric severity of the event according to your event source.

What the different severity values mean can be different between sources and use cases. It’s up to the implementer to make sure severities are consistent across events from the same source.

The Syslog severity belongs in log.syslog.severity.code. event.severity is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the log.syslog.severity.code to event.severity.

Proposed Updated Description:

The numeric severity of the event according to your event source.

To ensure consistency across Elastic Security, it is recommended to map severity values to the Elastic Security severity scale:

  • Low = 21
  • Medium = 47
  • High = 73
  • Critical = 99

This ensures uniform severity representation across different event sources. Implementers should normalize third-party severities to this scale when possible.

The Syslog severity belongs in log.syslog.severity.code. event.severity is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the log.syslog.severity.code to event.severity.

Example Values:

Third-Party Source Original Severity Recommended event.severity Mapping
Microsoft Defender for Endpoint Informational 21 (Low)
Microsoft Defender for Endpoint Low 21 (Low)
Microsoft Defender for Endpoint Medium 47 (Medium)
Microsoft Defender for Endpoint High 73 (High)
SentinelOne Low 21 (Low)
SentinelOne Medium 47 (Medium)
SentinelOne High 73 (High)
SentinelOne Critical 99 (Critical)

This update will provide clear guidance to developers, reducing mapping inconsistencies and ensuring a standardized severity approach across Elastic Security.
@raqueltabuyo raqueltabuyo added the enhancement New feature or request label Feb 13, 2025
@approksiu
Copy link

I think there is a confusion here between severity and risk score. Severity options: low, medium, high, critical. Risk score - scale from 1 to 100. In the prebuilt detection rules we use the following mapping:

  • low - 21
  • medium - 47
  • high - 73
  • critical - 99

@raqueltabuyo
Copy link
Author

raqueltabuyo commented Feb 25, 2025
edited
Loading

Thanks @approksiu , sorry if it was not clear enough. The issue here is that severity is a numerical value so we are proposing adding a recommendation in the ECS documentation inside the event.severity description to follow the same mapping as the prebuilt detection rules, in that way we can avoid future issues due to inconsistencies between the data ingested and the rules.

@MikePaquette
Copy link
Contributor

Thanks team, I think a standard way to map the provided data source severity value to event.severity is a good enhancement to ECS, and updating all our integrations to follow this standard mapping would be a good improvement to our users' experience.

A few suggestions:

  1. Let's consider adding this as a recommendation, rather than a breaking change. There is a precedent for ECS making a recommendation (e.g., event.dataset)
  2. We should provide guidance for when the source severity field is numeric - do we pass it along to event.severity (this seems like the original intent of event.severity.) Or do we "round up" numeric values to the next defined value? (See the diagram below for the impact to detection alerts when the detection rule severity override is set if we don't do this "round up.")

Image

@approksiu
Copy link

Thanks @approksiu , sorry if it was not clear enough. The issue here is that severity is a numerical value so we are proposing adding a recommendation in the ECS documentation inside the event.severity description to follow the same mapping as the prebuilt detection rules, in that way we can avoid future issues due to inconsistencies between the data ingested and the rules.

I see I looked at the alert severity.

@raqueltabuyo
Copy link
Author

raqueltabuyo commented Feb 26, 2025
edited
Loading

@MikePaquette great points, below my answers.

Thanks team, I think a standard way to map the provided data source severity value to event.severity is a good enhancement to ECS, and updating all our integrations to follow this standard mapping would be a good improvement to our users' experience.

A few suggestions:

  1. Let's consider adding this as a recommendation, rather than a breaking change. There is a precedent for ECS making a recommendation (e.g., event.dataset)

The breaking change is not for the description but the fact that some customers might use the current values of event.severity for some integrations. For example, the current value of event.severity for high alerts in Microsoft defender for Endpoint integration is 4, a customer could have already created a custom rule with the value of 4. If we modify that value from 4 to 73, that specific custom rule will be affected by this change.

  1. We should provide guidance for when the source severity field is numeric - do we pass it along to event.severity (this seems like the original intent of event.severity.) Or do we "round up" numeric values to the next defined value? (See the diagram below for the impact to detection alerts when the detection rule severity override is set if we don't do this "round up.")>
    Image

Great point, definitely we need to transform those numeric values too. I think it would be more exceptional but it would be good to know the scale of that specific third party in advance, before any mapping. Usually if the scale is from 0-10, they would probably follow CVSS scale. Therefore, if we have numeric values as the original source, we can:

  • Consider CVSS if the scale is 0-10 and match it to the corresponding CVSS 3x/4x Severity, after that, transform it to the corresponding Elastic severity. Example: source severity=7.8--> cvss_severity=High --> event.severity=73.
  • If it is a different scale, refer to the third party documentation and map event.severity to the corresponding severity.
  • If it is a different scale and there is no documentation, round up event.severity to the nearest value.

@MikePaquette
Copy link
Contributor

The breaking change is not for the description but the fact that some customers might use the current values of event.severity for some integrations. For example, the current value of event.severity for high alerts in Microsoft defender for Endpoint integration is 4, a customer could have already created a custom rule with the value of 4. If we modify that value from 4 to 73, that specific custom rule will be affected by this change.

OK, so there is no breaking change to ECS, but each integration that changes its behavior may constitute a breaking change for the integration, right?

@raqueltabuyo
Copy link
Author

The breaking change is not for the description but the fact that some customers might use the current values of event.severity for some integrations. For example, the current value of event.severity for high alerts in Microsoft defender for Endpoint integration is 4, a customer could have already created a custom rule with the value of 4. If we modify that value from 4 to 73, that specific custom rule will be affected by this change.

OK, so there is no breaking change to ECS, but each integration that changes its behavior may constitute a breaking change for the integration, right?

Yes, that's exactly the issue.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@MikePaquette @approksiu @raqueltabuyo