Priority Rating
The priority of an event is a calculated overall rating based on agentSeverity, adjusted by Model Confidence, Relevance, Severity, and Criticality using a detailed formula. (See Priority Calculations and Ratings.) All four adjustment factors are fields in the event schema and can therefore be referenced in correlation content.
The priority rating is color coded and displayed in Active Channels. You can sort events in the grid view by priority. Priority is a good basis for deciding what to look at first in your event monitoring workflow, and it is one of many useful criteria on which to build filters, rules, reports, and data monitors.
Priority Ratings in Active Channels: The Priority column in the default live channel view shows the overall priority rating for each event, calculated from agentSeverity and the four adjustment factors listed above.
The score and color scale used in the priority display are as follows:
Priority | Color | Description
---|---|---
0-2 | Green | Very low. This event is likely a routine function, such as routine file access or a successful authentication by an authorized user. An event that started out with a higher priority can become very low priority when it is confirmed to have failed.
3-4 | Blue | Low. This event is likely a common function, such as a setting change or a scheduled system scan.
5-6 | Yellow | Medium. This event is a potential concern, such as pre-attack scan activity, a policy violation, or an identified vulnerability. Medium priority events are often hostile attempts whose success or failure is not yet confirmed.
7-8 | Orange | High. This event is a concern, such as attack formations, potential breaches, or misuse, including traffic to a dark address space, incorrect registry values, or a SYN flood.
9-10 | Red | Very high. This event is a grave concern, such as a verified breach or a DHCP packet that does not contain enough data. Events with a very high priority should be investigated immediately.