The magnitude rating of an offense is a measure of the importance of the offense in your environment. JSA uses the magnitude rating to prioritize offenses and help you to determine which offenses to investigate first.
The magnitude rating of an offense is calculated based on relevance, severity, and credibility.
Relevance determines the impact of the offense on your network. For example, if a port is open, the relevance is high.
Credibility indicates the integrity of the offense as determined by the credibility rating that is configured in the log source. Credibility increases as multiple sources report the same event.
Severity indicates the level of threat that a source poses in relation to how prepared the destination is for the attack.
JSA uses complex algorithms to calculate the offense magnitude rating, and the rating is re-evaluated when new events are added to the offense and also at scheduled intervals. The following information is considered when the offense magnitude is calculated:
the number of events and flows that are associated with the offense
the number of log sources
the age of the offense
the weight of the network object associated with the offense
the categories, severity, relevance, and credibility of the events and flows that contribute to the offense
the vulnerabilities and threat assessment of the hosts that are involved in the offense
The magnitude rating of an offense is different from the magnitude rating for an event. You can influence the magnitude of an offense by setting the event magnitude in the rule actions, but you cannot bypass the JSA algorithms to set the offense magnitude yourself.