
Severity Constants

Recent releases use a new severity and risk indicator range: severity is now defined as a value (including decimals) between 0 and 1. The previous range was a positive integer value from 1 to 4.

The new severity range mapping is as follows:

  • Previous alert severity 1 (high) now maps to [0.75, 1.0]

  • Previous alert severity 2 (medium) maps to [0.5, 0.75]

  • Previous alert severity 3 (low) maps to [0, 0.5]

In the “incident” and “event” search queries, the results will have a severity/risk greater than or equal to the minimum severity/risk value and strictly less than the maximum severity/risk value, except when the minimum severity/risk value is 0 or the maximum severity/risk value is 1, in which case the results will have a severity/risk greater than 0 and less than or equal to 1.

For example, to return all non-benign incidents or events, set the minimum risk/severity value to 0 and the maximum value to 1.

As a special case, to search for all clean/benign events, specify a minimum severity of 0 and maximum severity of 0.
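A client-side model of these range rules, useful when migrating filters written against the old 1-3 levels. This is an added example, not part of the product's API or the original page: the helper names and sample events are constructed, and the boundary handling (lower bound exclusive only when the minimum is 0, upper bound inclusive only when the maximum is 1) is an assumed reading of the rule above.

```python
# Added example: hypothetical helper names; boundary handling is an assumed
# reading of the range rules stated on this page.

# Legacy alert severity -> (minimum, maximum) bounds from the mapping above.
LEGACY_BOUNDS = {1: (0.75, 1.0), 2: (0.5, 0.75), 3: (0.0, 0.5)}


def in_range(severity, minimum, maximum):
    """True if `severity` falls inside a query with the given bounds."""
    for value in (severity, minimum, maximum):
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"severity values must be within [0, 1]: {value}")
    if minimum > maximum:
        raise ValueError("minimum must not exceed maximum")
    if minimum == 0 and maximum == 0:
        return severity == 0  # special case: clean/benign only
    # Lower bound is inclusive unless it is 0 (benign results are excluded).
    above = severity > 0 if minimum == 0 else severity >= minimum
    # Upper bound is exclusive unless it is 1 (the top of the scale).
    below = severity <= 1 if maximum == 1 else severity < maximum
    return above and below


def legacy_level(severity):
    """Legacy level (1 high, 2 medium, 3 low) for a score, None if benign."""
    for level, (minimum, maximum) in LEGACY_BOUNDS.items():
        if in_range(severity, minimum, maximum):
            return level
    return None


# Constructed sample events, including scores that sit on shared boundaries.
SAMPLE_EVENTS = [{"id": f"e{i}", "severity": s}
                 for i, s in enumerate([0.0, 0.3, 0.5, 0.75, 1.0], start=1)]


def select(events, minimum, maximum):
    """Ids of the events a query with these bounds would return."""
    return [e["id"] for e in events if in_range(e["severity"], minimum, maximum)]


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(event["id"], event["severity"], legacy_level(event["severity"]))
    print("non-benign:", select(SAMPLE_EVENTS, 0, 1))
    print("benign:", select(SAMPLE_EVENTS, 0, 0))
```

Under this reading, a score that sits on a shared boundary (0.5 or 0.75) is returned only by the query for the higher band, so each non-benign event matches exactly one legacy level.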

Note:

For a report of all mitigation devices, use the API get_reports. To test connectivity to mitigation devices, use the API test_configuration.