Normalized severity scores
Investigator integrates Notices, Suricata, and ML alerts. Each of those sources calculates severity scores for its alerts in its own way. Investigator normalizes the scores from each source, mapping the original scores onto a comparable scale from 1 to 10, with 10 being the most critical.
Notices: Imported Notice scores range from 0 to 7, with 0 being the most critical. Investigator normalizes the scores according to this table.

| Original severity | Normalized severity |
|-------------------|---------------------|
| 0                 | 10                  |
| 1                 | 9                   |
| 2                 | 8                   |
| 3                 | 4                   |
| 4                 | 2                   |
| 5                 | 1                   |
| 6                 | 1                   |
| 7                 | 1                   |
| Unknown           | 2                   |
Suricata: Imported Suricata alert scores range from 1 to 4, with 1 being the most critical. Investigator normalizes Suricata alert scores according to this table.

| Original severity   | Normalized severity                                  |
|---------------------|------------------------------------------------------|
| 1 (Critical)        | 8 (the alert review process can increase this score) |
| 2 (Major)           | 6                                                    |
| 3 (Minor)           | 3                                                    |
| 4 (Informational)   | 2                                                    |
| Unknown             | 2 (defaults to the informational level)              |
ML: Alerts from the ML models that Investigator generates itself already use the 1 to 10 scale, with 10 being the most critical.