kdave
Staff
June 6, 2025

Technical Tip: How Rule Severities are defined in FortiSIEM

Description
This article describes how Rule Severities are defined in FortiSIEM.
Scope
FortiSIEM.
Solution

This explanation answers common questions about how rule severity levels are defined in FortiSIEM.


The event severity categories are defined in one place and are then used by several other areas of the product.

For rules, the event severity is a number from 1 to 10. This range is broken down as 1 to 4 for 'Low', 5 to 8 for 'Medium', and 9 to 10 for 'High'.

When an incident is generated, its event severity category is taken from the rule that was created or enabled. The event severity level itself is chosen by the user to reflect how severe the rule should be. Each level of severity is an increment on the 1 to 10 scale, rather than just the basic 'Low', 'Medium', or 'High'. These sub-levels give the user more flexibility, for example to decide that a 'Low' 2 is not as severe as a 'Low' 4. The numbers are boundaries that decide how much impact a particular incident should be assigned.
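As an added illustration (not FortiSIEM's own code), the following script maps the 1 to 10 severity numbers to the documented bands, rejects values outside the scale, and ranks constructed sample incidents so that a 'Low' 4 is triaged ahead of a 'Low' 2; the incident field names are hypothetical, not FortiSIEM's export format.

```python
"""Map FortiSIEM rule severities (1-10) to Low/Medium/High and rank incidents.
Added example with constructed data, not FortiSIEM's own code or export format."""
from dataclasses import dataclass

# Band boundaries as documented in the article: 1-4 Low, 5-8 Medium, 9-10 High.
SEVERITY_BANDS = ((1, 4, "Low"), (5, 8, "Medium"), (9, 10, "High"))


def severity_band(severity):
    """Return 'Low', 'Medium' or 'High' for a 1-10 severity; reject anything else."""
    if not isinstance(severity, int) or isinstance(severity, bool):
        raise ValueError(f"severity must be an int, got {severity!r}")
    for low, high, name in SEVERITY_BANDS:
        if low <= severity <= high:
            return name
    raise ValueError(f"severity {severity} is outside the 1-10 scale")


@dataclass(frozen=True)
class Incident:
    name: str        # hypothetical field names for the sample data
    severity: int


def triage_order(incidents):
    """Sort highest numeric severity first, so sub-levels within a band matter.
    Returns ([(band, name), ...], [names with invalid severities]); invalid
    records are reported rather than silently dropped."""
    valid, invalid = [], []
    for inc in incidents:
        try:
            valid.append((severity_band(inc.severity), inc))
        except ValueError:
            invalid.append(inc.name)
    valid.sort(key=lambda pair: pair[1].severity, reverse=True)
    return [(band, inc.name) for band, inc in valid], invalid


# Constructed sample incidents (not real FortiSIEM output).
SAMPLE = [
    Incident("Repeated failed logons", 4),
    Incident("Port scan detected", 2),
    Incident("Malware callback", 9),
    Incident("Privilege escalation", 7),
    Incident("Broken rule export", 0),   # out of range: should be flagged
]

if __name__ == "__main__":
    ranked, skipped = triage_order(SAMPLE)
    for band, name in ranked:
        print(f"{band:6} {name}")
    print("invalid severities:", skipped)
```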

The boundaries of all three threshold levels were decided by the development team.