Are you able to dynamically set the severity associated with a detection rule based upon conditions in the outcome section?
Something like -
outcome:
$severity = if ($command_line = "safe_program.exe", "INFORMATIONAL", "HIGH")
The severity value displayed on the rule dashboard, alerts queue, and case - 'alert details' tab gets set in the 'meta' section of a rule (or by the chronicle connector if the tag is missing in the rule) and can't be modified in the outcome section.
Instead you should modify the risk_score from the outcome, and that value will be represented on the alerts queue and the case - 'alert details' tab, and contributes to risk analytics.
Think of 'severity' as the max impact of the technique you are detecting, and the risk_score as a combination of the likelihood and impact.
JStoner talks through this and gives a demonstration on dynamically setting the risk_score here: https://www.googlecloudcommunity.com/gc/Google-Security-Operations/Getting-to-Know-Google-SecOps-Out...
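As an added illustration of the pattern described in that reply (not code from the original thread, and not from Google's documentation), the rule below keeps severity fixed in the meta section and computes risk_score per match in the outcome section with the YARA-L if() function. The rule name, the "safe_program.exe" command line and the score values 10 and 80 are assumptions chosen for the example.

```yaral
rule added_example_dynamic_risk_score {
  meta:
    author = "added example, not from the original thread"
    description = "Fixed severity in meta; risk_score derived per match in outcome"
    // severity reflects the maximum impact of the technique and cannot be
    // overridden from the outcome section
    severity = "HIGH"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.hostname = $hostname
    $e.target.process.command_line = $command_line

  match:
    $hostname, $command_line over 5m

  outcome:
    // likelihood x impact: an assumed-benign command line scores low,
    // anything else scores high (risk_score must be an integer from 0 to 100)
    $risk_score = max(
      if($command_line = "safe_program.exe", 10, 80)
    )
    // extra context surfaced on the alert details tab
    $launch_count = count($e.metadata.id)

  condition:
    $e
}
```

Because the rule has a match section, every outcome variable must be wrapped in an aggregation (max() here); a single-event rule without a match section can assign the if() result directly. The severity shown on the dashboard stays "HIGH" for every detection, while risk_score is what varies and feeds risk analytics.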
To add to this conversation, I've had the same use case recently and ultimately had to achieve the objective using a SOAR playbook block to read the event_securityResult_1_severity field and map a severity depending on the value in that ENUM.
A solution in YARA-L would feel cleaner, especially as it nearly has the capability with the risk_scores, which don't change the SOAR case priority, which from an analyst's perspective is quite important. Being able to load a $severity variable in the outcome section and then load it into metadata with something like "severity = $severity" was something I tested for and would feel like a good solution.
Nice! I'll do the same my side. I agree though, a transparent way to set this in the YARA-L would be awesome.