Hi All,
The SOAR cases have a priority (informative, low, medium, high, critical), what is the criteria you use to assign priority to the cases?
The easiest method is to know what sort of alerts you might expect and set a static classification for them.
For instance, I know that I will get alerts for the Antivirus Service stopping. That's a Critical Sev because that is a critical component.
I'll get an alert if Antivirus fails to scan a file. That's Medium Sev, or High Sev if the file was downloaded from an unfamiliar source.
Also, many alerting entities bring in their own severity or magnitude and you could base off of that.
But, you may want to dynamically set a severity based on observations.
For that, you would want to create a threat matrix of sorts, and sit down with architects and leadership to determine the severity of an Event + an Asset.
You could get pretty simple with 3 classifications based on perceived Impact
Like this image below.
Then from there you'd want to perhaps keep a Custom List of Critical Assets.
Then a playbook could shape the Severity based on the event and the asset. For example, if the Event is "Newly Observed SSH Connection" and the Asset is "Domain Controller 01", well that could have a major impact. Critical Severity.
If the same event, but it's a laptop with no permissions. That'd be low impact.
To do this dynamically over a wide assortment of possible events will require a lot of up-front work.
My uses in Siemplify are fairly simple. Siemplify ingests alerts from different sources.
Hopefully that gets some ideas going!
And finally, using severity, if my analysts are looking at 20 alerts they'll sort by severity first.
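The two approaches in the answer above (static per-alert severity, plus a playbook that combines event impact with a custom critical-asset list through a threat matrix) written out as an added Python example; this is not code from the thread or from Siemplify, and the event names, asset names and matrix values are constructed for illustration.

```python
from enum import IntEnum

class Priority(IntEnum):
    INFORMATIVE = 0
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    CRITICAL = 4

# Static classification for alerts whose severity never depends on the asset
# (constructed mapping following the answer's antivirus examples).
STATIC_PRIORITY = {
    "Antivirus Service Stopped": Priority.CRITICAL,
    "Antivirus Scan Failed": Priority.MEDIUM,
}

# Perceived impact of an event type that is not statically classified.
EVENT_IMPACT = {"Newly Observed SSH Connection": "medium"}

# Hypothetical "Custom List" of critical assets; anything not listed is low impact.
ASSET_IMPACT = {"Domain Controller 01": "high", "Finance File Server": "medium"}

# Event impact x asset impact -> case priority (constructed 3x3 threat matrix).
MATRIX = {
    ("high", "high"): Priority.CRITICAL,   ("high", "medium"): Priority.HIGH,
    ("high", "low"): Priority.MEDIUM,
    ("medium", "high"): Priority.CRITICAL, ("medium", "medium"): Priority.HIGH,
    ("medium", "low"): Priority.LOW,
    ("low", "high"): Priority.MEDIUM,      ("low", "medium"): Priority.LOW,
    ("low", "low"): Priority.INFORMATIVE,
}

def case_priority(event, asset, unfamiliar_source=False):
    """Return the priority a playbook would stamp on a case for this event/asset pair."""
    if event in STATIC_PRIORITY:
        prio = STATIC_PRIORITY[event]
        # The answer's refinement: a failed scan of a file from an unfamiliar source is High.
        if event == "Antivirus Scan Failed" and unfamiliar_source:
            prio = Priority.HIGH
        return prio
    # Dynamic path: look the pair up in the matrix; unknown events/assets default to low.
    event_impact = EVENT_IMPACT.get(event, "low")
    asset_impact = ASSET_IMPACT.get(asset, "low")
    return MATRIX[(event_impact, asset_impact)]

def triage_order(cases):
    """Sort (event, asset) cases highest priority first, the way an analyst queue is worked."""
    return sorted(cases, key=lambda c: case_priority(*c), reverse=True)
```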