Solved: Re: Why in a curated detection severity is not equ...

MikelSA · 02-20-2025 07:22 AM

Hi, i was wondering why sometimes in the curated detection rules, for example, severity is medium and Incident criticality level is only informational?

Any ideas?

Thanks!

jstoner

I did a bit of digging and I believe that the rule you are alerting on has a severity of Info on it which aligns to your dot in the alert tab you pointed toward. The risk score in the rule is set to 35 which also aligns to the risk score you are showing.

It appears that the Google Chronicle Alert connector had an issue that the Fallback Severity in the connector was taking precedence over the severity that was in the rule.

The upcoming version of the alert connector in the marketplace v52 should resolve this issue and should be available next week.

More broadly, we are taking the value in the severity field within the rule and mapping it to the field alert.priority so any playbook integration or viewing of that field can be found there. That value is being mirrored in the Threat section in an investigation which is where the problem is arising.

If you modify the priority in a case, the priority will be the only value impacted, the severity will remain what it was initially.

Hope this clarifies at least a few things.

View solution in original post

kentphelps

Have you reviewed this document - https://cloud.google.com/chronicle/docs/detection/risk-analytics-overview

jstoner

Can you provide a specific example? As I look at curated detections, I know alerts are generated with priority, severity and a risk score but incident criticality does not sounds like something we are generating there. In the Case Management side, we have case and alert priority (info to critical) and then the ability to change the case stage to Incident which is independent of the priority. I realize that is a bunch of stuff I just threw out there, but if you can point me to an example, I'd be happy to look into it a bit further.

MikelSA

Sure, I provide you some example, maybe you can explain how this works!

Thanks!

jstoner

I did a bit of digging and I believe that the rule you are alerting on has a severity of Info on it which aligns to your dot in the alert tab you pointed toward. The risk score in the rule is set to 35 which also aligns to the risk score you are showing.

It appears that the Google Chronicle Alert connector had an issue that the Fallback Severity in the connector was taking precedence over the severity that was in the rule.

The upcoming version of the alert connector in the marketplace v52 should resolve this issue and should be available next week.

More broadly, we are taking the value in the severity field within the rule and mapping it to the field alert.priority so any playbook integration or viewing of that field can be found there. That value is being mirrored in the Threat section in an investigation which is where the problem is arising.

If you modify the priority in a case, the priority will be the only value impacted, the severity will remain what it was initially.

Hope this clarifies at least a few things.

MikelSA

Okai! Now I understand a little bit more.

Thank you so much!

Check out the new Professional Security Operations Engineer certification beta!

Why in a curated detection severity is not equal as Incident criticality level