Commit 976c48f

Merge pull request #266050 from batamig/patch-389
Sentinel - severity clarifications
2 parents 0a8f8ee + e5292a5 commit 976c48f

File tree

1 file changed

+10
-1
lines changed

articles/sentinel/detect-threats-custom.md

Lines changed: 10 additions & 1 deletion
@@ -39,8 +39,17 @@ Analytics rules search for specific events or sets of events across your environ
3939

4040
[Incidents](investigate-cases.md) created from alerts that are detected by rules mapped to MITRE ATT&CK tactics and techniques automatically inherit the rule's mapping.
4141

42-
- Set the alert **Severity** as appropriate.
42+
- Set the alert **Severity** as appropriate, matching the impact the activity triggering the rule might have on the target environment, should the rule be a true positive.
4343

44+
- **Informational**. No impact on your system, but the information might be indicative of future steps planned by a threat actor.
45+
- **Low**. The immediate impact would be minimal. A threat actor would likely need to conduct multiple steps before achieving an impact on an environment.
46+
- **Medium**. The threat actor could have some impact on the environment with this activity, but it would be limited in scope or require additional activity.
47+
- **High**. The activity identified provides the threat actor with wide ranging access to conduct actions on the environment or is triggered by impact on the environment.
48+
49+
Severity level defaults are not a guarantee of current or environmental impact level. [Customize alert details](customize-alert-details.md) to customize the severity, tactics, and other properties of a given instance of an alert with the values of any relevant fields from a query output.
50+
51+
Severity definitions for Microsoft Sentinel analytics rule templates are relevant only for alerts created by analytics rules. For alerts ingested from from other services, the severity is defined by the source security service.
52+
4453
- When you create the rule, its **Status** is **Enabled** by default, which means it will run immediately after you finish creating it. If you don’t want it to run immediately, select **Disabled**, and the rule will be added to your **Active rules** tab and you can enable it from there when you need it.
4554

4655
:::image type="content" source="media/tutorial-detect-threats-custom/general-tab.png" alt-text="Start creating a custom analytics rule":::
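Review bot: the added sentence on ingested alerts has a doubled word, "For alerts ingested from from other services, the severity is defined by the source security service"; it should read "For alerts ingested from other services". Two smaller points in the same hunk: the **High** bullet ends with "or is triggered by impact on the environment", which leaves it unclear whether the rule fires because impact has already occurred or because the activity itself causes impact; "or indicates that impact on the environment has already occurred" would say what the bullet intends. And the sentence "Severity level defaults are not a guarantee of current or environmental impact level" would be easier to act on if it named what the defaults are (the template's severity), for example "The default severity set in a rule template is not a guarantee of the actual impact in your environment", before pointing the reader to customize alert details to override severity from query output fields.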
