No "Critical" events from Suricata possible? #10275
Suricata alerts, by default, come in high/medium/low severity. So you will not be able to generate emails when you get a critical NIDS alert because they don't exist. Playbook alerts can be set to Critical, but Playbook is a different alerting mechanism -- rather than alerting on live network traffic events like Suricata does, Playbook works by running stored queries against the logs in your Elasticsearch backend and generating an alert when something matches. It's a different workflow entirely.
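To make the distinction in that reply concrete, here is an added example (not code from this thread or from the Security Onion project). It parses a few constructed eve.json alert lines and maps Suricata's three priorities onto the high/medium/low labels, then evaluates a deliberately simplified, hypothetical stand-in for a Playbook/Sigma rule (`PLAYBOOK_RULE`, `run_playbook_rule`) over the same records after they have been stored, the way Playbook queries Elasticsearch rather than live traffic. The only place "critical" can appear is the Sigma `level` field, so a "critical only" email filter applied to Suricata-derived alerts returns nothing. The priority mapping (1=high, 2=medium, 3=low) follows Suricata's default classification.config; the rule format is an assumption for illustration, not real Sigma syntax.

```python
import json

# Suricata's default classification.config gives each rule class a priority of
# 1, 2 or 3, which Security Onion surfaces as high/medium/low. There is no fourth
# value, so no Suricata-derived alert can come out as "critical".
SURICATA_SEVERITY = {1: "high", 2: "medium", 3: "low"}

# Sigma rule levels; "critical" exists only here, so it only reaches alerts that
# Playbook raises from a Sigma rule.
SIGMA_LEVELS = {"informational", "low", "medium", "high", "critical"}

# Constructed eve.json lines for the demo (not real captures; the sids are in the
# local 9000000+ range to make that obvious).
EVE_LINES = [
    '{"event_type":"alert","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","dest_port":445,'
    '"alert":{"signature_id":9000001,"signature":"CONSTRUCTED priority-1 rule","severity":1}}',
    '{"event_type":"alert","src_ip":"10.0.0.7","dest_ip":"10.0.0.9","dest_port":80,'
    '"alert":{"signature_id":9000002,"signature":"CONSTRUCTED priority-3 rule","severity":3}}',
    '{"event_type":"flow","src_ip":"10.0.0.7","dest_ip":"10.0.0.9","dest_port":80}',
]


def suricata_alerts(lines):
    """Parse eve.json lines and return the alert events with the severity label
    Security Onion would display. Non-alert event types (flow, dns, ...) are skipped."""
    alerts = []
    for line in lines:
        ev = json.loads(line)
        if ev.get("event_type") != "alert":
            continue
        label = SURICATA_SEVERITY.get(ev["alert"]["severity"], "unknown")
        alerts.append({"source": "suricata", "severity": label,
                       "signature": ev["alert"]["signature"], "src_ip": ev["src_ip"]})
    return alerts


def index_records(lines):
    """Stand-in for the records as they would sit in Elasticsearch after ingestion."""
    return [json.loads(line) for line in lines]


# Hypothetical, heavily simplified stand-in for a Playbook/Sigma detection: every
# field/value pair must match a stored record. Real Sigma supports far richer logic.
PLAYBOOK_RULE = {
    "title": "CONSTRUCTED: alert against SMB on a server",
    "level": "critical",
    "detection": {"event_type": "alert", "dest_port": 445},
}


def run_playbook_rule(rule, stored_records):
    """Evaluate a stored query over already-indexed records (what Playbook does
    against Elasticsearch) and emit alerts carrying the rule's Sigma level."""
    if rule["level"] not in SIGMA_LEVELS:
        raise ValueError(f"unknown Sigma level {rule['level']!r}")
    hits = []
    for rec in stored_records:
        if all(rec.get(k) == v for k, v in rule["detection"].items()):
            hits.append({"source": "playbook", "severity": rule["level"],
                         "signature": rule["title"], "src_ip": rec.get("src_ip")})
    return hits


def select_for_email(alerts, wanted="critical"):
    """The filter a 'critical only' email notification would apply."""
    return [a for a in alerts if a["severity"] == wanted]


if __name__ == "__main__":
    live = suricata_alerts(EVE_LINES)
    playbook = run_playbook_rule(PLAYBOOK_RULE, index_records(EVE_LINES))
    print("Suricata severities:", [a["severity"] for a in live])
    print("critical from Suricata:", select_for_email(live))
    print("critical from Playbook:", select_for_email(playbook))
```

Run it and the Suricata path yields only "high" and "low" (the critical filter is empty), while the stored-query path yields one alert tagged "critical" because that label came from the rule, not from the traffic.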
I was looking to send only "critical" alerts via email to myself. But I noticed that I NEVER see any "Critical" alerts, except an occasional one from OSSEC which pops up when I run our internal security scans.
After reading #6395 it appears that NOTHING from my ET ruleset is ever considered as Critical.
The post from defensivedepth says, "critical comes from Sigma, but suricata rules typically only have low/med/high.".
It appears that I'm going to have to dig into Playbook to figure out how this all works. Is this correct?