Severity Levels: How are they determined?

Hey all,

Does anyone know how the severity levels are determined?  We are trying to correlate the severity of Windows Events with the severity levels in LEM, so we can build a filter for just critical and warning events.  Seems that informational at least comes in as two separate numbers, so I am wondering if it is determined by something else.  There are more levels of severity in LEM (7 I believe) than in Windows.  Any information around this would be helpful!

Thanks,

Chrystal Taylor

http://www.loop1systems.com


Chrystal Taylor | Head Geek
1 Solution

We have a couple of out-of-the-box filters that try to capture generic warning/critical events. Where we have generic coverage for these events, they have the word "Error", "Warning" or "Critical" in EventInfo. They are mapped to the ServiceWarning event, which is LEM severity 4.

General guide:

  • 0: InternalException
  • 1-2: All Internal (including audit, logons, logon failures, updates, NTD, etc)
  • 3: Most of Audit (including logon, user changes, group changes, file audits, traffic audits, software update, asset alerts), Incident
  • 4: Parts of Audit (including a few of the user/group change alerts, user disable, all of process auditing, policy modifications, service warning)
  • 5: Parts of Security (including recon and scan, unusual traffic)
  • 6: Parts of Security (including attacks, denial of service)

In the attachment, there are a few "Empty" events (retired old events) and some events that are only used internally to LEM.

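As an added illustration (not code from the thread or from SolarWinds), the following Python sketch models the two rules in the accepted answer: events whose EventInfo carries "Error", "Warning" or "Critical" and have no more specific mapping become ServiceWarning at LEM severity 4, and a "warning and critical" filter is then just a threshold on LEM severity. The event dictionaries, field names (EventInfo, EventName, Severity) and event names such as PortScan are constructed for the example and are not LEM's actual schema or taxonomy.

```python
import re

# Severity bands quoted from the general guide in the reply
# (LEM severity -> area of the event taxonomy).
SEVERITY_GUIDE = {
    0: "InternalException",
    1: "Internal",
    2: "Internal",
    3: "Audit (most) / Incident",
    4: "Audit (parts) incl. process auditing, policy changes, ServiceWarning",
    5: "Security (recon, scan, unusual traffic)",
    6: "Security (attacks, denial of service)",
}

# Generic catch-all mapping described in the reply.
SERVICE_WARNING = ("ServiceWarning", 4)

# Whole-word match on the three keywords the generic filters look for.
GENERIC_KEYWORDS = re.compile(r"\b(Error|Warning|Critical)\b")


def normalize(event):
    """Return a copy of `event` with EventName and Severity filled in.

    An event that already carries a specific LEM mapping is left alone.
    Otherwise, if EventInfo contains one of the generic keywords, the event is
    mapped to ServiceWarning (LEM severity 4); anything else stays unmapped.
    """
    out = dict(event)
    if out.get("EventName") and out.get("Severity") is not None:
        return out
    if GENERIC_KEYWORDS.search(out.get("EventInfo", "")):
        out["EventName"], out["Severity"] = SERVICE_WARNING
    else:
        out.setdefault("EventName", None)
        out.setdefault("Severity", None)
    return out


def warning_and_critical(events, min_severity=4):
    """The 'warning and critical' filter: keep normalized events whose LEM
    severity is at least `min_severity` (4 = ServiceWarning and above)."""
    kept = []
    for ev in map(normalize, events):
        sev = ev["Severity"]
        if sev is not None and sev >= min_severity:
            kept.append(ev)
    return kept


# Constructed sample events; names and text are illustrative only.
SAMPLE_EVENTS = [
    {"EventInfo": "The Print Spooler service terminated with an Error"},
    {"EventInfo": "User logon succeeded", "EventName": "UserLogon", "Severity": 3},
    {"EventInfo": "Possible port scan from 10.0.0.5", "EventName": "PortScan", "Severity": 5},
    {"EventInfo": "Disk quota Warning for volume D:"},
    {"EventInfo": "Service started normally"},
    # Specific mapping wins over the keyword rule even though "Error" appears.
    {"EventInfo": "Logon Error: bad password", "EventName": "UserLogonFailure", "Severity": 2},
]

if __name__ == "__main__":
    for ev in warning_and_critical(SAMPLE_EVENTS):
        print(ev["Severity"], ev["EventName"], "-", ev["EventInfo"])
```

Raising `min_severity` to 5 narrows the filter to the Security bands (recon/scan, attacks) and drops the generic ServiceWarning events, which is the knob to turn if the severity-4 process and policy audit events prove too noisy for a "critical only" view.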


Thanks Nic... Will implement the severity concept.

Product Manager

The severity levels are determined by the categorization of the event - i.e. the "Event Name" and where it's located in the LEM event taxonomy. Most "Audit" alerts are lower severities while most "Security" alerts are higher severities, for example. If it would help, I can give you a list of what each LEM event's severity is.

Thanks, Nicole!  That would be really helpful.  Like I said, we are basically trying to set up filters for Warning and Critical events on Windows nodes.

Thanks,

Chrystal Taylor

http://loop1systems.com


Chrystal Taylor | Head Geek


Thank you, Nicole!


Chrystal Taylor | Head Geek