Skip to main content

Severity Score

When calculating the severity of an incident we are taking into account a variety of factors, such as:

  • The criticality of the detection that triggered the incident (every suspicious / malicious behavior has its own rating).

  • The amount of alerts flagged by the GravityZone prevention engines on the trigger node.

  • The prevention engine that identified the trigger alert.

  • The distance between the trigger node and the root of the incident (how many artifacts were involved on the path to triggering the incident).

  • The MITRE ATT&CK techniques identified by the EDR correlation technology.

  • The presence of a bruteforce attack.

  • The Company Risk Score calculated by the Endpoint Risk Analytics (ERA) module.

EDR rates an incident with the highest severity score (100) if all of the following conditions are met:

  • The incident includes a ransomware alert.

  • The trigger node has more than 5 alerts flagged by the GravityZoneprevention engines.

  • The prevention engine that identified the trigger alert is: Antimalware, Advanced Threat Control, HyperDetect, Advanced Anti-Exploit, or Fileless Attack Protection.

  • The Critical path of the incident contains more than 10 nodes.

  • The MITRE ATT&CK techniques identified by the EDR correlation technology on one of the nodes is: Exfiltration, Lateral Movement, Persistence, Privilege Escalation, Impact, or Credential Access.

  • The host of the triggered incident is a server.

  • The remote IP of a domain node was submitted to a bruteforce attack.

  • The blocking of the malicious attack has failed.

  • The Company Risk Score was above 70 at the time the severity score was being calculated.

The Severity Score of an incident will drop by 30% if all the detected malicious activities are blocked successfully.

When the host of the triggered incident is a server:

  • If the Severity Score is already 15, it will go up by 10.

  • If the Severity Score is lower than 15, it will go up to 15.