Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Normalize Third-Party EDR Alert Severity to Elastic’s Severity Scale #12662

Open
7 tasks
raqueltabuyo opened this issue Feb 7, 2025 · 1 comment
Open
7 tasks

Normalize Third-Party EDR Alert Severity to Elastic’s Severity Scale #12662

raqueltabuyo opened this issue Feb 7, 2025 · 1 comment
Labels
impact:high Short-term priority; add to current release, or definitely next. Integration:crowdstrike CrowdStrike Integration:m365_defender Microsoft M365 Defender Integration:microsoft_defender_endpoint Microsoft Defender for Endpoint Integration:sentinel_one SentinelOne Team:Security-Service Integrations Security Service Integrations Team [elastic/security-service-integrations]

Comments

@raqueltabuyo
Copy link

raqueltabuyo commented Feb 7, 2025
edited
Loading

Normalize Third-Party EDR Alert Severity to Elastic’s Severity Scale

Summary

Currently, third-party EDR integrations (e.g., Microsoft Defender for Endpoint, SentinelOne, CrowdStrike) use different severity scales. However, when their data is ingested into Elastic Security, there have been inconsistencies in how severity values are mapped, leading to incorrect severity assignments instead of aligning with Elastic's predefined scale.

This issue proposes applying a standardized transformation to normalize severity values before parsing data into ECS, ensuring consistency across all alerts.

Problem Statement

Elastic Security assigns fixed numeric values for event.severity, as defined in the official Elastic Security detection rules:

  • 21 = Low
  • 47 = Medium
  • 73 = High
  • 99 = Critical

Risk Score

However, each third-party EDR uses its own severity scale, and there is no uniform approach to parsing these values into ECS. In some cases, severity has been incorrectly assigned or inconsistently mapped instead of following Elastic’s standardized scale.

For example:

  • Microsoft Defender for Endpoint (MDE) and M365 Defender use a Informational, Low, Medium, High scale. MDE Severity
  • SentinelOne: uses Low, Medium, High, and Critical.
Image

  • CrowdStrike: uses Info, Low, Medium, High, and Critical. Crowdstrike Severity mapping

  • These integrations have assigned default values or mapped severities in a way that does not align with Elastic’s scale.

As a result, alerts from these sources may not reflect their actual severity, impacting prioritization and response workflows.

Proposed Solution

Apply severity transformation rules to normalize third-party severity values before parsing them into ECS, ensuring they align with Elastic’s official severity scale.

Implementation Steps

  1. Analyze current mappings used for MDE, SentinelOne, and CrowdStrike.
  2. Define a standardized transformation for each integration, ensuring alignment with the official Elastic event.severity scale.
  3. Implement transformation logic in the ingestion pipeline to convert third-party severity names (String) to Elastic’s numeric scale.
  4. Test severity mappings with sample alerts to validate accuracy.
  5. Document the severity mappings to ensure consistency for future integrations.

Example Mapping for SentinelOne

SentinelOne Severity Elastic Severity event.severity
Low 21 (Low) event.severity=21
Medium 47 (Medium) event.severity=47
High 73 (High) event.severity=73
Critical 99 (Critical) event.severity=99

Similar mappings will be created for Microsoft Defender for Endpoint (MDE) and CrowdStrike once their scales are validated. In the case there are Informational and Low severity levels, use the same value (21) for both.

Acceptance Criteria

  • Identify and correct inconsistencies in severity mapping for MDE, SentinelOne, and CrowdStrike.
  • Standardize transformation rules to align third-party severities with Elastic’s event.severity scale, as referenced in Elastic Detection Rules.
  • Implement the transformation logic in the ingestion pipeline.
  • Validate the mapping using test alerts to ensure proper severity classification.
  • Document severity mappings for future reference.

Future actions

  • Identify and correct inconsistencies in severity mapping for other integrations.
  • Follow the same process as above for new inconsistencies.

Examples

Image

Image

Image

Image

Image

Image
@raqueltabuyo raqueltabuyo added Integration:crowdstrike CrowdStrike impact:critical Immediate priority; high value or cost to the product. Integration:microsoft_defender_endpoint Microsoft Defender for Endpoint Integration:sentinel_one SentinelOne Integration:m365_defender Microsoft M365 Defender Team:Security-Service Integrations Security Service Integrations Team [elastic/security-service-integrations] labels Feb 7, 2025
@elasticmachine
Copy link

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

@raqueltabuyo raqueltabuyo added impact:high Short-term priority; add to current release, or definitely next. and removed impact:critical Immediate priority; high value or cost to the product. labels Feb 7, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
impact:high Short-term priority; add to current release, or definitely next. Integration:crowdstrike CrowdStrike Integration:m365_defender Microsoft M365 Defender Integration:microsoft_defender_endpoint Microsoft Defender for Endpoint Integration:sentinel_one SentinelOne Team:Security-Service Integrations Security Service Integrations Team [elastic/security-service-integrations]
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@elasticmachine @raqueltabuyo