Alert Severity
Alert severity levels are a measurement of the impact an alert has on the business. Lacework's severity scoring algorithm applies a variable alert severity based on several factors, including:
- Number of involved entities.
- User attributes.
- Frequency of activity.
This means that two alerts with the same name can have different severities when their event scores differ. For example, if the user associated with an alert has MFA enabled, Lacework reduces the alert severity because the activity is less likely to be malicious. This MFA adjustment applies to AWS and Google Cloud.
For threats identified through threat intelligence, alert severity is calculated dynamically from how many threat intelligence providers flag the Indicator of Compromise (IOC) as malicious. Weighting an IOC by corroboration across providers gives a more precise threat assessment and prioritization, and reduces false positives.
Because of this scoring algorithm, the severity of an alert may be lower than the severity of the default policy that raised it. Lacework never reduces alert severity for custom policies, so to prevent severity reduction for a particular policy, make a copy of the default policy: as a custom policy, the copy is not subject to the scoring algorithm and therefore keeps its configured severity. For information on custom policies, see Create a Policy.
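The rules above, written out as an added illustrative model in Python. This is not Lacework's code and does not reproduce its scoring algorithm, which the page does not publish; the `Alert` fields, the one-step MFA reduction, the threat-intel thresholds and the sample alerts are all assumptions for demonstration. What it does show is the shape of the behavior: custom policies keep their configured severity, the MFA reduction applies only to AWS and Google Cloud and cannot drop below Info, and a triage helper lists alerts whose severity was reduced so you can decide which default policies to copy.

```python
# Added illustrative model of the severity rules described above; not Lacework's
# own algorithm. The real scoring factors and weights are not public on this page,
# so every numeric step and threshold below is an assumption for demonstration.
from dataclasses import dataclass
from typing import List, Optional

# Severity labels ordered from least to most severe, matching the page's table.
SEVERITIES = ["Info", "Low", "Medium", "High", "Critical"]
RANK = {name: i for i, name in enumerate(SEVERITIES)}


@dataclass
class Alert:
    name: str
    policy_severity: str                # severity configured on the originating policy
    custom_policy: bool                 # True for user-created policies, including copies of defaults
    cloud: str                          # "AWS", "GCP", "Azure", ... (constructed field)
    user_mfa_enabled: Optional[bool] = None  # None when no user identity is involved


def step(severity: str, delta: int) -> str:
    """Move a severity label by delta positions, clamped to the table's range."""
    idx = max(0, min(len(SEVERITIES) - 1, RANK[severity] + delta))
    return SEVERITIES[idx]


def effective_severity(alert: Alert) -> str:
    """Severity after the adjustments the page describes.

    Rule from the page: custom policies are never reduced, so they keep the
    configured severity. For default policies, an involved user with MFA
    lowers the severity; the page states this for AWS and Google Cloud only.
    The size of the reduction (one step) is an assumption.
    """
    if alert.custom_policy:
        return alert.policy_severity
    severity = alert.policy_severity
    if alert.user_mfa_enabled and alert.cloud in ("AWS", "GCP"):
        severity = step(severity, -1)
    return severity


def threat_intel_severity(provider_hits: int) -> Optional[str]:
    """Assumed mapping from corroborating TI providers to a severity label.

    The page says TI severity depends on how many providers flag the IOC;
    the thresholds here are illustrative, not Lacework's.
    """
    if provider_hits <= 0:
        return None             # no provider flags the IOC: no TI alert
    if provider_hits == 1:
        return "Low"
    if provider_hits == 2:
        return "Medium"
    if provider_hits == 3:
        return "High"
    return "Critical"


def reduced_alerts(alerts: List[Alert]) -> List[str]:
    """Names of alerts whose effective severity fell below the policy's severity.

    These are the candidates for cloning the default policy as a custom policy
    if the reduction is unwanted.
    """
    return [
        a.name for a in alerts
        if RANK[effective_severity(a)] < RANK[a.policy_severity]
    ]


# Constructed sample alerts for demonstration.
SAMPLE_ALERTS = [
    Alert("Console login without MFA", "High", False, "AWS", user_mfa_enabled=False),
    Alert("Console login with MFA", "High", False, "AWS", user_mfa_enabled=True),
    Alert("Console login with MFA (custom copy)", "High", True, "AWS", user_mfa_enabled=True),
    Alert("Role assignment with MFA", "High", False, "Azure", user_mfa_enabled=True),
    Alert("Informational with MFA", "Info", False, "GCP", user_mfa_enabled=True),
]

if __name__ == "__main__":
    for a in SAMPLE_ALERTS:
        print(f"{a.name}: policy={a.policy_severity} effective={effective_severity(a)}")
    print("reduced:", reduced_alerts(SAMPLE_ALERTS))
    print("TI with 3 providers:", threat_intel_severity(3))
```

Only the second sample alert is reported as reduced: the custom copy is exempt, the Azure alert is outside the clouds the page names for the MFA adjustment, and the Info alert is already at the floor of the table.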
The following table describes all severity levels.
| Severity | Description | Example |
|---|---|---|
| Critical | Alerts that need immediate attention. This might indicate that the system has failed or stopped responding. | Access level is not set to Private. |
| High | Alerts that indicate a problem, but do not require immediate attention. | Storage logging is not enabled for Queue service read, write, and delete requests. |
| Medium | Alerts that provide forewarning of potential problems, although not an actual error. These events might lead to displaying errors or critical events. | Guest account with owner permissions should be removed from subscription. |
| Low | Alerts with minor impact. | S3 bucket does not have auditing enabled. |
| Info | Alerts that provide informational messages that might be helpful to you. | No support role has been created to manage incidents with AWS Support. |
To learn more about the alert severity for known threats via threat intel, see Advantages of Threat Intel Alerts.