Severity Mapping
The Severity Mapping section lets you further categorize (or normalize) each event by mapping the severity reported by the device to an ArcSight severity. The properties in this section follow a fixed naming pattern, for example:
severity.map.low.if.deviceSeverity
FlexConnector severity mapping must be flexible because not all devices will report severity, or use the same format even with devices of the same type. Some use a scale of 0 to 10 levels. Devices that don’t really provide a severity-oriented field require that you map severity to an action, or some other event-specific field.
Your severity mappings can also reflect your environment. You might want to consider what would normally be a Medium or Low severity event as Very-High simply because it shouldn’t be there to begin with. Or, the opposite: you might lower the severity because the event represents a normal situation on your network. As a general rule, map severity as accurately as possible and use Filters to ignore noise and Rules to respond to specific incidents.
Given the possibilities for Connector Severity mapping mentioned above, you should cover every possible value of the device severity with a severity map line. All of the mappings follow the same syntax:
severity.map.agent_severity.if.deviceSeverity=value
In this case, agent_severity is one of veryhigh, high, medium or low, and value is either a comma-separated list of values or a range of values written with the “..” notation.
Examples
severity.map.veryhigh.if.deviceSeverity=OPEN-INBOUND
severity.map.low.if.deviceSeverity=DROP
severity.map.medium.if.deviceSeverity=OPEN,CLOSE
severity.map.high.if.deviceSeverity=400..599
severity.map.medium.if.deviceSeverity=300..399
severity.map.low.if.deviceSeverity=100..299
This table lists each ArcSight severity and the property that maps device severity values to it:
| ArcSight Severity | Property |
|---|---|
| Very High | severity.map.veryhigh.if.deviceSeverity |
| High | severity.map.high.if.deviceSeverity |
| Medium | severity.map.medium.if.deviceSeverity |
| Low | severity.map.low.if.deviceSeverity |
These properties cause the ArcSight Severity to be set to a specific level if the Device Severity is one of the values specified. For example:
severity.map.veryhigh.if.deviceSeverity=404,500
This would cause a Very High severity event when the status of the request was 404 or 500.
severity.map.medium.if.deviceSeverity=303,302
This would cause a Medium severity event when the status of the request was 303 or 302.
severity.map.low.if.deviceSeverity=200..204
This would cause a Low severity event when the status of the request was 200, 201, 202, 203, or 204.
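To show how the list and “..” range forms of these map lines resolve a device severity, here is an added example (not from the ArcSight documentation or the FlexConnector itself) that parses constructed severity.map lines and checks which observed device severities no line covers. The match order (veryhigh first, first match wins) and the treatment of an unmatched value as unmapped are assumptions of this example, not documented connector behaviour.

```python
import re

# Constructed sample of severity map lines, not taken from a real connector.
SAMPLE_PROPERTIES = """
severity.map.veryhigh.if.deviceSeverity=OPEN-INBOUND
severity.map.high.if.deviceSeverity=400..599
severity.map.medium.if.deviceSeverity=OPEN,CLOSE,300..399
severity.map.low.if.deviceSeverity=DROP,100..299
"""

# Checked from most to least severe; this ordering is an assumption of the example.
LEVELS = ("veryhigh", "high", "medium", "low")
LINE_RE = re.compile(r"^severity\.map\.(veryhigh|high|medium|low)\.if\.deviceSeverity=(.*)$")
RANGE_RE = re.compile(r"^(\d+)\.\.(\d+)$")


def parse_severity_map(text):
    """Return {level: [matchers]}; a matcher is an exact string or an inclusive (lo, hi) int range."""
    mapping = {level: [] for level in LEVELS}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # not a severity map line; other properties are ignored here
        level, value = m.group(1), m.group(2).strip()
        for item in value.split(","):  # comma-separated list of values and/or ranges
            item = item.strip()
            r = RANGE_RE.match(item)
            mapping[level].append((int(r.group(1)), int(r.group(2))) if r else item)
    return mapping


def map_severity(mapping, device_severity):
    """Resolve one deviceSeverity value to an ArcSight level, or None if no map line covers it."""
    for level in LEVELS:
        for matcher in mapping[level]:
            if isinstance(matcher, tuple):
                if device_severity.isdigit() and matcher[0] <= int(device_severity) <= matcher[1]:
                    return level
            elif matcher == device_severity:
                return level
    return None


def find_unmapped(mapping, observed):
    """Device severities seen in events that no severity map line covers (sorted, deduplicated)."""
    return sorted(v for v in set(observed) if map_severity(mapping, v) is None)
```

Running find_unmapped over the device severities actually seen in a sample of events is a quick way to confirm that the map lines cover every value, as the section above recommends.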