Severity Score
When calculating the severity of an incident, we take into account a variety of factors, such as:
The criticality of the detection that triggered the incident (every suspicious or malicious behavior has its own rating).
The number of alerts flagged by the GravityZone prevention engines on the trigger node.
The prevention engine that identified the trigger alert.
The distance between the trigger node and the root of the incident (how many artifacts lie on the path from the root to the trigger node).
The MITRE ATT&CK techniques identified by the EDR correlation technology.
The presence of a brute-force attack.
The Company Risk Score calculated by the Endpoint Risk Analytics (ERA) module.
EDR rates an incident with the highest severity score (100) if all of the following conditions are met:
The incident includes a ransomware alert.
The trigger node has more than 5 alerts flagged by the GravityZone prevention engines.
The prevention engine that identified the trigger alert is: Antimalware, Advanced Threat Control, HyperDetect, Advanced Anti-Exploit, or Fileless Attack Protection.
The critical path of the incident contains more than 10 nodes.
The MITRE ATT&CK technique identified by the EDR correlation technology on one of the nodes falls under one of these tactics: Exfiltration, Lateral Movement, Persistence, Privilege Escalation, Impact, or Credential Access.
The host of the triggered incident is a server.
The remote IP of a domain node was the target of a brute-force attack.
Blocking of the malicious activity failed.
The Company Risk Score was above 70 at the time the severity score was calculated.
The Severity Score of an incident drops by 30% if all the detected malicious activities were blocked successfully.
When the host of the triggered incident is a server:
If the Severity Score is already 15 or higher, it goes up by 10.
If the Severity Score is lower than 15, it is raised to 15.
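The rules above can be modeled to see how they interact, which matters when a SOC re-derives or normalizes severity in its own tooling. The following is an added example, not GravityZone code: it assumes a base score is already available (the page does not describe how the base score is derived), it takes the engine and tactic lists verbatim from the conditions above, and it parameterizes the order in which the 30% blocked reduction and the server adjustment are applied, because the page does not state that order and the two orders give different results.

```python
from dataclasses import dataclass

MAX_SEVERITY = 100
SERVER_FLOOR = 15        # a server incident is never scored below this
SERVER_BONUS = 10        # added when a server incident is already at/above the floor
BLOCKED_REDUCTION = 0.30 # applied when every malicious activity was blocked

# Engines and tactics named in the maximum-severity conditions.
MAX_SEVERITY_ENGINES = {
    "Antimalware", "Advanced Threat Control", "HyperDetect",
    "Advanced Anti-Exploit", "Fileless Attack Protection",
}
MAX_SEVERITY_TACTICS = {
    "Exfiltration", "Lateral Movement", "Persistence",
    "Privilege Escalation", "Impact", "Credential Access",
}


@dataclass
class Incident:
    """Hypothetical incident record (the field names are assumptions)."""
    base_score: float            # score before the adjustments below
    has_ransomware_alert: bool
    trigger_alert_count: int     # prevention-engine alerts on the trigger node
    trigger_engine: str
    critical_path_nodes: int
    tactics: frozenset            # ATT&CK tactics seen on any node
    host_is_server: bool
    remote_ip_bruteforced: bool
    all_activity_blocked: bool   # True when every malicious activity was blocked
    company_risk_score: int      # ERA Company Risk Score at scoring time


def meets_max_severity(inc: Incident) -> bool:
    """All conditions for the maximum score (100) from the list above."""
    return (
        inc.has_ransomware_alert
        and inc.trigger_alert_count > 5
        and inc.trigger_engine in MAX_SEVERITY_ENGINES
        and inc.critical_path_nodes > 10
        and bool(inc.tactics & MAX_SEVERITY_TACTICS)
        and inc.host_is_server
        and inc.remote_ip_bruteforced
        and not inc.all_activity_blocked
        and inc.company_risk_score > 70
    )


def server_adjustment(score: float) -> float:
    """Server rule: +10 when already at or above 15, otherwise raise to 15."""
    return score + SERVER_BONUS if score >= SERVER_FLOOR else SERVER_FLOOR


def blocked_adjustment(score: float, all_blocked: bool) -> float:
    """Blocked rule: a 30% drop when every malicious activity was blocked."""
    return score * (1 - BLOCKED_REDUCTION) if all_blocked else score


def severity_score(inc: Incident, blocked_first: bool = True) -> int:
    """Combine the documented rules. The order of the two adjustments is an
    assumption (the page does not specify it), hence the parameter."""
    if meets_max_severity(inc):
        return MAX_SEVERITY
    score = inc.base_score
    steps = [
        lambda s: blocked_adjustment(s, inc.all_activity_blocked),
        lambda s: server_adjustment(s) if inc.host_is_server else s,
    ]
    if not blocked_first:
        steps.reverse()
    for step in steps:
        score = step(score)
    return min(MAX_SEVERITY, round(score))


# Constructed sample: a fully blocked incident on a server with a base of 20.
# Blocked-then-server: 20 -> 14 -> raised to 15.  Server-then-blocked: 20 -> 30 -> 21.
SAMPLE_BLOCKED_SERVER = Incident(
    base_score=20, has_ransomware_alert=False, trigger_alert_count=2,
    trigger_engine="Antimalware", critical_path_nodes=3, tactics=frozenset(),
    host_is_server=True, remote_ip_bruteforced=False,
    all_activity_blocked=True, company_risk_score=40,
)

if __name__ == "__main__":
    print(severity_score(SAMPLE_BLOCKED_SERVER, blocked_first=True))   # 15
    print(severity_score(SAMPLE_BLOCKED_SERVER, blocked_first=False))  # 21
```

The sample incident shows why the order matters: applied blocked-first, the 30% drop takes the score below the server floor and the floor wins (15); applied server-first, the bonus is granted and then discounted (21). Anyone reimplementing these rules should confirm the order against real GravityZone output rather than assume it.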