QRadar assigns severity based on the QID: each event name is mapped to a specific QID, and each QID carries a fixed severity. This is a good model for many scenarios. However, there are situations that require parsing the severity out of the event itself and overriding the severity set by the QID. For example, you may get a generic QID like “Threat Detected”. Every event mapped to it comes in at a high severity, which throws off several out-of-the-box rules and makes your magnitude score less useful.
To change this, it will take several steps. First you must create a Custom Extracted Property to pull out the new severity. Be sure to check the box for “Optimize for rules and reports”. I’ll use Snort and Palo Alto as an example. I created a new property called “Event Severity” and used this regex:
Here’s one for Palo Alto:
Snort uses a number 1-5 and Palo Alto has 5 different text strings (low, medium, high, etc.). The next step is to create five rules for each log source type, one per severity value. Here’s an example of the Snort rule.
Apply Snort Severity Adjustment – 1 on events which are detected by the Local system
and when the event(s) were detected by one or more of Snort Open Source IDS
and when the event matches Priority is 1
Or Palo Alto:
Apply PASeries Severity Adjustment – Low on events which are detected by the Local system
and when the event(s) were detected by one or more of Palo Alto PA Series
and when the event matches PA Severity is low
The rule response for these rules is to set the Severity to the appropriate number and annotate the event. Both of these examples have 5 levels of severity, so I used 2, 4, 6, 8, and 10 in QRadar. Create all five rules and you are set!
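The following is an added illustration of the property-plus-rule logic described above, not the post's own regexes or QRadar code. The two regexes, the constructed sample payloads and the choice of which value maps to 2, 4, 6, 8 or 10 (Snort priority 1 and Palo Alto "critical" taken as the most severe) are all assumptions made for this example.

```python
import re

# Assumed extraction patterns (constructed for this example; the post's own
# custom property regexes are not reproduced here).
# Snort syslog alert carries "... [Priority: 2] {TCP} ...".
SNORT_PRIORITY_RE = re.compile(r"\[Priority:\s*([1-5])\]")
# Palo Alto THREAT log is CSV; severity is one of five words in its own field.
# In a real property, anchor on the field position rather than any comma-delimited
# word, so a zone or rule named "high" cannot be picked up by mistake.
PA_SEVERITY_RE = re.compile(r",(informational|low|medium|high|critical),", re.IGNORECASE)

# Assumed mapping onto the 2/4/6/8/10 scale used in the post.
SNORT_TO_QRADAR = {1: 10, 2: 8, 3: 6, 4: 4, 5: 2}
PA_TO_QRADAR = {"informational": 2, "low": 4, "medium": 6, "high": 8, "critical": 10}

# Constructed sample payloads, not captured data.
SAMPLE_EVENTS = [
    {"log_source_type": "Snort Open Source IDS",
     "payload": "snort[1234]: [1:2100498:7] GPL ATTACK_RESPONSE id check returned root "
                "[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} "
                "10.0.0.5:80 -> 10.0.0.9:51234"},
    {"log_source_type": "Palo Alto PA Series",
     "payload": "1,2019/05/01 12:00:00,0011223344,THREAT,vulnerability,"
                "10.0.0.9,10.0.0.5,trust,untrust,medium,client-to-server"},
]


def extract_severity(log_source_type, payload):
    """Mimic the custom property plus the five per-source rules: return the
    QRadar severity the rule response would set, or None if no rule fires."""
    if log_source_type == "Snort Open Source IDS":
        m = SNORT_PRIORITY_RE.search(payload)
        return SNORT_TO_QRADAR.get(int(m.group(1))) if m else None
    if log_source_type == "Palo Alto PA Series":
        m = PA_SEVERITY_RE.search(payload)
        return PA_TO_QRADAR.get(m.group(1).lower()) if m else None
    return None  # other log source types keep the QID-assigned severity


def apply_adjustment(event, qid_severity):
    """Return (severity, annotation). The parsed severity overrides the QID
    default only when one of the rules matches; otherwise nothing changes."""
    parsed = extract_severity(event["log_source_type"], event["payload"])
    if parsed is None:
        return qid_severity, None
    return parsed, f"Severity adjusted from {qid_severity} to {parsed}"
```

Running apply_adjustment over SAMPLE_EVENTS with a QID default of 9 shows the Snort event dropping to 8 and the Palo Alto event to 6, which is the effect the five rules have on magnitude.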
Now you should get better magnitude scores and fewer false positives from rules like “Exploit: Exploits Events with High Magnitude Become Offenses”.