Tuning Magnitude via Credibility
I haven't found good documentation that talks about how this works, or anything that talks about when I should consider altering these metrics (or even IF I should be doing that). Out-of-the-box Magnitude Adjustments seem focused entirely on Relevance. Is there a good reference that I'm overlooking? Am I looking at doing this the wrong way (I thought that thresholds might be less elegant)?
Posted By Paul Hosking
SystemAdmin
Re: A guide to the rules would help
2012-11-20T21:24:55Z
This is the accepted answer.
You've probably already worked this out for yourself, but just to be clear, "Magnitude" is calculated simply as Relevance + Severity + Credibility / 3.
I know of three "... with High Magnitude Become Offenses" rules:
DoS: DoS Events with High Magnitude Become Offenses
DDoS: DDoS Events with High Magnitude Become Offenses
Exploit: Exploits Events with High Magnitude Become Offenses
Apply BB:CategoryDefinition: High Magnitude Events on events which are detected by the Local system
and when the event severity is greater than 8
and when the event credibility is greater than 8
and when the event relevance is greater than 8
Note that those are AND-ed together (not OR).
Then there is a whole group of "Magnitude Adjustment" rules for context, source, and destination.
I can't say I've gotten a lot of use out of any of this, but I want to.
I want to have my system tuned up such that magnitude is a useful guide for "which offense is most important".
But I don't feel like I'm there yet.
Having some documentation from Q1 on the intent behind the rules would really help.
For example, apart from "relevance > 7" means offense, I have no idea how to gauge relevance.
I don't know how, in an objective and measurable way, to choose between a relevance of, say, 5 and 6.
Posted By travis.mcwaters
paulfh
Clarification on Event and Offense Magnitudes
2016-03-24T11:53:43Z
This is the accepted answer.
Just for clarification, there are Event Magnitudes and Offense Magnitudes.
For a discussion about Offense Magnitudes, please see this thread: https://www.ibm.com/developerworks/community/forums/html/topic?id=a2460ae5-d3ad-455e-9d4d-125421bfde39
Event Magnitudes are calculated as a weighted mean (https://en.wikipedia.org/wiki/Weighted_arithmetic_mean) of the three properties Severity, Credibility and Relevance of the Event.
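As an added illustration (not code from the thread or from QRadar), the following puts the two descriptions above side by side: the event magnitude as a weighted mean of Severity, Credibility and Relevance, and the "High Magnitude" building block whose three "greater than 8" tests are AND-ed. The weights are an assumption: equal weights reproduce the (Relevance + Severity + Credibility) / 3 formula quoted in the first answer, and the events are constructed samples.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One event with the three 0-10 properties the thread discusses."""
    name: str
    severity: int
    credibility: int
    relevance: int


# Assumed weights: equal weighting reproduces (S + C + R) / 3.
# QRadar's real weights are not stated on the page.
DEFAULT_WEIGHTS = {"severity": 1.0, "credibility": 1.0, "relevance": 1.0}


def magnitude(ev: Event, weights=DEFAULT_WEIGHTS) -> float:
    """Weighted arithmetic mean of severity, credibility and relevance."""
    total = sum(weights.values())
    return (ev.severity * weights["severity"]
            + ev.credibility * weights["credibility"]
            + ev.relevance * weights["relevance"]) / total


def is_high_magnitude_bb(ev: Event, threshold: int = 8) -> bool:
    """Mirror of 'BB:CategoryDefinition: High Magnitude Events' as described:
    all three tests are AND-ed, so a single low property blocks the match."""
    return (ev.severity > threshold
            and ev.credibility > threshold
            and ev.relevance > threshold)


# Constructed sample events, not real log data.
SAMPLE_EVENTS = [
    Event("exploit-all-high", 9, 9, 9),
    Event("exploit-low-credibility", 10, 3, 10),
    Event("background-noise", 2, 5, 1),
]


def triage(events, weights=DEFAULT_WEIGHTS):
    """Return (name, magnitude, bb_match) rows sorted by magnitude, highest
    first, so the mean and the AND-ed building block can be compared."""
    rows = [(e.name, round(magnitude(e, weights), 2), is_high_magnitude_bb(e))
            for e in events]
    return sorted(rows, key=lambda r: r[1], reverse=True)
```

Raising the credibility weight (for example `{"severity": 1, "credibility": 2, "relevance": 1}`) pulls the low-credibility event's magnitude down without touching the building block, which is the lever the original question asks about.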