Offense prioritization

The magnitude rating of an offense is a measure of the importance of the offense in your environment. IBM® QRadar® uses the magnitude rating to prioritize offenses and help you to determine which offenses to investigate first.

The magnitude rating of an offense is calculated based on relevance, severity, and credibility.
  • Relevance measures the impact of the offense on your network, that is, whether the attack can actually affect its target. For example, if the targeted port is open on the destination host, the relevance is high.
  • Credibility indicates the integrity of the offense, as determined by the credibility rating that is configured for the log source. Credibility increases when multiple log sources report the same event.
  • Severity indicates the level of threat that a source poses, relative to how prepared the destination is for the attack.
QRadar uses complex algorithms to calculate the offense magnitude rating, and the rating is re-evaluated when new events are added to the offense and also at scheduled intervals. The following information is considered when the offense magnitude is calculated:
  • the number of events and flows that are associated with the offense
  • the number of log sources
  • the age of the offense
  • the weight of the assets associated with the offense
  • the categories, severity, relevance, and credibility of the events and flows that contribute to the offense
  • the vulnerabilities and threat assessment of the hosts that are involved in the offense

The magnitude rating of an offense is the result of many factors and might not match the severity, credibility, or relevance of any single event in it. The QRadar magnitude algorithm is applied to every offense to set the offense's magnitude. A rule cannot set the value explicitly; it can only contribute to the calculation, for example by adjusting the severity, credibility, or relevance of the events it matches.
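The following triage helper is an added example, not IBM code and not the QRadar magnitude algorithm, which is proprietary and not described on this page. It shows the practical side of the text: pull open offenses, rank them by magnitude for investigation, and flag the case the last paragraph warns about, where one event's severity is high but the offense's magnitude is low. The endpoint (GET /api/siem/offenses), the SEC token header, the Range pagination header and the field names are taken from the QRadar REST API; the API version string, the filter quoting, the tie-breaking order (recently updated and event-heavy offenses first) and the minimum severity/magnitude gap are this example's assumptions. The sample records are constructed, not real offenses.

```python
"""Triage helper: rank QRadar offenses by magnitude for investigation.

The ranking runs offline on constructed sample records; the fetch helper
targets the QRadar REST API (GET /api/siem/offenses) and is only called
when a console URL and token are supplied.
"""
import json
import urllib.parse
import urllib.request

# Fields requested from the API, named as in the offense object returned by
# GET /api/siem/offenses. 'last_updated_time' is epoch milliseconds.
FIELDS = ["id", "description", "status", "magnitude", "severity",
          "credibility", "relevance", "event_count", "flow_count",
          "last_updated_time"]

# Constructed sample records shaped like the API output (not real data).
SAMPLE_OFFENSES = [
    {"id": 101, "description": "Exploit followed by suspicious host activity",
     "status": "OPEN", "magnitude": 8, "severity": 9, "credibility": 7,
     "relevance": 8, "event_count": 412, "flow_count": 30,
     "last_updated_time": 1_700_000_600_000},
    # One high-severity IDS event against a closed port: relevance is low,
    # so the aggregated offense magnitude stays low despite the severity.
    {"id": 102, "description": "IDS signature hit on closed port",
     "status": "OPEN", "magnitude": 3, "severity": 9, "credibility": 4,
     "relevance": 1, "event_count": 1, "flow_count": 0,
     "last_updated_time": 1_700_000_900_000},
    {"id": 103, "description": "Multiple login failures to the same host",
     "status": "OPEN", "magnitude": 6, "severity": 5, "credibility": 8,
     "relevance": 6, "event_count": 58, "flow_count": 0,
     "last_updated_time": 1_700_000_800_000},
    {"id": 104, "description": "Outbound connection to known bad IP",
     "status": "CLOSED", "magnitude": 9, "severity": 8, "credibility": 9,
     "relevance": 9, "event_count": 12, "flow_count": 12,
     "last_updated_time": 1_699_999_000_000},
    {"id": 105, "description": "Scanning followed by firewall permits",
     "status": "OPEN", "magnitude": 6, "severity": 6, "credibility": 6,
     "relevance": 5, "event_count": 900, "flow_count": 900,
     "last_updated_time": 1_700_000_100_000},
]


def prioritize(offenses, statuses=("OPEN",)):
    """Return the offenses to investigate first.

    Order (an assumed policy): magnitude descending, then most recently
    updated (the magnitude is re-evaluated as events are added), then
    event_count descending.
    """
    keep = [o for o in offenses if o.get("status") in statuses]
    return sorted(
        keep,
        key=lambda o: (-o["magnitude"], -o["last_updated_time"],
                       -o["event_count"]),
    )


def severity_magnitude_gap(offenses, min_gap=4):
    """IDs of offenses whose severity exceeds their magnitude by min_gap.

    These are the cases where a single scary event does not make the
    offense a priority once credibility and relevance are factored in.
    """
    return [o["id"] for o in offenses
            if o["severity"] - o["magnitude"] >= min_gap]


def fetch_open_offenses(base_url, token, limit=50, api_version="12.0"):
    """Fetch open offenses sorted by magnitude from a QRadar console.

    Assumes an authorized-service token in the SEC header and a console
    certificate trusted by this host. The version string and the filter
    quoting may need adjusting for your deployment.
    """
    query = urllib.parse.urlencode({
        "filter": 'status="OPEN"',
        "sort": "-magnitude",
        "fields": ",".join(FIELDS),
    })
    url = f"{base_url.rstrip('/')}/api/siem/offenses?{query}"
    req = urllib.request.Request(url, headers={
        "SEC": token,
        "Version": api_version,
        "Accept": "application/json",
        "Range": f"items=0-{limit - 1}",   # API pagination header
    })
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def triage_report(offenses):
    """One line per open offense, highest priority first."""
    lines = []
    for o in prioritize(offenses):
        lines.append(f"#{o['id']:<5} mag={o['magnitude']:>2} sev={o['severity']} "
                     f"cred={o['credibility']} rel={o['relevance']} "
                     f"events={o['event_count']:<5} {o['description']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(triage_report(SAMPLE_OFFENSES))
    print("severity >> magnitude:", severity_magnitude_gap(SAMPLE_OFFENSES))
```

On the sample data, offense 101 ranks first and offense 102 last even though both carry severity 9, which is exactly the point of prioritizing on magnitude rather than on the severity of the loudest event. To run against a real console, replace the sample with fetch_open_offenses("https://console.example", token).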