The magnitude rating of an offense is a measure of the importance of the offense in your environment. IBM® QRadar® uses the magnitude rating to prioritize offenses and help you to determine which offenses to investigate first.
- Relevance determines the impact of the offense on your network. For example, if a port is open, the relevance is high.
- Credibility indicates the integrity of the offense as determined by the credibility rating that is configured in the log source. Credibility increases as multiple sources report the same event.
- Severity indicates the level of threat that a source poses in relation to how prepared the destination is for the attack.
The following factors are considered when the offense magnitude is calculated:
- the number of events and flows that are associated with the offense
- the number of log sources
- the age of the offense
- the weight of the assets associated with the offense
- the categories, severity, relevance, and credibility of the events and flows that contribute to the offense
- the vulnerabilities and threat assessment of the hosts that are involved in the offense
The magnitude rating of an offense is the result of many factors and might not align with the magnitude of a single event. The QRadar magnitude algorithm is used on all offenses to set the offense's magnitude. A rule cannot explicitly set the value; it can contribute only to the calculation.