Question & Answer
Question
How are severity levels defined for security signatures on QRadar Network Security (XGS) and Security Network IPS (GX) sensors?
Answer
By default, Severity levels (also called Risk levels) for security events are defined based on the CVSS score of the underlying vulnerability by using the following scale:
The Determine the X-Force risk level of an attack page on the IBM Knowledge Center provides further information on the types of attacks that each level covers. All signatures have a severity that is pre-defined. It is also possible for users to manually modify the severity of a signature when you are editing the policies for a sensor.
In some instances, the IBM X-Force team assigns a severity that is different from the one indicated by the CVSS score when they are implementing a new signature. When that happens, it is recorded in the readme file of the XPU associated with the signature.
Example:
The following is an excerpt from the XPU 35.120 readme file that shows a signature whose severity is set to a value that is different than the one indicated by the CVSS score. The DB Risk field indicates the severity as defined by the CVSS score. The PAM Priority field indicates the severity that is assigned to the signature by IBM X-Force.
The intent of the PAM Priority value is to provide guidance to security analysts when they are responding to events. In this example, the Backdoor_Ghost_CnC signature has a low CVSS score but is listed as high in the PAM Priority field because it shows an active infection in the user's network.
- Low: 0.0-3.9
- Medium: 4.0-6.9
- High: 7.0-10
The Determine the X-Force risk level of an attack page on the IBM Knowledge Center provides further information on the types of attacks that each level covers. All signatures have a severity that is pre-defined. It is also possible for users to manually modify the severity of a signature when you are editing the policies for a sensor.
In some instances, the IBM X-Force team assigns a severity that is different from the one indicated by the CVSS score when they are implementing a new signature. When that happens, it is recorded in the readme file of the XPU associated with the signature.
Example:
The following is an excerpt from the XPU 35.120 readme file that shows a signature whose severity is set to a value that is different than the one indicated by the CVSS score. The DB Risk field indicates the severity as defined by the CVSS score. The PAM Priority field indicates the severity that is assigned to the signature by IBM X-Force.
IssueId SecChkID DB Risk Pam Priority Check Name
-----------------------------------------------------
2132192 107963 Low high Backdoor_Ghost_CnCThe intent of the PAM Priority value is to provide guidance to security analysts when they are responding to events. In this example, the Backdoor_Ghost_CnC signature has a low CVSS score but is listed as high in the PAM Priority field because it shows an active infection in the user's network.
[{"Product":{"code":"SSFSVP","label":"IBM QRadar Network Security"},"Business Unit":{"code":"BU008","label":"Security"},"Component":"Protocol Analysis Module (PAM)","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"Version Independent","Edition":"","Line of Business":{"code":"","label":""}},{"Product":{"code":"SS9SBT","label":"IBM Security Network Intrusion Prevention System"},"Business Unit":{"code":"BU008","label":"Security"},"Component":"Protocol Analysis Module (PAM)","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"Version Independent","Edition":"","Line of Business":{"code":"","label":""}},{"Product":{"code":"SSHLHV","label":"IBM Security Network Protection"},"Business Unit":{"code":"BU008","label":"Security"},"Component":"Protocol Analysis Module (PAM)","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"Version Independent","Edition":"","Line of Business":{"code":"","label":""}}]
Document Information
Modified date:
23 January 2021
UID
swg21986647