As Zeek logs are parsed and enriched prior to indexing, a severity score up to
100 (a higher score indicating a more severe event) can be assigned when one or more of the following conditions are met:
FREQ_SEVERITY_THRESHOLDenvironment variable in
docker-compose.yml. A lower value will only assign severity scores to fewer domain names with higher entropy (e.g.,
NQZHTFHRMYMTVBQJE.COM), while a higher value will assign severity scores to more domain names with lower entropy (e.g.,
weird.logentries, including those generated by Zeek plugins detecting vulnerabilities (see the list of Zeek plugins under Components)
TOTAL_MEGABYTES_SEVERITY_THRESHOLDenvironment variable in
CONNECTION_SECONDS_SEVERITY_THRESHOLDenvironment variable in
As this feature is improved it’s expected that additional categories will be identified and implemented for severity scoring.
When a Zeek log satisfies more than one of these conditions its severity scores will be summed, with a maximum score of
100. A Zeek log’s severity score is indexed in the
event.severity field and the conditions which contributed to its score are indexed in
These categories’ severity scores can be customized by editing
100for severity scoring.
XYZis the uppercased value of the protocol as stored in the
network.protocolfield. For example, to assign a score of
40to Zeek logs generated for SSH traffic, you could add the following line to
Restart Logstash after modifying
malcolm_severity.yaml for the changes to take effect. The hostname and CIDR subnet names interface provides a convenient button for restarting Logstash.