Logo

A powerful, easily deployable network traffic analysis tool suite for network security monitoring

Quick Start

Documentation

Components

Supported Protocols

Configuring

Arkime

Dashboards

Hedgehog Linux

Contribution Guide

Event severity scoring

As Zeek logs are parsed and enriched prior to indexing, a severity score up to 100 (a higher score indicating a more severe event) can be assigned when one or more of the following conditions are met:

As this feature is improved, it is expected additional severity scoring categories will be identified and implemented.

When a Zeek log satisfies more than one of these conditions its severity scores will be summed, with a maximum score of 100. A Zeek log’s severity score is indexed in the event.severity field and the conditions that contributed to its score are indexed in event.severity_tags.

The Severity dashboard

Customizing event severity scoring

The category severity scores can be customized by editing logstash/maps/malcolm_severity.yaml:

"PROTOCOL_SSH": 40

Restart Logstash after modifying malcolm_severity.yaml for the changes to take effect.

Severity scoring can be disabled globally by setting the LOGSTASH_SEVERITY_SCORING environment variable to false in the logstash.env file and restarting Malcolm.