Understanding Alerts & Severity
Learn how CastellanAI classifies and prioritizes security threats.
CastellanAI uses AI to analyze security events and assign severity levels based on multiple factors including threat indicators, MITRE ATT&CK tactics, and historical patterns.
Severity Levels Explained
- 🔴 Critical
- 🟠 High
- 🟡 Medium
- 🔵 Low
Critical Severity
Immediate action required. Active threats that could cause significant damage.
| Examples | Response Time |
|---|---|
| Confirmed malware execution | 0-15 minutes |
| Active ransomware detected | 0-15 minutes |
| Data exfiltration in progress | 0-15 minutes |
| Privilege escalation to domain admin | 0-15 minutes |
Critical events require immediate investigation and response. Do not delay.
High Severity
Suspicious activity requiring prompt investigation. Potential threats that warrant immediate attention.
| Examples | Response Time |
|---|---|
| Multiple failed authentication attempts | Within 1 hour |
| Suspicious PowerShell execution | Within 1 hour |
| Unusual network connections | Within 1 hour |
| Lateral movement detected | Within 1 hour |
High severity events should be investigated within 1 hour of detection.
Medium Severity
Notable events that should be reviewed but don't require immediate action.
| Examples | Response Time |
|---|---|
| Policy violations | Within 4 hours |
| Non-standard software installations | Within 4 hours |
| Configuration changes | Within 4 hours |
| Minor security audit failures | Within 4 hours |
Low Severity
Informational events for security awareness. Review during routine analysis.
| Examples | Response Time |
|---|---|
| Successful authentication events | During scheduled review |
| Normal system updates | During scheduled review |
| Routine administrative actions | During scheduled review |
| Standard security scans | During scheduled review |
Low severity events should be reviewed during scheduled security analysis sessions.
How Severity is Determined
CastellanAI's AI engine analyzes multiple factors to assign severity:
- 📋 Event Characteristics
- 🎯 Context & Impact
- 📊 Behavioral Analysis
Event Characteristics
| Factor | Description |
|---|---|
| Event Type & Category | Classification of the security event |
| MITRE ATT&CK Tactics | Mapped threat techniques |
| Known Threat Indicators | IOCs matching threat intelligence |
Context & Impact
| Factor | Description |
|---|---|
| System Criticality | Importance of affected system |
| User Privilege Level | Admin vs. standard user |
| Correlation with Other Events | Related activity across systems |
Behavioral Analysis
| Factor | Description |
|---|---|
| Burst Score | Activity spike intensity |
| Anomaly Score | Deviation from baseline |
| Correlation Score | Event relationship strength |
Response Time Guidelines
| Severity | Response Time | Escalation |
|---|---|---|
| Critical | 0-15 minutes | Immediate notification to security team |
| High | Within 1 hour | Alert on-call personnel |
| Medium | Within 4 hours | Standard ticket queue |
| Low | Scheduled review | Weekly analysis |
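The following is an added illustration, not CastellanAI's scoring engine: it combines the factor groups listed above (event characteristics, context and impact, behavioral scores) with assumed weights and thresholds, then maps the resulting severity to the response-time and escalation targets from the table above so an overdue alert can be flagged. The weights, the 1-3 criticality scale and the sample events are all constructed for this example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Response-time targets and escalation paths from the guidelines table above.
# "Scheduled review" for Low is modelled here as a weekly window (assumption).
RESPONSE_SLA = {"Critical": timedelta(minutes=15), "High": timedelta(hours=1),
                "Medium": timedelta(hours=4), "Low": timedelta(days=7)}
ESCALATION = {"Critical": "Immediate notification to security team",
              "High": "Alert on-call personnel",
              "Medium": "Standard ticket queue", "Low": "Weekly analysis"}

@dataclass
class SecurityEvent:
    event_type: str
    mitre_tactics: set = field(default_factory=set)   # MITRE ATT&CK tactic names
    ioc_match: bool = False          # known threat indicator matched
    system_criticality: int = 1      # assumed scale: 1 workstation .. 3 domain controller
    user_is_admin: bool = False      # user privilege level
    burst_score: float = 0.0         # behavioral scores, assumed normalised to 0..1
    anomaly_score: float = 0.0
    correlation_score: float = 0.0

def score_event(ev: SecurityEvent) -> float:
    """Assumed weighting of the page's factors; CastellanAI's real model is not public here."""
    score = 40.0 if ev.ioc_match else 0.0
    if ev.mitre_tactics & {"Impact", "Exfiltration"}:
        score += 30
    elif ev.mitre_tactics & {"Privilege Escalation", "Lateral Movement", "Credential Access"}:
        score += 20
    score += 10 * ev.system_criticality          # context: how important is the host
    score += 10 if ev.user_is_admin else 0       # context: admin vs standard user
    score += 10 * max(ev.burst_score, ev.anomaly_score) + 10 * ev.correlation_score
    return score

def classify(ev: SecurityEvent) -> str:
    """Map the numeric score onto the four severity levels (thresholds assumed)."""
    s = score_event(ev)
    return "Critical" if s >= 70 else "High" if s >= 45 else "Medium" if s >= 25 else "Low"

def triage(ev: SecurityEvent, detected_at: datetime, now: datetime) -> dict:
    """Attach the response deadline and escalation path, and flag breached deadlines."""
    sev = classify(ev)
    deadline = detected_at + RESPONSE_SLA[sev]
    return {"severity": sev, "escalation": ESCALATION[sev],
            "deadline": deadline, "overdue": now > deadline}

# Constructed sample events matching the examples given in the severity tables.
RANSOMWARE = SecurityEvent("process_execution", {"Impact", "Execution"}, ioc_match=True,
                           system_criticality=2, burst_score=0.9, anomaly_score=0.8, correlation_score=0.7)
FAILED_LOGINS = SecurityEvent("authentication_failure", {"Credential Access"},
                              system_criticality=2, burst_score=0.8, anomaly_score=0.5, correlation_score=0.3)
CONFIG_CHANGE = SecurityEvent("config_change", system_criticality=2, user_is_admin=True,
                              burst_score=0.3, anomaly_score=0.4, correlation_score=0.2)
SUCCESSFUL_LOGIN = SecurityEvent("authentication_success", burst_score=0.1, anomaly_score=0.1)
```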
💡 Best Practices for Prioritization
- Always review context - AI severity is a guide, consider your organization's specifics
- Check for patterns - Multiple low-severity events may indicate a larger attack
- Don't ignore lows - Low severity events can escalate or provide attack indicators
- Document exceptions - Record when you override AI severity for future tuning
What's Next?
| Guide | Description |
|---|---|
| Investigating Events | Systematic approach to investigating security events |
| Taking Action | Available response actions for different threat types |
| Notifications Setup | Configure alerts for high-severity events |
| Incident Workflows | Learn standardized incident response procedures |