Set severity of detectors #832
Comments
landauermax
added
enhancement
|
What should this parameter do, outside of giving information to the reader? If there is no use case in calculations, then a string value could be better fitted. For example severity = "critical" or severity = "info" for those two examples. |
|
They are mainly for displaying the anomalies in a SIEM (for example, a lot of low-severity alerts can be less critical than a few high-severity alerts) and numeric correlation (for example, a "total severity" can be calculated by aggregating the severities of all alerts occurring in a certain time window). I think INFO is generally not an appropriate level for anomalies, since every anomaly should be at least a warning. Anyway, it is up to the SIEM to categorize the anomalies in high/medium/low or whatever categories based on the numeric value. |
|
This issue should be solved before the unittests are rewritten and extended. |
|
I would like to have tags for events that we generate. So that we can add different tags to the output. One of them could be the severity |
4cti0nfi9ure
added
low
It should be possible to set the severity of detectors and add this information to the output if set. E.g., a parameter severity = 0.7 can be added to a value detector monitoring critical states, while severity = 0.1 can be set for less important detectors that are more likely to produce false positives. Please make sure that this parameter does not interfere with the confidence that is available for some detectors in the output.
The text was updated successfully, but these errors were encountered: