ArcSight Tips & Information

The ArcSight threat level formula

Part of the power of a centralized SIEM that can consume security events as well as vulnerability and port scan reports is the ability to greatly reduce the alerts caused by attacks against systems that aren’t vulnerable to particular attack vectors.

In this new video you'll learn how an ESM can actually reduce the number of false positives simply by leveraging the asset model capabilities available out of the box. 

Without giving away everything the video covers, here is a quick primer to get you started:

The priority formula consists of four factors that combine to generate an overall priority rating: Model Confidence, Relevance, Severity, and Asset Criticality.  The priority of an event is a calculated overall rating based on agent severity (see Event Severity) adjusted by Model Confidence, Relevance, Severity, and Criticality using a detailed formula.

Model Confidence – Model confidence refers to whether the target asset has been modeled in ESM and to what degree. This is either done manually by creating the asset within ESM console, or can be done automatically using the auto asset creation feature.  Maximum score = 10. If the score is 0, this indicates that this particular system has not been modeled at all.

Relevance – Relevance refers to whether or not an event is relevant to an asset based on whether the event contains ports and/or known vulnerabilities, and if so, whether those vulnerabilities and/or ports are exposed on the asset. A key point here is that, if the Model Confidence is 0, then it makes no difference what the relevance is. This makes sense, as ESM wouldn’t have information on that asset to determine the criticality of the attack against the target.

Device Severity – This is normalized to Agent Severity (Low, Med, High, and Very High). Device severity captures the language used by the data source to describe its interpretation of the danger posed by a particular event. For example, if a network IDS detects a DHCP packet that does not contain enough data to conform to the DHCP format, the device flags this as a high-priority exploit.

Agent Severity – This is the translation of the device severity into ESM-normalized values. For example, Snort uses a device severity scale of 1-10, whereas Checkpoint uses a scale of high, medium and low. ESM normalizes these values into a single agent severity scale. The default ESM scale is Very Low, Low, Medium, High, and Very High. An event can also be classified as Agent Severity Unknown if the data source did not provide a severity rating.

Asset Criticality – This measures how important the target asset is in the context of your enterprise, as set by you in the network modeling process using the standard asset categories /System Asset Categories/Criticality/Very High, High, Medium, Low, and Very Low. For example, customer-facing systems or devices with access to confidential information would be classified at a criticality level of High, whereas a staging or test system may have a criticality level of Low.
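The Model Confidence and Relevance factors described above can be illustrated with a small script. This is an added example, not ESM's implementation or its priority formula: the asset model, events, vulnerability names and the three relevance labels are all constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Asset:
    open_ports: set = field(default_factory=set)       # from port scan reports
    vulnerabilities: set = field(default_factory=set)  # from vulnerability scans

@dataclass
class Event:
    name: str
    target: str
    port: Optional[int] = None
    vulnerability: Optional[str] = None

# Constructed asset model; 10.0.0.9 is deliberately not modeled.
ASSET_MODEL = {"10.0.0.5": Asset({22, 443}, {"VULN-EXAMPLE-1"})}

# Constructed events, as an IDS might report them.
EVENTS = [
    Event("exploit attempt A", "10.0.0.5", 443, "VULN-EXAMPLE-1"),
    Event("exploit attempt B", "10.0.0.5", 445, "VULN-EXAMPLE-2"),
    Event("exploit attempt C", "10.0.0.9", 443, "VULN-EXAMPLE-1"),
    Event("login failure", "10.0.0.5"),
]

def assess_relevance(event, model):
    """Return 'relevant', 'not relevant' or 'unknown' (labels are assumptions)."""
    asset = model.get(event.target)
    if asset is None:
        return "unknown"  # unmodeled target: nothing to compare against
    checks = []
    if event.port is not None:
        checks.append(event.port in asset.open_ports)
    if event.vulnerability is not None:
        checks.append(event.vulnerability in asset.vulnerabilities)
    if not checks:
        return "unknown"  # event carries neither a port nor a vulnerability
    # Assumption: a closed port or an absent vulnerability makes the event not relevant.
    return "relevant" if all(checks) else "not relevant"

def triage(events, model):
    """Group event names by relevance so non-relevant ones can be deprioritized."""
    groups = {"relevant": [], "not relevant": [], "unknown": []}
    for ev in events:
        groups[assess_relevance(ev, model)].append(ev.name)
    return groups

if __name__ == "__main__":
    for label, names in triage(EVENTS, ASSET_MODEL).items():
        print(f"{label}: {names}")
```

Attempt C lands in "unknown" rather than "not relevant" because its target is not in the asset model, which mirrors the point that relevance cannot be judged for an unmodeled system.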

All of these data points become factors in calculating the event's overall priority described in Evaluate the Priority Formula. View the video for more in-depth analysis, and check out our Intelligent Security Operations.


Version history: revision 1 of 1, last update 06-07-2018 02:51 AM

Brian, great video and article! Presenting how to leverage the asset model capabilities available out of the box is truly best practice!