Alert Scoring and Categories in Stellar Cyber
This section describes how Stellar Cyber assigns Alert Scores to events and then categorizes them based on those scores.
How Alert Scores are Assigned
Stellar Cyber uses Machine Learning and analytics to compute Alert Scores based on the following:
- Fidelity– our confidence in our analysis. The higher the Fidelity Score, the higher our confidence that we correctly observed a malicious event. If this is high, it drives the Alert Score higher. If this and the Threat Intel score are low, they reduce the Alert Score.
- Severity– the importance of the category of the event. The higher the Severity Score, the more dangerous the possible consequences of the event. In general, later-stage events have a higher severity.
- Threat Intel – the reputation of the IP addresses and URLs as assessed by the threat intel sources. The higher the Threat Intel Score, the worse the reputation. If this is high, it drives the Alert Score higher. If this and the Fidelity Score are low, they reduce the Alert Score.
- Data Period – This is the duration of the observed event, which affects analysis of anomalous events (it is not the duration of the event itself).
Alert, Fidelity, Severity, and Threat Intel scores appear throughout the Stellar Cyber user interface, particular in Event Detail displays, as illustrated below in the Event Detail Header.
Alert Categories
Stellar Cyber uses a consistent set of categories throughout the user interface to group alerts based on their Alert Score:
|
Alert Category in Stellar Cyber Displays |
Alert Score |
|---|---|
| Critical | Alert Score ≥ 75 |
| Major | Alert Score ≥ 50 and < 75 |
| Minor | Alert Score ≥ 25 and < 50 |
| Notice | Alert Score < 25 |
Alert categories appear throughout the Stellar Cyber user interface, particularly in the XDR Kill Chain dashboard and loop, as illustrated below:
Fidelity Categories
Stellar Cyber categorizes Fidelity Scores consistently throughout the user interface as follows:
|
Fidelity Category in Stellar Cyber Displays |
Fidelity Score |
|---|---|
| High Fidelity | Fidelity Score ≥ 75 |
| Other Fidelity | Fidelity Score < 75 |
Fidelity categories also appear throughout the Stellar Cyber user interface, particularly in the Alerts page and its associated tables and graphs. For example, you can see the High Fidelity column in the Alerts display below indicating the quantity of alerts for the corresponding Alert Type with a Fidelity Score of 75 or greater.
