ShimKwan
Apr 12, 2021 | Brass Contributor
Azure Sentinel Incident Severity Mapping
Hi, So Sentinel categorizes its incidents as "Low, Medium or High". However, a typical SOC might have incidents ranging from P1-P5. I'm curious how have other organizations mapped the 3 Sent...
Rod_Trent
Microsoft
Apr 12, 2021
The P1-P5 rating is generally considered part of the ITIL for unplanned interruption to services and/or quality of service for ITSM. I know some SOCs have applied that to security operations. You might consider, then, mapping Low to P1, Medium to P3, and High to P5.
ShimKwan
Apr 12, 2021 | Brass Contributor
Hi,
Thank you for replying.
P1 is typically the most critical, so that would be linked to "High", with P5 linked to "Low".
This is what we have already done; we were looking for a bit more of a detailed mapping suggestion, like perhaps getting some more info from the incident (MITRE ATT&CK details, for example) and mapping that to the relevant P1-P5 incident.
Will keep investigating.
Thank you
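One way the enrichment ShimKwan asks for could look in practice, as an added example that is not code from the thread or from Microsoft: start from the Sentinel severity and escalate the P-level when the incident's ATT&CK tactics show late-stage activity or a wide blast radius. The tactic set, the thresholds, the `Incident` fields and the assumption that tactics are read from the `SecurityIncident` table's `AdditionalData` column are all assumptions to be tuned to your own SOC.

```python
# Added example (not from the thread): derive a P1-P5 priority for an
# Azure Sentinel incident from its severity plus MITRE ATT&CK tactics.
# Weightings and thresholds below are assumptions for illustration.
from dataclasses import dataclass, field

# Baseline: Sentinel's severities spread over the five ITSM levels so that
# escalation has room to move. "Informational" is Sentinel's lowest severity.
SEVERITY_BASE = {"High": 2, "Medium": 3, "Low": 4, "Informational": 5}

# Tactics whose presence suggests the adversary is past initial foothold
# (assumed set; names as Sentinel writes them in AdditionalData.tactics).
LATE_STAGE_TACTICS = {"Exfiltration", "Impact", "CommandAndControl", "LateralMovement"}

@dataclass
class Incident:
    title: str
    severity: str                                 # High / Medium / Low / Informational
    tactics: list = field(default_factory=list)   # ATT&CK tactic names on the incident
    entity_count: int = 0                         # hosts/accounts correlated into it

def priority(inc: Incident) -> str:
    """Return "P1".."P5". Severity sets the baseline; a late-stage tactic
    raises it one level, a multi-stage chain or many entities one more."""
    level = SEVERITY_BASE.get(inc.severity, 5)     # unknown severity -> lowest
    if LATE_STAGE_TACTICS & set(inc.tactics):
        level -= 1
    if len(inc.tactics) >= 3 or inc.entity_count >= 5:
        level -= 1
    return f"P{max(1, min(5, level))}"             # clamp to the P1-P5 range

def triage(incidents) -> dict:
    """Map each incident title to its derived priority."""
    return {inc.title: priority(inc) for inc in incidents}

# Constructed sample incidents (not real data) showing how the rules combine.
SAMPLE = [
    Incident("Data staged and sent out", "High", ["Collection", "Exfiltration"], 2),
    Incident("Single phishing click", "Medium", ["InitialAccess"], 1),
    Incident("Odd logon, low confidence", "Low", [], 1),
    Incident("Slow spread across fleet", "Low",
             ["Persistence", "Discovery", "LateralMovement"], 8),
]

if __name__ == "__main__":
    for title, level in triage(SAMPLE).items():
        print(f"{level}: {title}")
```

A Low-severity incident that already shows lateral movement across several hosts lands at P2 here, which is the kind of distinction a severity-only mapping cannot make.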