Forum Discussion

ShimKwan
Brass Contributor
Apr 12, 2021

Azure Sentinel Incident Severity Mapping

Hi,


So Sentinel categorizes its incidents as "Low, Medium or High".

However, a typical SOC might have incidents ranging from P1-P5.


I'm curious how other organizations have mapped the 3 Sentinel severities to a typical incident priority rating of P1-P5 (so 5 categories).


We'd like to automate the logging of Sentinel tickets in our ISMS system, but how to map 3 into 5 priorities?


Thank you,

SK

  • The P1-P5 rating is generally considered part of ITIL, for unplanned interruptions to services and/or quality of service in ITSM. I know some SOCs have applied that to security operations. You might consider, then, mapping Low to P1, Medium to P3, and High to P5.
    •
      ShimKwan
      Brass Contributor
      Hi,
      Thank you for replying.
      P1 is typically the most critical, so that would be linked to 'High'...with P5 linked to 'Low'.
      This is what we have already done; we were looking for a bit more of a detailed mapping suggestion - like perhaps getting some more info from the incident, like MITRE ATT&CK details for example, and mapping that to the relevant P1-P5 incident.
      Will keep investigating.
      Thank you
      •
        AmiShinu
        Copper Contributor

        ShimKwan I'm at the same spot, where we're trying to figure out a better way to do this mapping between Sentinel severity and our internal severity (P1-P5). Would appreciate it if you could share some suggestions on how you handled this. Thanks in advance.
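Added example (not code from anyone in this thread): one way to automate the mapping that ShimKwan describes, starting from the 3-to-5 base mapping already in use (High to P1, Medium to P3, Low to P5) and then refining it with the MITRE ATT&CK tactics and alert count that Sentinel attaches to each incident. The field names follow the Sentinel incident REST resource (`properties.severity`, `properties.additionalData.tactics`, `properties.additionalData.alertsCount`); Sentinel also emits an "Informational" severity, which is handled here. The tactic weights, the alert-count threshold and the ISMS ticket shape are illustrative assumptions to tune per SOC, and the sample incidents are constructed, not real data.

```python
"""Map Azure Sentinel incident severity to a P1-P5 SOC priority (added example).

Field names follow the Sentinel incident REST resource; the tactic weights,
thresholds and ISMS ticket fields are assumptions for illustration only.
"""
import json
from typing import Any, Dict, List

# Base mapping: P1 is the most critical. Sentinel also emits "Informational".
BASE_PRIORITY: Dict[str, int] = {
    "High": 1,
    "Medium": 3,
    "Low": 5,
    "Informational": 5,
}

# Illustrative MITRE ATT&CK tactic weights (assumption, tune per organization):
# negative values raise urgency (lower P number), positive values lower it.
# Tactics not listed here are neutral.
TACTIC_ADJUST: Dict[str, int] = {
    "Impact": -1,
    "Exfiltration": -1,
    "CommandAndControl": -1,
    "LateralMovement": -1,
    "Reconnaissance": 1,
    "Discovery": 1,
}

# An incident that already correlates several alerts gets one extra bump (assumption).
ALERT_COUNT_BUMP_THRESHOLD = 3


def priority_from_incident(incident: Dict[str, Any]) -> int:
    """Return an integer priority 1..5 (1 = P1) for a Sentinel incident resource."""
    props = incident.get("properties", {})
    base = BASE_PRIORITY.get(props.get("severity", "Informational"), 5)

    extra = props.get("additionalData") or {}
    tactics: List[str] = extra.get("tactics") or []
    # Use the most urgent tactic present rather than summing, so an incident
    # tagged with many tactics is not inflated beyond its worst single tactic.
    adjust = min((TACTIC_ADJUST.get(t, 0) for t in tactics), default=0)
    if extra.get("alertsCount", 0) >= ALERT_COUNT_BUMP_THRESHOLD:
        adjust -= 1

    # Clamp so that enrichment never pushes outside the P1-P5 scale.
    return max(1, min(5, base + adjust))


def priority_label(incident: Dict[str, Any]) -> str:
    """Return the priority as the 'P<n>' string an ITSM/ISMS tool expects."""
    return f"P{priority_from_incident(incident)}"


def build_isms_ticket(incident: Dict[str, Any]) -> Dict[str, Any]:
    """Build the payload an automation step would post to a (hypothetical) ISMS API."""
    props = incident.get("properties", {})
    extra = props.get("additionalData") or {}
    return {
        "title": props.get("title", "Sentinel incident"),
        "priority": priority_label(incident),
        "sentinel_severity": props.get("severity"),
        "sentinel_incident_number": props.get("incidentNumber"),
        "tactics": list(extra.get("tactics") or []),
        "source_url": props.get("incidentUrl"),
    }


# Constructed sample incidents (not real data), shaped like Sentinel API output.
SAMPLE_INCIDENTS: List[Dict[str, Any]] = [
    {"properties": {"title": "Mass download from SharePoint", "incidentNumber": 101,
                    "severity": "High",
                    "additionalData": {"alertsCount": 1, "tactics": ["Exfiltration"]}}},
    {"properties": {"title": "Unusual directory enumeration", "incidentNumber": 102,
                    "severity": "Medium",
                    "additionalData": {"alertsCount": 1, "tactics": ["Discovery"]}}},
    {"properties": {"title": "Pass-the-hash with suspicious logons", "incidentNumber": 103,
                    "severity": "Medium",
                    "additionalData": {"alertsCount": 4,
                                       "tactics": ["LateralMovement", "Discovery"]}}},
    {"properties": {"title": "Single failed sign-in burst", "incidentNumber": 104,
                    "severity": "Low",
                    "additionalData": {"alertsCount": 1, "tactics": []}}},
]

if __name__ == "__main__":
    for inc in SAMPLE_INCIDENTS:
        print(json.dumps(build_isms_ticket(inc)))
```

With these weights the High/Exfiltration incident stays P1, the Medium/Discovery incident drops to P4, the Medium incident with lateral movement across four correlated alerts rises to P1, and the Low incident remains P5. The same function can sit in an Azure Function or Logic Apps step fed by the incident-creation trigger; the point is that the tactic table and thresholds are data your SOC owns and can revise without touching the automation.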
