Azure Sentinel Incident Severity Mapping

%3CLINGO-SUB%20id%3D%22lingo-sub-2267105%22%20slang%3D%22en-US%22%3EAzure%20Sentinel%20Incident%20Severity%20Mapping%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2267105%22%20slang%3D%22en-US%22%3E%3CP%3EHi%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESo%20Sentinel%20categorizes%20its%20incidents%20as%20%22Low%2C%20Medium%20or%20High%22.%3C%2FP%3E%3CP%3EHowever%2C%20a%20typical%20SOC%20might%20have%20incidents%20ranging%20from%20P1-P5.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI'm%20curious%20how%20have%20other%20organizations%20mapped%20the%203%20Sentinel%20severitys%20to%20the%20a%20typical%20incident%20priority%20rating%20of%20P1-P5%20(so%205%20categories).%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe'd%20like%20to%20automate%20the%20logging%20of%20Sentinel%20tickets%20in%20our%20ISMS%20system%2C%20but%20how%20to%20map%203%20into%205%20priorities%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThank%20you%2C%3C%2FP%3E%3CP%3ESK%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-2267105%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EOffice%20365%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3Eoperations%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESecurity%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESentinel%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
Contributor

Hi,

 

So Sentinel categorizes its incidents as "Low, Medium or High".

However, a typical SOC might have incidents ranging from P1-P5.

 

I'm curious how have other organizations mapped the 3 Sentinel severitys to the a typical incident priority rating of P1-P5 (so 5 categories).

 

We'd like to automate the logging of Sentinel tickets in our ISMS system, but how to map 3 into 5 priorities?

 

Thank you,

SK

2 Replies
The P1-P5 rating is generally considered part of the ITIL for unplanned interruption to services and/or quality of service for ITSM. I know some SOCs have applied that to security operations. You might consider, then, mapping Low to P1, Medium to P3, and High to P5.
Hi,
Thank you for replying.
P1 is typically the most critical, so that would be linked to 'high'...with P5 linked to "low".
This is what we have already done; we were looking for a bit more of a detailed mapping suggestion - like perhaps getting some more info from the incident, like Mitre Attack details for example, and mapping that to the relevant P1-P5 incident.
Will keep investigating.
Thank you