It is standard practice to categorize cyber threat use cases by severity on a scale that typically runs low, medium, high, and critical. Everyone cares when something is critical or high, but does anyone care about the lows?
Use case or alert severity is typically a function of two key factors related to threats: likelihood and impact. If something bad is happening, we want to know what the potential impact is so we can prioritize action. Separately, we need to know how likely that bad thing is to have happened.
MASSIVE, SIDE TANGENT: Likelihood is hard to derive and is often assessed as how frequently a given use case contains an actual threat. Under a different lens, likelihood is seen as a level of confidence derived from two frequencies: 1) how often a given use case 'fires' off an alert, and 2) how often those alerts lead to a real response action. Moreover, this confidence is weighted not just on how often the use case is 'right' in its detection but also on how often that use case fires at all. Many environments don't see a large volume of actionable threats, so if one of their use cases fires a lot, it can be perceived as low confidence and, by association, the threat it detects as low likelihood. That last leap is certainly a huge stretch, but that's how it often appears in practice in the real world.
We pulled some low-severity alerts from a very common security tool. What you’ll find is a mix of things that sound somewhat interesting or downright scary.
It's all about precision. Sometimes you can observe actions that threat actors take, but the way you detect those actions isn't precise enough to match only the bad ones. Thus, these use cases fall victim to a ton of false positives.
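To make the tangent above and the precision point concrete, here is an added example (not code from the original post or from any security tool it references) that computes, per use case, how often a rule fired, how often an alert led to a response action, and the resulting precision, then derives the "perceived likelihood" bucket the tangent describes. The alert records, rule names, and the thresholds used for bucketing are all constructed assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample alert log: (use_case_name, disposition).
# Disposition "actioned" means the alert led to a real response action;
# "closed_fp" means it was closed as a false positive.
SAMPLE_ALERTS = (
    # High-volume, low-precision rule: 40 alerts, 2 real incidents
    [("encoded_powershell_commandline", "actioned")] * 2
    + [("encoded_powershell_commandline", "closed_fp")] * 38
    # Low-volume, high-precision rule: 3 alerts, 2 real incidents
    + [("lsass_memory_access", "actioned")] * 2
    + [("lsass_memory_access", "closed_fp")] * 1
    # Moderate-volume rule that has never been right: 20 alerts, 0 real
    + [("long_dns_txt_query", "closed_fp")] * 20
)

# Assumed thresholds for the "perceived likelihood" heuristic.
HIGH_VOLUME = 10      # alerts over the sample period
LOW_PRECISION = 0.10  # fraction of alerts that were actioned


def score_use_cases(alerts):
    """Return {use_case: {"fired": n, "actioned": k, "precision": k/n}}."""
    fired = defaultdict(int)
    actioned = defaultdict(int)
    for rule, disposition in alerts:
        fired[rule] += 1
        if disposition == "actioned":
            actioned[rule] += 1
    return {
        rule: {
            "fired": fired[rule],
            "actioned": actioned[rule],
            "precision": actioned[rule] / fired[rule],
        }
        for rule in fired
    }


def perceived_likelihood(stats):
    """The 'leap' described in the tangent: a rule that fires a lot and is
    rarely right is treated as low confidence, and the threat it covers as
    low likelihood. Precise rules (whatever their volume) are rated high;
    everything else lands in the middle."""
    if stats["fired"] >= HIGH_VOLUME and stats["precision"] < LOW_PRECISION:
        return "low"
    if stats["precision"] >= 0.5:
        return "high"
    return "medium"


def rank_use_cases(alerts):
    """Combine both steps; returns {use_case: (fired, precision, bucket)}."""
    scored = score_use_cases(alerts)
    return {
        rule: (s["fired"], round(s["precision"], 3), perceived_likelihood(s))
        for rule, s in scored.items()
    }


if __name__ == "__main__":
    for rule, (fired, precision, bucket) in rank_use_cases(SAMPLE_ALERTS).items():
        print(f"{rule:32} fired={fired:3} precision={precision:.3f} -> {bucket}")
```

Note that the encoded PowerShell rule still caught two real incidents; it is bucketed "low" purely because of its volume and false-positive rate, which is exactly the distortion the tangent warns about. Tracking the actioned count alongside precision keeps that fact visible when deciding whether a low-severity use case deserves tuning rather than the basement.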
The sad truth is not much. They were created by some smart person who realized they could observe bad guys doing bad things. However, operationalizing these use cases was too expensive (in terms of people's time). Given that the secondary goal of every SOC analyst is to eliminate all false positives, many of these use cases end up in the basement collecting dust.