Severity field in IDF

kamil-certat · kamil-certat · commit dd7a4913e79a · 2025-04-03T16:09:42.000+02:00
Severity is expected in IntelMQ for a long time and partially, it's already used by e.g. ShadowServer reports. This implementation is based on their understanding of the field, but with explicit mentioning that operators could adjust it based on their knowledge. This is not intended to be an ultimate severity classification, but a help for first triage of recived events. Close #2365
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -21,6 +21,9 @@ Please refer to the [NEWS](NEWS.md) for a list of changes which have an affect o
 
 ### Data Format
 
+- added `severity` field to help with triaging received events (PR# by Kamil Mańkowski).
+  To allow saving the field in PostgreSQL database in existing installations, the following schema update is necessary: `ALTER TABLE events ADD severity varchar(10);`.
+
 ### Bots
 #### Collectors
 
diff --git a/intelmq/etc/harmonization.conf b/intelmq/etc/harmonization.conf
@@ -362,6 +362,12 @@
         "tlp": {
             "description": "Traffic Light Protocol level of the event.",
             "type": "TLP"
+        },
+        "severity": {
+            "description": "Severity of the event, based on the information from the source, and eventually modified by IntelMQ during processing. Meaning of the levels may differ based on the event source.",
+            "type": "LowercaseString",
+            "regex": "^(critical|high|medium|low|info|undefined)$",
+            "length": 10
         }
     },
     "report": {
