You notice that the severity levels in the detection logs of DDI are different even if they all have rule ID 52 "Email message sent through an unregistered SMTP server".
This article explains:
- Why severity levels are different even if the detections have the same rule ID;
- How DDI decides the severity value of a detection; and
- What is the difference between severity and confidence level
Virtual Analyzer also updates the severity level according to its analysis report if the Detection Log has the same SHA-1 value. The result from Virtual Analyzer takes higher priority than the other rules. Because of this, it overwrites the severity level determined by other rules. Analysis results from Virtual Analyzer are delayed and this is why you may see different severity levels at different times while you query Detection Logs.
Severity Levels refer to the extent of the damage of a potential or known threat.
The levels are defined as:
A behavior that denotes definite "compromise". The compromised host will be subjected to Smart Tracking.
A known malicious behavior that is common but not confirmed to be successful.
An anomalous or suspicious behavior that is possibly benign, though could be related to a threat.
Is also a common behavior that is possibly benign or could be related to a threat.
Confidence Level, on the other hand, refers to how strong the DDI pattern files are. Just like Severity Levels, Confidence levels are marked as Low, Medium, and High.
Low Confidence Levels are very prone to false positives while High Confidence Levels are unlikely to have false positives.