Alert Severity Meanings
Every Burrow alert carries one of five severity levels: Critical, High, Medium, Low, or Info. Severity is assigned by the rule that generated the alert and drives both the operator response expected and Burrow's default email behaviour. This page is the canonical reference.
The five levels
Critical
What it means: assume the activity is bad until proven otherwise. Drop other work to investigate.
Typical categories at this level:
- ransomware_signature — encrypt-and-replace pattern detected.
- anonymizer_access_critical — access from a Tor exit node.
- malicious_ip_access_critical — access from a known-bad IP on threat-intel lists.
- sensitive_ext_exfil_critical — download of high-risk file types (mailbox archives, credential vaults, backup files).
- audit_tampering — attempts to disable or modify the audit log.
Default email behaviour: emails at every Minimum severity setting (Low / Medium / High / Critical). Always reaches recipients.
Expected response time: immediate.
High
What it means: likely bad, investigate today.
Typical categories at this level:
- data_exfiltration_high — large downloads beyond the threshold for the current detection posture.
- mass_deletion_high — many file deletions in a short window.
- account_compromise, impossible_travel_signin — anomalous sign-in patterns.
- unmanaged_device_access — sensitive activity from non-compliant devices.
- risky_sharing — external sharing of files at scale.
- peer_group_deviation, intraday_velocity_burst — UEBA detections at high magnitude.
- site_collection_admin_grant — privilege escalation.
Default email behaviour: emails at Low / Medium / High Minimum severity settings. Suppressed when Min severity = Critical.
Expected response time: same business day.
Medium
What it means: worth a look. Often the noisiest tier because it includes routine UEBA deviation signal.
Typical categories at this level:
- data_exfiltration_med — smaller exfil envelope.
- mass_deletion_med — smaller deletion volume.
- behavioral_deviation — moderate UEBA deviation from baseline.
- unusual_hour_activity — activity outside the user's typical hours.
- dow_drift — day-of-week pattern broken.
- ua_anomaly — new user-agent.
- external_user_group_add — guest account provisioning.
Default email behaviour: emails at Low / Medium Minimum severity settings. Suppressed when Min severity = High or Critical.
Expected response time: triage during normal SOC review (next shift).
Low
What it means: informational. Captured for forensics and trend analysis, not for active hunting.
Typical categories at this level: UEBA detections at small magnitude, low-priority sensitive-site touches, single events that warrant logging but not response.
Default email behaviour: emails only at Min severity = Low. Suppressed at every higher setting.
Expected response time: none. Reviewed in bulk during weekly tuning passes.
Info
What it means: purely audit. Never wakes anyone.
Typical categories at this level: edge-case events captured for completeness and audit trail. Rarely emitted.
Default email behaviour: never emails, regardless of Minimum severity setting. Dashboard-only.
Expected response time: none. Reviewed only if explicitly searched.
Severity → action map
| Severity | Operator response expected | Email at default Min severity = Medium |
|---|---|---|
| Critical | Investigate immediately. Page someone if needed. | Emails. |
| High | Investigate within the business day. | Emails. |
| Medium | Triage during normal SOC review. | Emails. |
| Low | Captured for forensics; no active hunting. | Suppressed (raise to Min = Low to see). |
| Info | Audit-only. | Suppressed. |
How severity is assigned
Every rule carries a default severity in its definition. Some rules also tier into multiple severities (e.g. data_exfiltration_high vs data_exfiltration_med, where the same family of behaviour at different magnitudes gets different rules and different severities).
The detection posture (Permissive through Paranoid) affects which thresholds trigger which rule, but not what severity each rule emits when it fires. Changing the posture changes how OFTEN you see alerts at each severity, not what severity means.
How severity can be modified after the fact
Two mechanisms can change an alert's severity after the rule fires:
- Sensitive sites — alerts on activity touching a sensitive site get bumped one tier (Medium to High, etc.) with a sev_bumped=true flag and a bump reason in the evidence.
- Downgrade exceptions — entity exceptions configured with action=Downgrade reduce severity by one tier for matching (user, category) pairs.
A bumped Medium-to-High alert from a sensitive site shows as High everywhere — on the Alerts page, in emails, in the Briefing. The sev_bumped flag in the evidence is the trace of why.
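As an added illustration (not Burrow's own code), the following Python models the rules on this page end to end: the Minimum-severity email gate with the Info exception, the sensitive-site bump that sets sev_bumped=true, and the action=Downgrade exception. The exception record shape, the cap at Critical when bumping, and applying the bump before the downgrade are assumptions not stated on the page.

```python
# Added example: a model of Burrow's severity rules as documented, not Burrow code.
SEVERITY_ORDER = ["Info", "Low", "Medium", "High", "Critical"]
RANK = {name: i for i, name in enumerate(SEVERITY_ORDER)}


def should_email(severity, min_severity="Medium"):
    """Default email behaviour: Info never emails; other tiers email when at
    or above the recipient's Minimum severity setting (default Medium)."""
    if severity == "Info":
        return False
    return RANK[severity] >= RANK[min_severity]


def bump_one_tier(severity):
    # Assumption: an alert already at Critical stays at Critical.
    return SEVERITY_ORDER[min(RANK[severity] + 1, RANK["Critical"])]


def downgrade_one_tier(severity):
    # Assumption: an alert already at Info stays at Info.
    return SEVERITY_ORDER[max(RANK[severity] - 1, 0)]


def apply_modifiers(alert, sensitive_sites, exceptions):
    """Return a copy of the alert with post-rule severity changes applied.

    alert: dict with 'user', 'category', 'severity', 'site', 'evidence'.
    sensitive_sites: set of site names configured as sensitive.
    exceptions: list of {'user', 'category', 'action'} (assumed shape).
    Assumption: the sensitive-site bump is applied before any downgrade.
    """
    out = dict(alert)
    out["evidence"] = dict(alert.get("evidence", {}))
    if alert.get("site") in sensitive_sites:
        out["severity"] = bump_one_tier(alert["severity"])
        out["evidence"]["sev_bumped"] = True
        out["evidence"]["bump_reason"] = "sensitive site: " + alert["site"]
    for exc in exceptions:
        matches = (exc["user"], exc["category"]) == (alert["user"], alert["category"])
        if exc.get("action") == "Downgrade" and matches:
            out["severity"] = downgrade_one_tier(out["severity"])
    return out


# Constructed sample: a Medium UEBA alert on a sensitive site, no exceptions.
SAMPLE_ALERT = {"user": "alice@example.test", "category": "behavioral_deviation",
                "severity": "Medium", "site": "Finance-Payroll", "evidence": {}}
SAMPLE_RESULT = apply_modifiers(SAMPLE_ALERT, {"Finance-Payroll"}, [])
```

With the sample above the alert is shown as High everywhere and now emails at the default Minimum severity, which is exactly the trace the sev_bumped flag exists to explain.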
See also
- Rule catalog — per-rule reference including the severity each rule emits.
- Email types Burrow sends — how severity interacts with the email pipeline.
- Configuring alert email recipients — where Minimum severity is set per recipient.
Need help? support@smikar.com.