
Add the severity/score confidence level as determined by the event source

Open Noafr opened this issue 2 years ago • 1 comment

Problem: In addition to the severity field, some vendors are also sending a "confidence" score to describe the certainty of the severity determined for the incident/event. For example, Vectra sends the $certainty field (int) to describe the certainty of the detection. This has also been the case with some TI vendors who are using an indicator confidence score (IC-Score) to describe expert-based indicator confidence scores for TI events.

Suggestion: Add a new attribute (e.g. ref_severity_confidence (int)) to describe the confidence level of the score given by the event source.

Noafr avatar Oct 14 '22 15:10 Noafr

Agreed - pretty common to have confidence as well as severity.

pagbabian-splunk avatar Oct 14 '22 23:10 pagbabian-splunk

We are proposing a general purpose solution for all reference attributes to the original data.

Aniak5 avatar Oct 18 '22 17:10 Aniak5

I think there is another issue here: do we need to have the standard confidence (0-100) used with severity which would imply it would need to be in the base class. I agree that the original should be consistent with other original values within unmapped.

pagbabian-splunk avatar Oct 28 '22 03:10 pagbabian-splunk
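The normalization sketched in the comments above (a standard 0-100 confidence carried next to severity, with the vendor's original value preserved under unmapped), as an added illustration that is not OCSF project code. The vendor scale bounds (0-99), the severity thresholds and the input field names are assumptions; severity_id, confidence and unmapped follow the names used in the thread.

```python
# Added example, not OCSF project code: map a vendor "certainty" value onto a
# 0-100 confidence alongside severity, keeping the original under "unmapped".
from typing import Any, Dict

# Constructed vendor event; "certainty" mirrors the Vectra-style score
# mentioned in the issue. A 0-99 scale is an assumption for this example.
VENDOR_EVENT = {"threat": 70, "certainty": 85, "host": "ws-01.example.internal"}


def scale_to_percent(value: float, lo: float, hi: float) -> int:
    """Map a vendor score on [lo, hi] onto an integer 0-100, clamping out-of-range input."""
    if hi <= lo:
        raise ValueError("invalid scale bounds")
    clamped = min(max(value, lo), hi)
    return round((clamped - lo) * 100 / (hi - lo))


def severity_id_from_threat(threat: int) -> int:
    """Coarse bucketing of a 0-99 vendor threat score onto an OCSF-style
    severity_id (1 Informational .. 5 Critical). Thresholds are assumptions."""
    for limit, sev in ((20, 1), (40, 2), (60, 3), (80, 4)):
        if threat < limit:
            return sev
    return 5


def normalize(event: Dict[str, Any]) -> Dict[str, Any]:
    """Build a normalized record: severity_id always, confidence only when the
    source supplied one, and the untouched originals kept under unmapped."""
    out: Dict[str, Any] = {
        "severity_id": severity_id_from_threat(event["threat"]),
        # Originals stay as the vendor sent them so the mapping is auditable.
        "unmapped": {"threat": event["threat"], "certainty": event.get("certainty")},
    }
    certainty = event.get("certainty")
    if certainty is not None:
        out["confidence"] = scale_to_percent(certainty, 0, 99)
    return out


if __name__ == "__main__":
    print(normalize(VENDOR_EVENT))
```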

We have a confidence in the finding object as seen here. This object is referenced within the security findings event class. Does this suffice for your use case @Noafr? Or do you need a confidence for non-security related events?

Aniak5 avatar Oct 28 '22 15:10 Aniak5

I would also ask/add: do we need confidence in standard events that include severity (i.e. all events) rather than only the finding object which is not usually an original source event (e.g. the result of an analysis of some kind)?

pagbabian-splunk avatar Oct 28 '22 17:10 pagbabian-splunk