Each event is assigned a value from 0 to 10, indicating how critical the event is. The higher the number, the more urgent the required response.

| Severity Range | Category | Event Description |
|---|---|---|
| 0 – 3 | Informational / Normal (Low) | Standard, successful, low-risk events (e.g., document read, successful login, application start). |
| 4 – 6 | Warning / Notification (Medium) | Events requiring attention, potentially indicating issues (e.g., failed login, data retention policy violation, application error). |
| 7 – 8 | Alert / Error (High) | Serious security incidents or failures (e.g., database connection error, brute force attack, encryption error). Requires a response. |
| 9 – 10 | Critical / Emergency (Very High) | The most severe threats to system integrity (e.g., session hijacking, data leak, attempt to manipulate audit logs). Requires IMMEDIATE intervention. |
