I am setting up asset center in Splunk ES/PCI. The idea of an Asset priority is sorta vague. Is it left that way on purpose? For me to define?
"Example: Must be one of unknown, informational, low, medium, high, or critical"
To answer asset priority in simple terms, it means which asset's event will be prioritized if an (similar severity) event occurred at the same time on two assets. Straight from the docs is this:
The priority field (high) is combined with the severity of the search to create the urgency for the notable event.
Prioritization. The same type of events on two different systems may not deserve the same level of attention; a medium severity event against a desktop machine is less urgent than the same issue against an externally facing web-server that processes credit card information. Asset management allows an urgency to be computed based on the priority of hosts and assign higher urgency to high priority assets.
The severity of the event and the priority of the host are combined to generate the urgency of an event. That is what is built into the system. Users desktop less important than server, which is less important than a critical app server etc... You get to assign your priorities based on what is important to your environment.
I have the same/a similar question: How do you change an Asset's priority? I have a bunch of Assets, but they are all medium priority. I want to start changing the priority of some Assets to High and Critical... How do I do this?