I am writing a search that will track when the firewall sees outbound traffic over non-standard ports. I have a requirement that states if the destination IP is a known malicious domain, then the severity should be critical. Otherwise, it will be medium. I can certainly accomplish this by writing two searches (one for malicious domains, one for non-malicious domains), but was wondering if I could do it within one search.
I think you can manually set the severity field from within the correlation search (field name is "severity"). I would approach this by performing your lookup for known malicious domains and if true then set the severity to critical.
Something like this might work:
...|lookup nastyiplist ip OUTPUT ip as nastyip|eval severity=if(len(nastyip)>0,"critical","medium")|...
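A fuller version of that pattern, added here as an illustration and not code from the answer above: the nastyiplist lookup and its ip field come from the answer, while the index name (firewall) and the event field names (src_ip, dest_ip, dest_port, action, direction) and the "standard" port list are assumptions that depend on your firewall vendor and add-on. It tests the lookup result with isnotnull() so an unmatched destination falls through to medium explicitly, then summarises per pair so a critical hit is not lost among medium-severity noise.

```spl
index=firewall action=allowed direction=outbound
    NOT dest_port IN (25, 53, 80, 443)
| lookup nastyiplist ip AS dest_ip OUTPUT ip AS nastyip
| eval severity=if(isnotnull(nastyip), "critical", "medium")
| stats count,
        dc(dest_port) AS distinct_ports,
        values(dest_port) AS dest_ports,
        min(_time) AS first_seen,
        max(_time) AS last_seen
    BY src_ip, dest_ip, severity
| convert ctime(first_seen) ctime(last_seen)
| sort severity, - count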