I created a correlation search in Enterprise Security 2.4.1 which, when triggered, creates notable events with an urgency value of "medium" as opposed to "high". The details of the search follow:
Domain: Access
Application Context: SA-AccessProtection
Search:
Group_Name="admin" account_management
| get_event_id
| eval Group=Group_Domain + "\" + Group_Name | stats first(_raw) as orig_raw,first(event_id) as orig_event,count by signature,ComputerName,Group_Domain,Group_Name
Time Range: Start:-5m@m Finish: +5m@m
Cron Schedule: */5 * * * *
Rule Tile: Account Maintenance Detected - Admin Group $Group_Name$
Rule Description: Maintenance has been performed on the Admin Group $Group_Name$
Severity: high
Drill-down Name: View all changes to the group $Group_Name$
Drill-down Search: account_management
| search signature=$signature$ Group_Domain=$Group_Domain$ Group_Name=$Group_Name$ ComputerName=$ComputerName$
Window Duration: 5m
Fields to Group By: EventCode, signature, ComputerName, Group_Domain, Group_Name
Being that the severity specified is "high", shouldn't the notable event also appear with an urgency of "high"?
Thank you.
The urgency is a calculation based on the severity of the correlation search and the asset's priority. See these docs for details.
The assets have a priority of either medium or high. The correlation search is defined with a severity of high. It is my understanding that for both types of assets, the resulting urgency would be high.
Is this not the case?