I created a correlation search in Enterprise Security 2.4.1 which, when triggered, creates notable events with an urgency value of "medium" as opposed to "high". The details of the search follow:
Application Context: SA-AccessProtection
| `get_event_id` | eval Group=GroupDomain + "\\" + GroupName | stats first(_raw) as orig_raw, first(event_id) as orig_event, count by signature, ComputerName, GroupDomain, GroupName
Time Range: Start:-5m@m Finish: +5m@m
Cron Schedule: */5 * * * *
Rule Title: Account Maintenance Detected - Admin Group $GroupName$
Rule Description: Maintenance has been performed on the Admin Group $GroupName$
Drill-down Name: View all changes to the group $GroupName$
Drill-down Search: `accountmanagement` | search signature=$signature$ GroupDomain=$GroupDomain$ GroupName=$GroupName$ ComputerName=$ComputerName$
Window Duration: 5m
Fields to Group By: EventCode, signature, ComputerName, GroupDomain, GroupName
Being that the severity specified is "high", shouldn't the notable event also appear with an urgency of "high"?
The assets have a priority of either medium or high. The correlation search is defined with a severity of high. It is my understanding that for both types of assets, the resulting urgency would be high.
Is this not the case?