Splunk Search

How to display Palo threats over a month with severity against allowed & blocked actions?

mkshah
New Member

Hi ,

How do I display the number of blocked and allowed threats with different severities in a timeframe (e.g. monthly)?

Something like this output:

Month      action     critical   high   medium   low
2022-11    allowed    9          22     45       100
           blocked    20         400    44345    23423
2022-10    allowed    39         22     4        100
           blocked    20         500    4445     23423

I can get either of the outputs below, but not the one above:

----

index=palo-network threat sourcetype="pan:threat" severity!=informational| bucket _time span=1month | eval Date=strftime('_time',"%Y-%m")| stats values(severity) count by _time,action

----

index=palo-network threat sourcetype="pan:threat" severity!=informational | bucket _time span=1month | eval Date=strftime('_time',"%Y-%m") | chart count over action by severity

 

Thank you.


yuanliu
SplunkTrust

You gave an excellent mockup of the desired output.  What you should have explained is that the rest of the columns (critical, high, medium, low) are values of the field named "severity".  This finer point may seem obvious to you, but it is not always obvious to other people who may be able to help.  Pro tip: Always explain your data, and generally illustrate sample data in text if possible. (Anonymize as necessary.)

Back to your search.  First off, the stats you are really looking for combines what you have already tried:

index=palo-network threat sourcetype="pan:threat" severity!=informational
| bucket _time span=1month
| eval Date=strftime('_time',"%Y-%m")
| stats values(severity) count by _time, action, severity

Now, you notice that the output is not in the format you wanted.  So, try to massage the output into the desired format - but only after getting the stats correct.  To do so, you can populate severity levels into a diagonal matrix. (This may not be the most efficient method, but it is the most visually clear.)

``` your base search above ```
| foreach low medium high critical
    [eval <<FIELD>> = if(severity == "<<FIELD>>", count, 0)]
| stats sum(critical) as critical sum(high) as high sum(medium) as medium sum(low) as low by Date action

Put them together,

index=palo-network threat sourcetype="pan:threat" severity!=informational
| bucket _time span=1month
| eval Date=strftime('_time',"%Y-%m")
| stats count by Date, action, severity
| foreach low medium high critical
    [eval <<FIELD>> = if(severity == "<<FIELD>>", count, 0)]
| stats sum(critical) as critical sum(high) as high sum(medium) as medium sum(low) as low by Date action

Hope this helps.

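The same month x action x severity pivot, written as an added Python example that is not part of the original thread and is neither Splunk's nor the answerer's code. It mirrors the answer's pipeline step by step (drop informational, bucket to a "%Y-%m" month, count by month/action/severity, then spread severity into fixed columns with 0 where a combination has no events). The input format is an assumption made for the example: constructed records of "receive_time,action,severity", not the real pan:threat field layout. One extra check is included that the SPL above does not have: a severity value outside the four expected ones raises instead of silently disappearing from the table.

```python
"""Month x action x severity pivot over constructed pan:threat-style records."""
from collections import Counter
from datetime import datetime

SEVERITIES = ("critical", "high", "medium", "low")

# Constructed sample data, not real PAN-OS output (assumed format:
# receive_time,action,severity). Two informational rows are included
# to show the severity!=informational filter taking effect.
SAMPLE_THREAT_LOG = """\
2022-11-03T10:00:00Z,allowed,critical
2022-11-04T11:30:00Z,allowed,high
2022-11-04T12:00:00Z,blocked,medium
2022-11-05T09:15:00Z,blocked,low
2022-11-05T09:16:00Z,blocked,informational
2022-11-05T09:17:00Z,blocked,low
2022-10-12T08:00:00Z,allowed,high
2022-10-20T22:45:00Z,blocked,critical
2022-10-21T01:05:00Z,blocked,critical
2022-10-21T01:06:00Z,allowed,informational
"""


def parse_threat_log(text):
    """Yield (month, action, severity); drop informational like severity!=informational.

    An unknown severity raises instead of vanishing: with a fixed column
    list, an unexpected value would otherwise undercount silently.
    """
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        ts, action, severity = line.split(",")
        if severity == "informational":
            continue
        if severity not in SEVERITIES:
            raise ValueError(f"line {lineno}: unexpected severity {severity!r}")
        # Equivalent of bucket _time span=1month followed by strftime("%Y-%m")
        month = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").strftime("%Y-%m")
        yield month, action, severity


def pivot_by_month_action(events):
    """Return rows {Month, action, critical, high, medium, low}, zero-filled.

    Equivalent of `stats count by Date, action, severity` followed by the
    per-severity sum in the answer; a (month, action, severity) combination
    with no events yields 0 rather than a blank cell.
    """
    counts = Counter(events)
    keys = {(month, action) for month, action, _ in counts}
    # newest month first (as in the mockup), actions alphabetical within a month;
    # sorted() is stable, so the inner sort survives the outer one
    ordered = sorted(sorted(keys, key=lambda k: k[1]), key=lambda k: k[0], reverse=True)
    rows = []
    for month, action in ordered:
        row = {"Month": month, "action": action}
        for sev in SEVERITIES:
            row[sev] = counts[(month, action, sev)]
        rows.append(row)
    return rows


def render_table(rows):
    """Tab-separated text in the column order the question asks for."""
    header = ("Month", "action", *SEVERITIES)
    lines = ["\t".join(header)]
    for row in rows:
        lines.append("\t".join(str(row[col]) for col in header))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_table(pivot_by_month_action(parse_threat_log(SAMPLE_THREAT_LOG))))
```

Running the script on the constructed sample prints four rows (2022-11 allowed/blocked, then 2022-10 allowed/blocked) with the two informational records excluded and every severity column present, zero where nothing matched.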