Thanks for your reply, John.
Yes, I looked at the thread you provided earlier, but in that case there is only one single urgency, whereas in this case I have to work with conditions to define 2 levels of urgency based on the conditions I provided in the above query.
I guess my correlation search is working with the below criteria as per the matrix:
If asset priority is unknown or low and event severity is high, the event urgency is medium.
If asset priority is unknown or low and event severity is critical, the event urgency is high.
As suggested, I was looking into the logs but didn't find any priority related to the asset or identity, so I am considering it as unknown, which is the default one.
But again, the document itself says that "Severity defined in the search syntax takes precedence over the severity defined in the notable event adaptive response action."
So I guess if I am specifying some conditions in my search itself, then it should not go to the urgency matrix further. Please correct me if I am wrong.
I am running this query on CrowdStrike data against endpoints to get malware details.
Thanks in Advance
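A constructed model of the evaluation order discussed in this post, added here as an example and not Splunk's own code: the quoted documentation sentence decides which severity value is used (the one set in the search wins over the adaptive response action's setting), and the urgency matrix then maps that severity together with the asset priority (defaulting to unknown when the asset is not in the asset list) to an urgency. The field names `severity` and `dest_priority`, the sample rows, and the default action severity are assumptions; only the two matrix rows stated in the post are encoded, the rest is a placeholder to fill from your own ES configuration.

```python
"""Constructed model of notable-event urgency derivation (added example).

Two rules are modelled:
  * severity present in the correlation search result (set with eval in SPL)
    takes precedence over the severity configured on the notable action;
  * urgency is then read from the urgency matrix using that severity and the
    asset priority, where a missing asset priority is treated as "unknown".
"""
from typing import Optional

# Matrix rows quoted in the thread: (asset_priority, severity) -> urgency.
# Assumption: "unknown" and "low" asset priority behave identically, as stated.
URGENCY_MATRIX = {
    ("unknown", "high"): "medium",
    ("low", "high"): "medium",
    ("unknown", "critical"): "high",
    ("low", "critical"): "high",
    # PLACEHOLDER: remaining (priority, severity) pairs come from your ES instance
}


def effective_severity(search_severity: Optional[str], action_severity: str) -> str:
    """Severity carried in the search result wins; the action value is only a default."""
    if search_severity:
        return search_severity.lower()
    return action_severity.lower()


def compute_urgency(event: dict, action_severity: str = "medium") -> Optional[str]:
    """Return the urgency for one correlation-search result row.

    `event` is a constructed result row. `severity` is whatever the SPL set and
    `dest_priority` (assumed field name) is the asset-lookup priority, absent
    when the endpoint is not in the asset list.
    """
    severity = effective_severity(event.get("severity"), action_severity)
    priority = (event.get("dest_priority") or "unknown").lower()
    # None means the pair is not one of the rows modelled here.
    return URGENCY_MATRIX.get((priority, severity))


if __name__ == "__main__":
    # Constructed sample results for endpoints that are not in the asset list.
    rows = [
        {"dest": "host-a", "severity": "high"},      # matrix row 1 -> medium
        {"dest": "host-b", "severity": "critical"},  # matrix row 2 -> high
        {"dest": "host-c"},                           # no search severity -> action default
    ]
    for row in rows:
        print(row["dest"], "->", compute_urgency(row, action_severity="high"))
```

Running the block prints `medium`, `high` and `medium` for the three constructed rows: the third row has no severity from the search, so the action's default of `high` applies and the matrix still yields `medium` for an unknown-priority asset.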