How is notable event urgency calculated?


Notable event urgency in Splunk Enterprise Security is a derived field used to rank notable events for triage. It is not set directly by the analyst or the search; it is looked up from two inputs: the severity configured on the correlation search that generated the notable, and the priority of the asset or identity the event involves.

When a correlation search matches, it attaches the severity configured for that search (for example informational, low, medium, high or critical); this expresses how serious the detected behaviour is on its own. Separately, the hosts and users referenced by the event are matched against the asset and identity lookups, which carry a priority field reflecting how important that system or account is to the organization. Splunk ES then combines the two through an urgency lookup table: a high-priority asset, such as a domain controller or a privileged account, raises the urgency of a notable whose severity is only medium, while the same detection against a low-priority host yields a lower urgency. An asset or identity that is missing from the lookups gets priority "unknown", which is why asset and identity list coverage has a direct effect on which notables analysts see first.

Combining severity with asset or identity priority gives a more useful ordering than severity alone: a noisy medium-severity rule firing against a critical server outranks the same rule firing against a test workstation. Because the combination is a lookup table rather than fixed logic, it can be tuned, and in practice maintaining accurate asset and identity priorities is a more effective lever than adjusting severities search by search. A quick check after deployment is to confirm that notables involving your most critical assets actually surface with elevated urgency; if they do not, the asset list, not the correlation search, is usually the gap.
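The following Python model, added here for illustration and not code from Splunk or from this page, shows the two-input lookup described above. The urgency matrix, the asset list and the notable events are all constructed for the example and are assumptions; the real mapping lives in an editable lookup inside Splunk ES and should be read from your own instance. The model also covers the edge cases a practitioner cares about: an asset missing from the asset list falls back to priority "unknown", and a notable carrying both a source and a destination uses the higher of the two priorities (also an assumption of this model).

```python
"""Illustrative model of Splunk ES notable-event urgency: severity x priority -> urgency.

Everything below (matrix values, asset list, sample notables) is constructed for the
example. It is not Splunk's own lookup data.
"""
from typing import Dict, Iterable, Optional

# Ordered from least to most important; index position is used for comparisons.
SEVERITIES = ["informational", "low", "medium", "high", "critical"]
PRIORITIES = ["unknown", "low", "medium", "high", "critical"]

# ASSUMED urgency matrix. Rows: severity from the correlation search.
# Columns: priority of the asset/identity. Values: resulting urgency.
URGENCY_MATRIX: Dict[str, Dict[str, str]] = {
    "informational": {"unknown": "informational", "low": "informational", "medium": "informational",
                      "high": "informational", "critical": "informational"},
    "low":           {"unknown": "low", "low": "low", "medium": "low",
                      "high": "medium", "critical": "medium"},
    "medium":        {"unknown": "low", "low": "low", "medium": "medium",
                      "high": "high", "critical": "high"},
    "high":          {"unknown": "medium", "low": "medium", "medium": "high",
                      "high": "high", "critical": "critical"},
    "critical":      {"unknown": "medium", "low": "medium", "medium": "high",
                      "high": "critical", "critical": "critical"},
}

# Constructed asset list (hypothetical hosts). Only hosts listed here carry a priority.
ASSET_PRIORITY: Dict[str, str] = {
    "10.0.5.20": "critical",  # domain controller
    "10.0.8.41": "medium",    # standard workstation
}


def asset_priority(host: Optional[str]) -> str:
    """Priority of a host from the asset list; anything not listed is 'unknown'."""
    if not host:
        return "unknown"
    return ASSET_PRIORITY.get(host, "unknown")


def highest_priority(hosts: Iterable[Optional[str]]) -> str:
    """Most important priority among several assets referenced by one notable.

    Assumption of this model: when a notable has both src and dest, the higher
    priority of the two drives urgency.
    """
    best = "unknown"
    for host in hosts:
        prio = asset_priority(host)
        if PRIORITIES.index(prio) > PRIORITIES.index(best):
            best = prio
    return best


def urgency(severity: str, priority: str) -> str:
    """Look up urgency from the (assumed) severity x priority matrix."""
    severity = severity.lower()
    priority = priority.lower()
    if severity not in URGENCY_MATRIX:
        raise ValueError(f"unknown severity: {severity}")
    if priority not in PRIORITIES:
        raise ValueError(f"unknown priority: {priority}")
    return URGENCY_MATRIX[severity][priority]


def notable_urgency(notable: Dict[str, str]) -> str:
    """Urgency for a notable event dict carrying 'severity' and optional 'src'/'dest'."""
    prio = highest_priority([notable.get("src"), notable.get("dest")])
    return urgency(notable.get("severity", "informational"), prio)


if __name__ == "__main__":
    # Constructed notables: the same medium-severity rule against different targets.
    samples = [
        {"rule": "Brute Force Access Behavior Detected", "severity": "medium",
         "src": "203.0.113.9", "dest": "10.0.5.20"},   # domain controller -> elevated
        {"rule": "Brute Force Access Behavior Detected", "severity": "medium",
         "src": "203.0.113.9", "dest": "10.0.8.41"},   # workstation -> medium
        {"rule": "Brute Force Access Behavior Detected", "severity": "medium",
         "src": "203.0.113.9", "dest": "10.0.9.99"},   # not in asset list -> deflated
    ]
    for n in samples:
        print(f"{n['rule']} dest={n['dest']} severity={n['severity']} -> urgency={notable_urgency(n)}")
```

The third sample is the case to watch for: an identical detection against a host that is absent from the asset list lands at a lower urgency than the one against the workstation, purely because its priority resolved to "unknown". In a real deployment that is the signature of an incomplete asset list, not of a less serious event.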
