How is the urgency of a notable event calculated in Splunk ES?

Prepare for the Splunk Certified Enterprise Security Administrator Exam with our comprehensive practice quizzes. Test your knowledge with flashcards and multiple-choice questions, complete with detailed explanations and hints. Ensure success on your Splunk exam!

In Splunk ES, the urgency of a notable event is calculated from the severity set by the correlation search that created it, combined with the priority of the asset or identity the event involves. Each correlation search is written to detect a specific pattern or anomaly in the data and assigns a severity (informational, low, medium, high or critical) to the notable events it generates. ES then combines that severity with the asset or identity priority (taken from the asset and identity lookups; an asset that is not in the lookup gets an unknown priority) through the urgency lookup, which maps each priority/severity pair to an urgency level. The severity is the input the content author controls, and it is the one that most directly drives how urgent the event appears in the incident response workflow.

By tuning severity on their correlation searches, security teams can make sure the most critical events, those that may pose an immediate threat, rise to the top of the Incident Review queue, which improves resource allocation and reaction time to incidents.

Factors such as the age of the event, its relevance, its impact on users, and its timing can provide valuable context for an analyst, but they are not inputs to the urgency calculation in Splunk ES. They may inform triage or contribute to broader situational awareness, but they do not replace the severity set by the correlation search (or the asset/identity priority it is combined with). The one manual override is that an analyst can change the urgency of an existing notable event from Incident Review; that edits the field on the notable, it does not change how urgency is computed for the next event the search produces.
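The following Python is an added example, not code from Splunk or from the quiz page, that mirrors how ES derives urgency: severity from the correlation search plus asset priority from the asset lookup, joined through a priority/severity/urgency table in the shape of urgency.csv. The table values and the sample assets and notables below are constructed for illustration and are assumptions; check the urgency.csv shipped with your ES installation for the real mapping. It also shows the edge case the page alludes to: an event whose asset is not in the asset lookup falls back to an unknown priority.

```python
import csv
import io

SEVERITIES = ("informational", "low", "medium", "high", "critical")
PRIORITIES = ("unknown", "low", "medium", "high", "critical")

# Constructed lookup in the shape of urgency.csv (priority, severity -> urgency).
# ASSUMPTION: these values are illustrative, not Splunk's shipped table.
URGENCY_CSV = """priority,severity,urgency
unknown,informational,informational
unknown,low,low
unknown,medium,low
unknown,high,medium
unknown,critical,high
low,informational,informational
low,low,low
low,medium,medium
low,high,high
low,critical,critical
medium,informational,informational
medium,low,low
medium,medium,medium
medium,high,high
medium,critical,critical
high,informational,low
high,low,medium
high,medium,high
high,high,critical
high,critical,critical
critical,informational,low
critical,low,medium
critical,medium,high
critical,high,critical
critical,critical,critical
"""


def load_urgency_table(csv_text):
    """Parse a priority,severity,urgency CSV into a dict keyed by (priority, severity).

    Fails loudly if any combination is missing, since a gap in the real
    urgency.csv means some notables would get no urgency at all.
    """
    table = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = (row["priority"].strip().lower(), row["severity"].strip().lower())
        table[key] = row["urgency"].strip().lower()
    missing = [(p, s) for p in PRIORITIES for s in SEVERITIES if (p, s) not in table]
    if missing:
        raise ValueError(f"urgency table is missing combinations: {missing}")
    return table


def compute_urgency(table, severity, priority):
    """Join correlation-search severity with asset/identity priority.

    An absent or unrecognised priority is treated as 'unknown', which is how
    an asset that is not in the asset lookup ends up being scored.
    """
    sev = (severity or "").strip().lower()
    if sev not in SEVERITIES:
        raise ValueError(f"unrecognised severity {severity!r}")
    pri = (priority or "unknown").strip().lower()
    if pri not in PRIORITIES:
        pri = "unknown"
    return table[(pri, sev)]


def assign_urgency(notables, assets, table):
    """Enrich each notable with the priority of its dest asset and the resulting urgency.

    ASSUMPTION: only the dest field is matched against the asset lookup; ES
    also considers src and identity fields when it enriches a notable.
    """
    enriched = []
    for event in notables:
        priority = assets.get(event.get("dest", ""), "unknown")
        row = dict(event)
        row["priority"] = priority
        row["urgency"] = compute_urgency(table, event["severity"], priority)
        enriched.append(row)
    return enriched


# Constructed asset lookup (host -> priority) and constructed notable events.
SAMPLE_ASSETS = {"dc01": "critical", "lab-vm-7": "low", "hr-db": "high"}
SAMPLE_NOTABLES = [
    {"rule_name": "Example - Excessive Failed Logins", "severity": "high", "dest": "dc01"},
    {"rule_name": "Example - Excessive Failed Logins", "severity": "high", "dest": "lab-vm-7"},
    {"rule_name": "Example - Malware Callback", "severity": "critical", "dest": "10.9.9.9"},
    {"rule_name": "Example - New Local Admin", "severity": "medium", "dest": "hr-db"},
]

if __name__ == "__main__":
    urgency_table = load_urgency_table(URGENCY_CSV)
    for row in assign_urgency(SAMPLE_NOTABLES, SAMPLE_ASSETS, urgency_table):
        print(f'{row["dest"]:10} severity={row["severity"]:8} '
              f'priority={row["priority"]:8} -> urgency={row["urgency"]}')
```

The point to notice is the third event: the same correlation search severity (critical) yields a lower urgency than on dc01 because 10.9.9.9 is not in the asset lookup, so its priority is unknown. In a real deployment that is a signal to fix asset coverage, not to raise the search's severity.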
