Data Loss Prevention

I have a rule that I've got set up to set different severity levels based on match count.  1-10 is low, 10-100 is medium, 101+ is high.  I've uploaded the image from the console that shows this:

Since this was set up, I've noticed that the severity will always be set to High for incidents matching this rule.  Let's say I'm looking at an incident with 1 match, I will go into the history and see the severity set twice after detection, first it will be set to low, then to high. 

Under history, I'll see the events:

1: Detected

2: Severity Changed : Low

3: Severity Changed : High

When I go change the default level, entry 3 will be whatever I set the default severity to.  Is there a way to remove the default severity level? Or a way to make it so that it only sets the severity once?

Hello,

 I think the highest severity will be set by DLP between rules and default one.

Set your default one to info, if you need to add some other rule to define it.

If it does not work, let us know , Which DLP version are you using ?

 Regards

Using 12.5.2

So you're saying set the default to info, and leave the rest?

This will mark each incident as info, no matter the match count. For example, if there is an incident with a match count of 42, it will mark it as Medium first, then info.  The incident history will read : 

1. Detected

2. Severity Changed : Medium

3. Severity Changed : Info

Poly..

I think you have a misunderstabding of how the severity works.

Default = is the initial value of the incident

You then then added severities based on amount of matches.

If you want severity of low = 1-9, medium = 10-100 high=101

Here is what you do...

Default = Low

Medium = Greater than or equal to 10

High = Greater than 101

Good Luck

Ronak

Please marked as solved when possible