Hi, I was wondering if anyone else ran into this problem or if you could point out what I'm doing wrong.
I've been building some policies in my test system, and am building the policy with the following severity levels:
Default: "Info"
Set Severity: "High" - When Match Count: "Is Greater Than or Equals" - "100" matches
Set Severity: "Medium" - When Match Count: "Is Is Between" - "50" to "99" matches
Set Severity: "Low" - When Match Count: "Is Is Between" - "10" to "24" matches
There is a response rule in place to log to a syslog server regardless of classification level.
Symptom: Incidents are generated, but even if the incidents have only two or three hits they are marked as "High".
Any advice on where things are misconfigured?