Asset or identity risk and severity found by the correlation search.
D.
Severity set by the correlation search and priority assigned to the associated asset or identity.
The Answer Is:
D
Explanation:
Notable event urgency is calculated by combining the severity set by the correlation search and the priority assigned to the associated asset or identity. The severity is a value that indicates the impact or importance of the event, such as low, medium, high, or critical. The priority is a value that indicates the significance or sensitivity of the asset or identity involved in the event, such as unknown, low, medium, high, or critical. The urgency is a value that indicates the level of attention or action required for the event, such as informational, low, medium, high, or critical. The urgency is determined by using the urgency_lookup, which maps the severity and priority values to the urgency values. For example, if the severity is high and the priority is medium, the urgency is high. If the severity is critical and the priority is critical, the urgency is critical. You can use the urgency field to prioritize the investigation of notable events in Splunk Enterprise Security [1].
References:
[1] How urgency is assigned to notable events in Splunk Enterprise Security