Recently tried to use the severity overrides functionality for a SIEM rule, but this doesn't seem to work as expected. While trying to find what's going wrong I'd like to point out several things:
When editing a duplicated SIEM rule, the severity and the risk score are reset every time to 'Low' and '50'. This is very annoying, as it has resulted several times in wrong configurations. The configured severity and risk score should be saved and preserved.
My goal was to lower the severity when DNS to the Internet is detected and the outgoing DNS attempt has been denied on one of our firewalls (panw).
But checking my latest alerts, it seems like the override did not take any effect.
- For some reason event.type has the value 'denied' twice, so there is probably some issue in the panw input / pipeline
Am I missing something? What should I add to be able to override a rule when the event has been denied?
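To reason about which events an override like the one described above would catch, here is an added, constructed example (not Elastic Security's code and not from the panw integration) that reimplements the matching semantics of a `severity_mapping`-style override as a small Python function. The rule shape (`field` / `operator` / `value` / `severity`), the event bodies and the "any element of an array-valued field matches" behaviour are all assumptions made for illustration; the point is to show that an `event.type` of `["denied", "denied"]` still matches `denied`, and that the duplicate can be collapsed before matching.

```python
"""Constructed illustration of a severity override evaluated against ECS-style
events. This is an added example for the discussion, not Elastic Security's
own code; the rule shape and matching semantics below are assumptions."""
from __future__ import annotations

from typing import Any

# Assumed rule: default severity, plus one override that lowers the severity
# when the firewall denied the outbound DNS attempt.
RULE = {
    "severity": "high",
    "risk_score": 73,
    "severity_mapping": [
        {"field": "event.type", "operator": "equals", "value": "denied", "severity": "low"},
    ],
}


def get_field(event: dict, dotted: str) -> list[Any]:
    """Resolve a dotted ECS path against a nested dict or a flat 'a.b' key.
    Always return a list so scalar and array-valued fields are treated alike."""
    if dotted in event:
        val = event[dotted]
    else:
        cur: Any = event
        for part in dotted.split("."):
            if not isinstance(cur, dict) or part not in cur:
                return []
            cur = cur[part]
        val = cur
    return val if isinstance(val, list) else [val]


def dedupe_values(values: list[Any]) -> list[Any]:
    """Collapse repeated values while keeping order, e.g. ['denied', 'denied']
    becomes ['denied']. Useful when an input/pipeline emits a value twice."""
    seen: set = set()
    out = []
    for v in values:
        if v not in seen:
            seen.add(v)
            out.append(v)
    return out


def override_severity(event: dict, rule: dict) -> str:
    """Return the severity the rule assigns to this event: the first matching
    mapping wins, otherwise the rule default. A mapping matches when any element
    of the (possibly array-valued) field equals the configured value."""
    for m in rule.get("severity_mapping", []):
        if m["operator"] != "equals":
            raise ValueError(f"unsupported operator {m['operator']!r}")
        values = dedupe_values(get_field(event, m["field"]))
        if any(str(v) == m["value"] for v in values):
            return m["severity"]
    return rule["severity"]


# Constructed sample events roughly in the shape of ECS-mapped firewall logs.
EVENTS = [
    {"name": "denied-dup", "event": {"category": ["network"], "type": ["denied", "denied"]}},
    {"name": "denied-flat", "event.type": "denied", "event.action": "deny"},
    {"name": "allowed", "event": {"category": ["network"], "type": ["allowed", "connection"]}},
    {"name": "no-type", "event": {"category": ["network"]}},
]


def evaluate_all(events: list[dict] = EVENTS, rule: dict = RULE) -> dict[str, str]:
    """Map each sample event name to the severity the rule would assign."""
    return {e["name"]: override_severity(e, rule) for e in events}


if __name__ == "__main__":
    for name, sev in evaluate_all().items():
        print(f"{name:12} -> {sev}")
```

Running the block prints one line per sample event; the two denied events come out as `low` and the others keep the rule default `high`. If a real override in your environment does not behave this way on the same data, comparing the event as stored in the index against the expected field path and value is the first thing to check.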