Detection known issue
A policy that specifies a different Severity level based upon the number of incident matches may generate an Endpoint incident with an incorrect Severity level.
For example, a policy is created with the following Severity settings:
Default Severity = Info.
Severity = High, if (# of matches) > = 20.
Severity = Medium, if 10 < (# of matches) <20.
Severity = Low, if (# of matches) < = 10.
The resulting incidents do not contain Severity levels that match the Severity settings.