Add note for dynamic severity (#5968)

jpipkin1 · web-flow · commit 92e0370fc598 · 2025-10-29T14:52:28.000Z
diff --git a/docs/cse/rules/write-aggregation-rule.md b/docs/cse/rules/write-aggregation-rule.md
@@ -7,6 +7,7 @@ description: Learn how to write an aggregation rule.
 
 import useBaseUrl from '@docusaurus/useBaseUrl';
 import CseRule from '../../reuse/cse-rule-description-links.md';
+import CseDynamicSeverity from '../../reuse/cse-dynamic-severity.md';
 import Iframe from 'react-iframe';
 
 This topic has information about Cloud SIEM aggregation rules and how to write them.
@@ -107,6 +108,7 @@ On the right side of the Rules Editor, in the **Then Create a Signal** section,
    1. The severity area updates. 
    1. **severity of**. Use the pulldown to select a default severity value.
    1. **for the record field**. Use the down arrows to display a list of fields, and select one.  The dynamic severity will be based on the value of (or existence of) that field in the record that matched the rule expression.
+      <CseDynamicSeverity/>
    1. The **Add More Mappings** option appears. <br/><img src={useBaseUrl('img/cse/add-more-mappings.png')} alt="Add More Mappings option" style={{border: '1px solid gray'}} width="450"/>
    1. **Click Add More Mappings**. (Optional) You can define additional mappings if desired. If you don’t, the severity value will be the value of the record field you selected above.
    1. The **if the value is** option appears.<br/><img src={useBaseUrl('img/cse/if-the-value-is.png')} alt="If the Value Is option" style={{border: '1px solid gray'}} width="450"/>
diff --git a/docs/cse/rules/write-match-rule.md b/docs/cse/rules/write-match-rule.md
@@ -7,6 +7,7 @@ description: Learn how to write a match rule.
 
 import useBaseUrl from '@docusaurus/useBaseUrl';
 import CseRule from '../../reuse/cse-rule-description-links.md';
+import CseDynamicSeverity from '../../reuse/cse-dynamic-severity.md';
 import Iframe from 'react-iframe'; 
 
 This topic has information about match rules and how to create them in the Cloud SIEM UI.
@@ -87,6 +88,7 @@ Watch this micro lesson to learn how to create a match rule.
    1. The severity area updates. 
    1. **severity of**. Use the pulldown to select a default severity value.
    1. **for the record field**. Use the down arrows to display a list of fields, and select one.  The dynamic severity will be based on the value of (or existence of) that field in the record that matched the rule expression.
+      <CseDynamicSeverity/>
    1. The **Add More Mappings** option appears. <br/><img src={useBaseUrl('img/cse/add-more-mappings.png')} alt="Add More Mappings option" style={{border: '1px solid gray'}} width="300"/>
    1. Click **Add More Mappings**. (Optional) You can define additional mappings if desired. If you don’t, the severity value will be the value of the record field you selected above.
    1. The **if the value is** option appears.<br/><img src={useBaseUrl('img/cse/if-the-value-is.png')} alt="If the Value is Option.png" style={{border: '1px solid gray'}} width="300"/>
diff --git a/docs/reuse/cse-dynamic-severity.md b/docs/reuse/cse-dynamic-severity.md
@@ -0,0 +1,3 @@
+:::note
+When configuring dynamic severity, you must select a record field that is numeric. If you select a non-numeric field, severity does not return a numeric value, and no signal fires.
+:::

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+:::note`
	`2`	`+When configuring dynamic severity, you must select a record field that is numeric. If you select a non-numeric field, severity does not return a numeric value, and no signal fires.`
	`3`	`+:::`