diff --git a/cyences_app_for_splunk/default/savedsearches.conf b/cyences_app_for_splunk/default/savedsearches.conf
index a2ec8433..48261a94 100644
--- a/cyences_app_for_splunk/default/savedsearches.conf
+++ b/cyences_app_for_splunk/default/savedsearches.conf
@@ -1372,7 +1372,7 @@ request.ui_dispatch_view = search
 search = index=* ( (tag=network tag=communicate) OR sourcetype=pan*traffic OR sourcetype=opsec OR sourcetype=cisco:asa) `cs_scanning_basic_scanning_raw_filter` \
 | stats dc(dest_port) as num_dest_port dc(dest_ip) as num_dest_ip by sourcetype, src_ip \
 | where num_dest_port > 100 OR num_dest_ip > 1500 \
-| eval cyences_severity = case(num_dest_port>1000 or num_dest_ip>10000, "critical", num_dest_port>500 or num_dest_ip>3000, "high", true(), "medium") \
+| eval cyences_severity = case(num_dest_port>10000 or num_dest_ip>100000, "critical", num_dest_port>5000 or num_dest_ip>30000, "high", true(), "medium") \
 | `cs_scanning_basic_scanning_filter`
 action.cyences_notable_event_action = 1
 action.cyences_notable_event_action.param.filter_macro_name = cs_scanning_basic_scanning_filter
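Review bot: The "high" and "critical" cut-offs in the `eval cyences_severity` line are raised tenfold, but the `where num_dest_port > 100 OR num_dest_ip > 1500` entry threshold on the line above is unchanged, so the "medium" band now spans 101–5000 distinct ports (was 101–500) and 1501–30000 distinct IPs (was 1501–3000); if that widening is intended, say so, otherwise the `where` line probably wants the same scaling. These counts are per search window, and the stanza's `dispatch.earliest_time`/`latest_time` (outside this hunk) is what gives them meaning, so a comment such as `# severity tiers assume the default lookback window; re-tune if dispatch.earliest_time changes` next to the `search =` key would help the next person tuning the detection. Since the stanza already routes suppression through the `cs_scanning_basic_scanning_filter` macro, the four numeric thresholds would be easier to tune per deployment as a macro too, rather than as literals inside the `case()` expression; I'd hedge on that as a follow-up rather than a blocker for this commit.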