This is what I have to trap events with the severity levels higher than 4. Pretty simple. But then you have to realize what information is being pulled into LEM in your case. I have some firewalls reporting to it and those have different severity levels of their own that do not match the levels assigned to them by LEM.
In many cases you can be very specific about the events you want to be informed based on their severity levels, if LEM allows that event's severity information to be used in the condition for a rule\filter.
