We have configured the SmartEvent server with the log exporter object and it is sending the data to QRadar. The format is LEEF as expected, and inside the default LeefFieldsMapping.xml we see <field><origName><severity</origname>, which would replace the value with 0-10; however, inside the data capture we don't find any severity field.
Is this not being sent by default, and how can we include this for the LEEF log exporter to QRadar?
Note: in SmartConsole we do see the correlated event with the proper severity, and we also located the event (without severity) in the packet capture sent to QRadar.
I would suggest contacting TAC to get this working!
<field><origName><severity</origname> looks like a typo?
Maybe add in a > at the end of severity?
The default XML includes this, so I would assume that it would include severity, but we cannot locate that inside the pcap data. Also, in general SmartEvent's correlated events are being sent in LEEF but nothing is actually being "received" on the QRadar side, which is under review by this vendor. The SMS is already working fine out of the box. At this moment I am focusing on this severity field, which needs to be included, and yes, of course I could open a TAC case for this.
I also left a note here
https://community.checkpoint.com/t5/Management/Log-Exporter-LEEF-Field-Mappings/td-p/48905
```xml
<field>
  <origName>severity</origName>
  <dstName>sev</dstName>
  <callback>
    <name>replace_value</name>
    <args>
      <arg key="default" value="0"/>
      <arg key="0" value="0"/>
      <arg key="1" value="2"/>
      <arg key="2" value="5"/>
      <arg key="3" value="8"/>
      <arg key="4" value="10"/>
    </args>
  </callback>
</field>
```
That was probably my typo, sorry. I mean the one in this article; see below for the correct XML content, which is not working.
Suggest a TAC case: https://help.checkpoint.com
We got an answer from the supplier (QRadar), and they say that the correlated events are sent to QRadar with Product Name VPN-1 Power/UTM, whereas they would expect it to be VPN-1 Firewall-1 (which does work). Going to share these details with TAC; probably some fix is needed in the code for it to integrate correctly.
In the dump I see it is formatted like this: LEEF:2.0|Check Point|VPN-1 & FireWall-1| and this is not parsed on the QRadar side.
I suggest contacting QRadar to resolve this issue, as we are providing the data to them in the correct format.
Yes, you are right; events are filtered on their side as well to prevent it from overloading. What we want is to only send the SmartEvent correlated events to the syslog server, and now we are looking into a way to implement automatic reactions with an external script. Will open another question about that to define this script with the logger action.
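As an added illustration (not code from this thread, from Check Point or from IBM), a small Python LEEF 1.0/2.0 parser that applies the same severity replace_value mapping as the XML snippet above and compares the Product header field (the `VPN-1 & FireWall-1` value seen in the dump) against whatever string the receiving side expects. The sample record, its product version, event id and attributes are constructed; the handling of the optional LEEF 2.0 delimiter field is an assumption about the format.

```python
import re

# Same mapping as the replace_value <args> in the LeefFieldsMapping.xml snippet:
# Check Point severity 0-4 -> QRadar 0-10 scale, anything else -> default "0".
SEVERITY_MAP = {"0": "0", "1": "2", "2": "5", "3": "8", "4": "10"}
SEVERITY_DEFAULT = "0"

# Constructed sample record: only "LEEF:2.0|Check Point|VPN-1 & FireWall-1|" comes
# from the thread's dump; product version, event id and attributes are made up.
SAMPLE = ("LEEF:2.0|Check Point|VPN-1 & FireWall-1|R81|Correlated Event|x09|"
          "severity=3\tsev=8\tsrc=10.0.0.5\tdst=198.51.100.7\tcat=Port Scan")

def _delimiter(spec: str) -> str:
    """LEEF 2.0 delimiter field: empty = tab, x09/0x09 = hex char code, else literal."""
    if spec == "":
        return "\t"
    if re.fullmatch(r"(?:0x|x)[0-9a-fA-F]{1,2}", spec):
        return chr(int(spec.split("x", 1)[1], 16))
    return spec

def parse_leef(line: str) -> dict:
    """Split a LEEF 1.0/2.0 line into header fields and a dict of key=value attributes."""
    if not line.startswith("LEEF:"):
        raise ValueError("not a LEEF record")
    parts = line.split("|", 5)  # version, vendor, product, product version, event id, rest
    if len(parts) < 6:
        raise ValueError("truncated LEEF header")
    header = {"version": parts[0][5:], "vendor": parts[1], "product": parts[2],
              "product_version": parts[3], "event_id": parts[4]}
    rest, delim = parts[5], "\t"
    if header["version"].startswith("2"):
        # Assumption: the optional delimiter field is a short token without '='.
        cand, sep, tail = rest.partition("|")
        if sep and "=" not in cand and len(cand) <= 4:
            rest, delim = tail, _delimiter(cand)
    attrs: dict = {}
    for chunk in rest.split(delim):
        key, eq, value = chunk.partition("=")
        if eq:
            attrs[key] = value
    return {"header": header, "attrs": attrs}

def map_severity(attrs: dict) -> str:
    """Apply the replace_value callback; a missing or unknown severity gets the default."""
    return SEVERITY_MAP.get(attrs.get("severity", ""), SEVERITY_DEFAULT)

def check_product(parsed: dict, expected: str):
    """Flag the Product header mismatch from the thread; None means it matches."""
    got = parsed["header"]["product"]
    return None if got == expected else f"Product header {got!r} != expected {expected!r}"
```

Run `check_product(parse_leef(SAMPLE), "VPN-1 Firewall-1")` to see the kind of mismatch message the thread describes; a matching product string returns None.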