Need help with a rule (CSMARS)..

Unanswered Question
Mar 16th, 2007

I wrote a rule with the intent of it firing upon events originating only from public ip addresses AND only for yellow OR red severity levels. However this rule still fires on green severity events. Can any one see why from looking at the rule in the attached graphic?

Thank you,


P.S. Sorry about the double post.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 3 (1 ratings)
mhellman Fri, 03/16/2007 - 09:46

Can you paste a picture of the actual events in an incident? I believe green-level events can still be part of the incident, but you should still have at least 10 yellow or 1 red event also part of the incident.

mmorris11 Fri, 03/16/2007 - 11:18

I found the problem. There was a red severity event wrapped up in the session that was not visible until drilling all the way down to it. Thanks for the ear.



This Discussion