Need help with a rule (CSMARS)..

Unanswered Question
Mar 16th, 2007
User Badges:
  • Silver, 250 points or more

I wrote a rule with the intent of it firing upon events originating only from public ip addresses AND only for yellow OR red severity levels. However this rule still fires on green severity events. Can any one see why from looking at the rule in the attached graphic?

Thank you,


P.S. Sorry about the double post.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 3 (1 ratings)
mhellman Fri, 03/16/2007 - 09:46
User Badges:
  • Blue, 1500 points or more

Can you paste a picture of the actual events in an incident? I believe green-level events can still be part of the incident, but you should still have at least 10 yellow or 1 red event also part of the incident.

mmorris11 Fri, 03/16/2007 - 11:10
User Badges:
  • Silver, 250 points or more

As you can see in the new graphic, the incident indicates that it matched the rule and is a GREEN level event.

mmorris11 Fri, 03/16/2007 - 11:18
User Badges:
  • Silver, 250 points or more

I found the problem. There was a red severity event wrapped up in the session that was not visible until drilling all the way down to it. Thanks for the ear.



This Discussion