Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
703
Views
0
Helpful
6
Replies

Change severity events on mars

cprados2008
Level 1
Level 1

‎03-31-2009 06:42 AM

Hi all, i've a problem with mars...

i'm auditing a windows server with snare client.

i would like to change the green flag to red of a normaly event like "new process created"

and i don't know it .

somebody can help me?

Thanks.

Labels:
0 Helpful
6 Replies 6

Farrukh Haroon
VIP Alumni
VIP Alumni

‎04-02-2009 03:49 AM

I think you can modify the related 'Rule' in MARS from Green to Red (High severity). Everytime the incident is fired, you will see the pertaining rule at the top of the page (if you click on that particular incident ID). Just edit the rule' severity. Here is a sample incident (Host evasion rule RED severity):

http://www.cisco.com/warp/public/707/cisco-amb-20070905-csm-01b.gif

Regards

Farrukh

0 Helpful

cprados2008
Level 1
Level 1
In response to Farrukh Haroon

‎04-06-2009 07:10 AM

Thanks for answer, I try to do the same but the rule don't permit changes.

I think that the incident of the screenshot is a red rule, can you explain me how change it to green?.

Regards.

0 Helpful

Farrukh Haroon
VIP Alumni
VIP Alumni
In response to cprados2008

‎04-06-2009 10:24 AM

You have to do it from the Rules page and not the Incidents page. I just pasted that link to show the relation between Rules and Incidents.

Regards

Farrukh

0 Helpful

cprados2008
Level 1
Level 1
In response to Farrukh Haroon

‎04-07-2009 08:55 AM

Thanks for the early answer,

I can't follow you Farrukh.

In the drop rules if I change the severity to red

I don't understand that...

When i create a rule, It's for drop the traffic not for change severity in dashboard.

please can you explain me step by step?

sorry for de inconvenience

Regards

0 Helpful

Farrukh Haroon
VIP Alumni
VIP Alumni
In response to cprados2008

‎04-08-2009 05:12 AM

I did not understand your initial requirement clearly. What I proposed is not possible. I will find a better solution and get back to you.

Regards

Farrukh

0 Helpful

Shen.Chun
Level 1
Level 1

‎04-08-2009 07:25 PM

Dear

I noticed this problem too.

There are some relationship w/ Rule, Event ID severity.

We cannot just modify the Rule severity to be shown on the Incidents.

Because the Rule severity is meanful for "matching the Event ID severity".

When Rule Severity = Any ... it matches the severity what Event ID is triggerred with its respective severity.

Or

it matches the severity what Event ID is triggerred in an Event Group with its respective severity.

The hard is ... it's difficult to modify the default Event ID severity.

I'm still trying it out ...

FYI ~

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents