Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
548
Views
4
Helpful
2
Replies

How to notify only red incidents.

andrea.meconi
Level 2
Level 2

‎12-14-2008 02:39 AM

Hello.

There is a way to notify only the red incidents by mail?

Thanks.

Andrea.

Labels:
0 Helpful
2 Replies 2

amritpatek
Level 6
Level 6

‎12-19-2008 07:25 AM

Here is how you set a filter so only red incidents will show in your query:

In the Query/Reports page, you will see a shaded 'Query Type' area where you can define the criteria for your query. There are several columns here. The 4th column is called 'Events' and should have the word 'Any' under it. Click the word 'Any' in the 'Events' column to change it.

In the page that follows, you will see a field labeled 'Restrict to Severity'. Change this to 'RED' and hit 'Apply'. You can define what specific red events to show on this page, or you can change other query criteria to further filter your results.

richardackroyd
Level 1
Level 1
In response to amritpatek

‎04-02-2009 08:31 AM

Unfortunately that doesnt work. That will alert you on a Red event, not Red Incidents.

Unfortunately, this is an absolutely MASSIVE flaw in Cisco MARS. There are some hacks relating to duplication of rules but they can cause more problems of their own.

You will need to bug Cisco for this functionality I think.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents