https://community.cisco.com/t5/network-security/need-help-with-a-rule-csmars/m-p/674032#M87244 <HTML><HEAD></HEAD><BODY><P>As you can see in the new graphic, the incident indicates that it matched the rule and is a GREEN level event.</P><P></P><P> </P><P></P></BODY></HTML> Fri, 16 Mar 2007 18:10:15 GMT mmorris11 2007-03-16T18:10:15Z https://community.cisco.com/t5/network-security/need-help-with-a-rule-csmars/m-p/674030#M87238 <P>I wrote a rule with the intent of it firing upon events originating only from public ip addresses AND only for yellow OR red severity levels. However this rule still fires on green severity events. Can any one see why from looking at the rule in the attached graphic?</P><P></P><P>Thank you,</P><P></P><P>Mike</P><P></P><P>P.S. Sorry about the double post. </P><P></P><P> </P><P></P> Sun, 10 Mar 2019 10:31:03 GMT https://community.cisco.com/t5/network-security/need-help-with-a-rule-csmars/m-p/674030#M87238 mmorris11 2019-03-10T10:31:03Z https://community.cisco.com/t5/network-security/need-help-with-a-rule-csmars/m-p/674031#M87240 <HTML><HEAD></HEAD><BODY><P>Can you paste a picture of the actual events in an incident? I believe green-level events can still be part of the incident, but you should still have at least 10 yellow or 1 red event also part of the incident.</P></BODY></HTML> Fri, 16 Mar 2007 16:46:38 GMT https://community.cisco.com/t5/network-security/need-help-with-a-rule-csmars/m-p/674031#M87240 mhellman 2007-03-16T16:46:38Z https://community.cisco.com/t5/network-security/need-help-with-a-rule-csmars/m-p/674032#M87244 <HTML><HEAD></HEAD><BODY><P>As you can see in the new graphic, the incident indicates that it matched the rule and is a GREEN level event.</P><P></P><P> </P><P></P></BODY></HTML> Fri, 16 Mar 2007 18:10:15 GMT https://community.cisco.com/t5/network-security/need-help-with-a-rule-csmars/m-p/674032#M87244 mmorris11 2007-03-16T18:10:15Z https://community.cisco.com/t5/network-security/need-help-with-a-rule-csmars/m-p/674033#M87247 <HTML><HEAD></HEAD><BODY><P>I found the problem. There was a red severity event wrapped up in the session that was not visible until drilling all the way down to it. Thanks for the ear.</P><P></P><P>-mike</P></BODY></HTML> Fri, 16 Mar 2007 18:18:20 GMT https://community.cisco.com/t5/network-security/need-help-with-a-rule-csmars/m-p/674033#M87247 mmorris11 2007-03-16T18:18:20Z