
Need to list all the Rules with Severity=RED

dec0dernyc
Level 1

Hi:

How can I list all the Rules with a severity of RED? I have clicked on RULES, then scrolled down to the bottom of the page and set 1,000 per page. I want to see all the red rules but cannot see the RED rules only.

How can I do this?

Thanks in advance.

1 Reply

Dustin Ralich
Cisco Employee

Inspection Rules themselves do not have a Severity (color)... the Severity specification for each offset of an Inspection Rule is used to govern what matches the offset (i.e. if set to "RED", only RED Events can match that particular offset). This is more apparent with multi-offset Rules (where one offset's Severity is RED, another is YELLOW, etc., all under a single Inspection Rule).

When an Inspection Rule fires (is triggered), the highest Severity of all the Events that contributed to it firing is used for the resultant Incident that is generated. Again, the Inspection Rules themselves do not have a Severity.

If you want to view only RED Incidents, you can filter from the MARS GUI > INCIDENTS page by changing the "All Severities" drop-down selector.

If you want to see all Inspection Rules that have an offset that specifically matches on RED events, then from the MARS GUI > RULES > Inspection Rules page, change the "25 per page" drop-down selector to a large enough value to display all your Rules on one page, then use your web browser's Find feature (usually Ctrl+F) and search for "RED", "YELLOW", "GREEN", etc. This may of course match on other words that include RED ("credit" for example), but is the closest option for what you are looking for.