Example: Configuring a Modified Offense Rule Test

Use a modified offense rule test to fire a rule when any property of an offense (for example its magnitude, event count, or category list) changes because new events are associated with that offense. Because every contributing event modifies the offense, this test gives you fine control over how often and under which conditions the rule fires, and it is normally combined with a response limiter.

Procedure

  1. From the Network Activity tab or the Log Activity tab, click Rules to display the Rules page. Double-click an offense rule to open the Rule Wizard.
  2. From the Rule Test Stack Editor page, add a test to the offense rule.
    1. To filter the options in the Test Group list, type "modified" in the Type to filter field.
    2. From the Test Group list, select when an offense is modified.
    3. Optional: To make a test an excluded test, click the "and" that precedes the test in the Rule pane to toggle it to "and not". The rule then fires only when that condition is false.
    4. Click the underlined configurable parameters to customize the variables of the test.
    5. From the dialog box, select values for the variable, and then click Submit.
  3. To test the total of the selected accumulated property across all event or flow groups instead of each group on its own, clear the Test the [Selected Accumulated Property] value of each [group] separately checkbox.
  4. In the groups pane, enable the groups that you want to assign this rule to.
  5. In the Notes field, type any notes that you want to include for this rule, and then click Next.
  6. On the Rule Responses page, configure the responses that you want this rule to generate.
  7. Ensure that the Response Limiter checkbox is selected and use the list boxes to configure how often this rule can respond (for example, no more than once per interval per offense).
    Important: If many events contribute to the offense, use a response limiter. Every new event that contributes to the offense modifies it and therefore triggers this rule; without a limiter, each of those events produces the configured responses, which can flood mailboxes, syslog receivers, or the offense list.
  8. Click Next, and then click Finish.
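The following script is an added illustration of the behaviour the procedure above configures; it is not QRadar code and not part of the original page. It models an offense rule whose test stack is "when an offense is modified" AND NOT "offense magnitude is below 3" (the excluded test from step 2.3), runs it over a constructed stream of contributing events, and compares the number of responses with and without a response limiter. The Offense, Event, and ResponseLimiter classes, the "magnitude is below 3" test, the fixed-window limiter semantics, and all sample events are assumptions made for the example.

```python
"""Model of a 'when an offense is modified' rule with a response limiter.

Added example, not QRadar code. Offense/event fields, the excluded test and
the fixed-window limiter are simplifying assumptions for illustration.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass
class Offense:
    offense_id: int
    magnitude: int = 1            # assumed 1..10 scale
    event_count: int = 0
    categories: Set[str] = field(default_factory=set)


@dataclass
class Event:
    ts: float                     # seconds since start of the sample window
    offense_id: int
    category: str
    magnitude: int


def apply_event(off: Offense, ev: Event) -> bool:
    """Associate an event with an offense; return True if any property changed."""
    before = (off.magnitude, off.event_count, frozenset(off.categories))
    off.event_count += 1
    off.magnitude = max(off.magnitude, ev.magnitude)
    off.categories.add(ev.category)
    return before != (off.magnitude, off.event_count, frozenset(off.categories))


class ResponseLimiter:
    """Respond no more than max_responses times per window_s seconds per key.

    Assumption: a fixed window that starts at the first allowed response.
    """

    def __init__(self, max_responses: int, window_s: float) -> None:
        self.max_responses = max_responses
        self.window_s = window_s
        self._windows: Dict[int, Tuple[float, int]] = {}   # key -> (start, count)

    def allow(self, key: int, ts: float) -> bool:
        start, count = self._windows.get(key, (None, 0))
        if start is None or ts - start >= self.window_s:
            self._windows[key] = (ts, 1)                  # open a new window
            return True
        if count < self.max_responses:
            self._windows[key] = (start, count + 1)
            return True
        return False                                      # suppressed by limiter


@dataclass
class RuleTest:
    name: str
    predicate: Callable[[Offense, bool], bool]   # (offense, was_modified) -> bool
    negated: bool = False                        # True models the "and not" toggle


@dataclass
class OffenseRule:
    tests: List[RuleTest]
    limiter: Optional[ResponseLimiter] = None

    def matches(self, off: Offense, modified: bool) -> bool:
        # Every test must hold; a negated test must be false ("and not").
        return all(t.predicate(off, modified) != t.negated for t in self.tests)


def build_rule(limiter: Optional[ResponseLimiter]) -> OffenseRule:
    return OffenseRule(
        tests=[
            RuleTest("when an offense is modified", lambda off, mod: mod),
            # Excluded test (assumed): skip low-magnitude offenses.
            RuleTest("offense magnitude is below 3",
                     lambda off, mod: off.magnitude < 3, negated=True),
        ],
        limiter=limiter,
    )


def sample_events() -> List[Event]:
    """Constructed sample: 50 login failures feeding offense 1 every 12 s,
    plus three events for offense 2 whose magnitude rises on the third."""
    evs = [Event(12.0 * i, 1, "Authentication.Login Failure", 6) for i in range(50)]
    evs += [Event(100.0, 2, "Recon.Port Scan", 2),
            Event(200.0, 2, "Recon.Port Scan", 2),
            Event(250.0, 2, "Exploit.Buffer Overflow", 7)]
    return sorted(evs, key=lambda e: e.ts)


def simulate(limiter: Optional[ResponseLimiter]) -> List[Tuple[float, int]]:
    """Run the rule over the sample; return (ts, offense_id) of each response."""
    rule = build_rule(limiter)
    offenses: Dict[int, Offense] = {}
    responses: List[Tuple[float, int]] = []
    for ev in sample_events():
        off = offenses.setdefault(ev.offense_id, Offense(ev.offense_id))
        modified = apply_event(off, ev)
        if not rule.matches(off, modified):
            continue
        if rule.limiter is None or rule.limiter.allow(off.offense_id, ev.ts):
            responses.append((ev.ts, off.offense_id))
    return responses


if __name__ == "__main__":
    print("no limiter:", len(simulate(None)))                      # 51 responses
    print("1 per 300 s per offense:", len(simulate(ResponseLimiter(1, 300))))  # 3
```

Without a limiter the rule responds once per contributing event (51 times for 53 events; the two low-magnitude events for offense 2 are dropped by the excluded test). With "no more than 1 time per 5 minutes per offense" it responds three times in total: at 0 s and 300 s for offense 1 and once for offense 2 when its magnitude crosses the threshold.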