You can apply a modified offense rule test when any offense property is changed based on
the events that are associated with that offense. Modified rule tests allow for better configuration
of how and when rules are implemented.
Procedure
- From the Network Activity tab or the Log Activity tab, click Rules to display the Rules page.
- Double-click an offense rule to open the Rule Wizard.
- From the Rule Test Stack Editor page, add a test to the offense rule.
- To filter the options in the Test Group list, type "modified" in the Type to filter field.
- From the Test Group list, select when an offense is modified.
- Optional: To identify a test as an excluded test, click "and" at the beginning of the test in the Rule pane to toggle the display to "and not".
- Click the underlined configurable parameters to customize the variables of the test.
- From the dialog box, select values for the variable, and then click Submit.
- To test the total selected accumulated properties for each event or flow group, disable Test the [Selected Accumulated Property] value of each [group] separately.
- In the groups pane, enable the groups that you want to assign this rule to.
- In the Notes field, type any notes that you want to include for this rule, and then click Next.
- On the Rule Responses page, configure the responses that you want this rule to generate.
- Ensure the Response Limiter checkbox is selected and use the list boxes to configure how frequently you want this rule to respond.
  Important: If many events are contributing to the offense, use a response limiter. Any new event that contributes to an offense triggers the rule.
- Click Next, and then click Finish.