3 Replies Latest reply on Sep 30, 2011 5:07 PM by petersimmons

How to view only events rated as a "Medium" level signature

We're in the process of tuning our HIPS policies for "Medium" level blocking, and are currently just logging for "Medium" events.

So with several weeks now of "medium" level logging on several hundred servers and workstations, I should be seeing some "medium" events in the event logs, but I seem to only be seeing the events from the "High" level signatures.

When running a query on the event logs, there only seems to be an option to search for "Threat Severity" with options of "critical", "warning", "emergency", etc., but not for "High", "Medium", or "Low". (The query I run to view "High" signatures looks for "Threat Severity" 'critical'.)

So then how do you query for HIPS events that are specifically rated "Medium" and exclude "High" or "Low" events?

Thanks

PG