
LEM Event Severity Filter


I'm looking to grab individualized severity levels in a filter. Anyone know a way to go about this intelligently?

Ideally I'd have a user-generated filter group that says "Severity" then underneath of it I would have a filter for Level 0, Level 1, Level 2, etc. (I'll be more concerned with Level 6 & 7 since apparently I'm moonlighting as a Security guy these days too - who knew?!)

OR do I need to add all Event Types and specify the Severity Field = 0 etc. and make a giant monster filter? Anyone even try this or have I gone off the deep end of the LEM diving board?

Thanks!

1 Solution

This is what I have to trap events with the severity levels higher than 4. Pretty simple. But then you have to realize what information is being pulled into LEM in your case. I have some firewalls reporting to it and those have different severity levels of their own that do not match the levels assigned to them by LEM.

In many cases you can be very specific about the events you want to be informed about, based on their severity levels, if LEM allows that event's severity information to be used in the condition for a rule\filter.

[Attached image: severety levels.JPG]


2 Replies

Winner Winner (Food of choice that you get yourself) Dinner! Thanks! That's pretty sweet.
