You are here: Docs>Sheriff Web>UserGuides>SheriffCSMDocumentation>UserGuide>EventCorrelation>TutorialCreateANewDirectiveToDetectDoSAttack>Task4AddALevel3RuleToDetectTheSameEventWith1000Occurrences (29 May 2021, SheriffCyberSecurity)Edit Attach
Up
Previous Next

Task 4: Add a Level 3 Rule to Detect the Same Event with 1000 Occurrences

This task is a repeat of Task 3. You can repeat this task as many times as necessary. In this example, we want to add another rule (level 3) to detect the same event as in the previous rule but with 1000 occurrences.

To add the level 3 rule

  1. Click the green plus (+) sign at the right side of the second rule, under the Action heading.

    The New Rule window displays.

  2. Follow step 2 to 7 in Task 3.

  3. In the Occurrence column, click "1" in the third rule, type "1000", and then click OK.

    The directive looks similar to this one

    New Rule window for adding monitor type plugin.

Edit  | Attach | Print version | History: r5 < r4 < r3 < r2 | Backlinks | View wiki text | Edit wiki text | More topic actions
Topic revision: r5 - 29 May 2021, SheriffCyberSecurity
Copyright 2020 Sheriff Cyber Security, LLC. All rights reserved.