Views:

If there are multiple LI rules with similar sort order that match to a single log, Deep Security will follow the LogInspectionRule ID. The LI rule with the lower LogInspectionRule ID will be chosen.

Note that the LogInspectionRule ID is different from the Rule ID in the customized rule properties. The LogInspectionRule ID is the rule's ID in the database, which you can view in the exported XML of a rule.

Export a rule to XML file to view its LogInspectionRule ID

For example, if you created three (3) custom rules with same content, their LogInspectionRule ID will still be different because of their creation sequence. Below are the sample rules (2, 3, and 3-new). Given the scenario that all these three rules simultaneously exist, the events will always hit the Rule 2.

Rule 2

Rule 2

Rule 3

Rule 3

Rule 3-new

Rule 3-new

Keywords: defining sort order,SortOrder inspection rules,configure sortorder,specify sequence of log rules,sorting log inspect rules,setting which rules to implement first,applying rules in particular order,prioritizing log inspection rule