Identify how the Log Inspection (LI) rule is chosen if there are multiple rules with the same sort order that match a single log.
If there are multiple LI rules with similar sort order that match to a single log, Deep Security will follow the LogInspectionRule ID. The LI rule with the lower LogInspectionRule ID will be chosen.
Note that the LogInspectionRule ID is different from the Rule ID in the customized rule properties. The LogInspectionRule ID is the rule's ID in the database, which you can view in the exported XML of a rule.
For example, if you created three (3) custom rules with same content, their LogInspectionRule ID will still be different because of their creation sequence. Below are the sample rules (2, 3, and 3-new). Given the scenario that all these three rules simultaneously exist, the events will always hit the Rule 2.