000013628 - What is the difference between 'IP address matching' and 'Threshold \ Consider if X events come in within Y seconds' correlated rule

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 22, 2017. Version 2.

Article Content

Article Number: 000013628
Applies To: enVision Core 4.x
Issue: What is the difference between "IP address matching" and "Threshold \ Consider if X events come in within Y seconds" correlated rule?
Resolution:

For "IP Address matching", enVision evaluates the circuits in the Correlation Rule Logic only for events that meet the IP address matching criteria; events from non-matching addresses never reach the rule logic. For "Threshold Definitions", an event threshold can be defined in terms of any of the following:

A specific number of events are received within a specified time period.

The total number of events received is either greater than or less than the selected event average or event baseline.

The absence of events. If you normally receive a specific message and do not receive it for a user-specified period of time, that absence constitutes an alert. (This threshold definition is only available in correlation statements.)

If you want every event received for that message to be treated as an alert, set no threshold at all.

Each time a threshold is met within its time frame, enVision issues one alert and resets the event count for that threshold. For example, with a threshold of X events within Y seconds, if the criteria are met 3 times during an hour, enVision issues 3 alerts rather than a single alert covering all of the events.
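The following is an added simulation of the behaviour described above; it is not enVision code and makes assumptions the article does not state: the "X events within Y seconds" window is treated as sliding (measured back from the newest event), events exactly Y seconds apart still count as within the window, and IP address matching is modelled as a CIDR filter on the event's source address. The event stream, message identifier SSH_AUTH_FAIL, and addresses are constructed sample data.

```python
from collections import deque
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Event:
    ts: float       # seconds since start of the observation hour
    src_ip: str
    msg_id: str


class ThresholdRule:
    """One correlated rule: optional IP address matching plus an optional
    'X events within Y seconds' threshold on a single message type.

    count=None models 'no threshold set': every matching event is an alert.
    ip_match=None models a rule without IP address matching.
    """

    def __init__(self, msg_id: str, count: Optional[int], seconds: float,
                 ip_match: Optional[str] = None):
        self.msg_id = msg_id
        self.count = count
        self.seconds = seconds
        self.net = ip_network(ip_match) if ip_match else None
        self.times: deque = deque()   # timestamps of events in the current window

    def ip_matches(self, ev: Event) -> bool:
        # IP address matching is checked first; non-matching events never
        # reach the threshold logic (assumption: CIDR filter on source IP).
        return self.net is None or ip_address(ev.src_ip) in self.net

    def feed(self, ev: Event) -> bool:
        """Return True when this event causes one alert to be issued."""
        if ev.msg_id != self.msg_id or not self.ip_matches(ev):
            return False
        if self.count is None:
            return True                     # no threshold: every event alerts
        self.times.append(ev.ts)
        # drop events that fell out of the Y-second window (sliding window assumption)
        while self.times and ev.ts - self.times[0] > self.seconds:
            self.times.popleft()
        if len(self.times) >= self.count:
            self.times.clear()              # alert issued, event count reset
            return True
        return False


# Constructed sample stream: one hour of SSH authentication events.
SAMPLE_EVENTS: List[Event] = [
    Event(0, "10.1.1.5", "SSH_AUTH_FAIL"),
    Event(10, "10.1.1.5", "SSH_AUTH_FAIL"),
    Event(20, "10.1.1.5", "SSH_AUTH_FAIL"),      # 3rd in 60 s -> alert
    Event(25, "10.1.1.5", "SSH_AUTH_OK"),        # different message, ignored
    Event(30, "10.1.1.5", "SSH_AUTH_FAIL"),      # count restarts after the alert
    Event(40, "10.1.1.5", "SSH_AUTH_FAIL"),
    Event(200, "10.1.1.5", "SSH_AUTH_FAIL"),     # earlier two aged out of the window
    Event(1000, "192.168.1.1", "SSH_AUTH_FAIL"), # outside 10.0.0.0/8
    Event(1010, "192.168.1.1", "SSH_AUTH_FAIL"),
    Event(1015, "192.168.1.1", "SSH_AUTH_FAIL"),
    Event(2000, "10.2.2.2", "SSH_AUTH_FAIL"),
    Event(2005, "10.2.2.2", "SSH_AUTH_FAIL"),
    Event(2010, "10.2.2.2", "SSH_AUTH_FAIL"),    # alert
    Event(3500, "10.1.1.5", "SSH_AUTH_FAIL"),
    Event(3501, "10.1.1.5", "SSH_AUTH_FAIL"),
    Event(3502, "10.1.1.5", "SSH_AUTH_FAIL"),    # alert
]


def alert_times(count: Optional[int], seconds: float, ip_match: Optional[str],
                events: List[Event] = SAMPLE_EVENTS) -> List[float]:
    """Run a fresh rule over the stream and return the timestamps that alerted."""
    rule = ThresholdRule("SSH_AUTH_FAIL", count, seconds, ip_match)
    return [ev.ts for ev in events if rule.feed(ev)]


if __name__ == "__main__":
    print("3 in 60 s, 10.0.0.0/8:", alert_times(3, 60, "10.0.0.0/8"))
    print("3 in 60 s, no IP match:", alert_times(3, 60, None))
    print("no threshold, 10.0.0.0/8:", len(alert_times(None, 60, "10.0.0.0/8")), "alerts")
```

With the threshold set to 3 events in 60 seconds and IP matching on 10.0.0.0/8, the stream produces exactly three alerts (at 20, 2010 and 3502 seconds), one per time the criteria are met, because the count is cleared after each alert. Removing the IP address matching lets the 192.168.1.1 burst through the rule logic and adds a fourth alert; removing the threshold turns every one of the twelve matching events into its own alert.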

Legacy Article ID: a44022
