Setting Registers <1 Minute
The need to do this has surfaced several times over the past year--posting the workaround here for reference.
If you've ever tried to set a register for less than 1 minute, you'll find the UI doesn't allow it. However, it is possible to evaluate activity in less than a minute, using two rules.
Rule #1: Set your necessary condition(s), then set a register against whatever you're tracking (likely user or IP). For the register value, collect time(). This is the time in milliseconds since epoch (see documentation). For example:
Register type: user
Register name: user_time_start
Register value: time()
Expires: variable...1 minute would work
Rule #2: Set your condition, and use a little math to compare the time now with the time captured in the register in rule #1:
(time() - user.register('user_time_start')) < 20000 // this checks for rule condition(s) within 20 seconds of the register set in rule #1.
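The two-rule pattern above, modelled in Python as an added example (not part of the original post and not Web Threat Detection rule syntax). It assumes a register is a per-user value with an expiry, that rule #1 overwrites it each time it fires, and that a missing or expired register does not match; the `login`/`transfer` conditions and all event data are constructed.

```python
# Model of the two-rule sub-minute window (illustration only, not WTD syntax).
# Assumptions: registers are per-user values with an expiry; rule #1 overwrites
# the register each time it fires; a missing/expired register never matches.
REGISTER_TTL_MS = 60_000   # "Expires: 1 minute" from rule #1
WINDOW_MS = 20_000         # the 20000 in rule #2's comparison


class RegisterStore:
    def __init__(self):
        self._data = {}  # (user, name) -> (value, expires_at_ms)

    def set(self, user, name, value, now_ms, ttl_ms):
        self._data[(user, name)] = (value, now_ms + ttl_ms)

    def get(self, user, name, now_ms):
        entry = self._data.get((user, name))
        if entry is None or now_ms >= entry[1]:
            return None  # never set, or already expired
        return entry[0]


def evaluate(events):
    """Return [(user, ts_ms)] for each event where rule #2 fires."""
    regs = RegisterStore()
    hits = []
    for ev in sorted(events, key=lambda e: e["ts_ms"]):
        now = ev["ts_ms"]
        if ev["action"] == "login":        # rule #1 condition (constructed)
            regs.set(ev["user"], "user_time_start", now, now, REGISTER_TTL_MS)
        elif ev["action"] == "transfer":   # rule #2 condition (constructed)
            start = regs.get(ev["user"], "user_time_start", now)
            if start is not None and (now - start) < WINDOW_MS:
                hits.append((ev["user"], now))
    return hits


T0 = 1_700_000_000_000  # constructed epoch-millisecond base
SAMPLE_EVENTS = [
    {"user": "alice", "action": "login", "ts_ms": T0},
    {"user": "alice", "action": "transfer", "ts_ms": T0 + 5_000},   # 5 s: fires
    {"user": "bob", "action": "login", "ts_ms": T0 + 1_000},
    {"user": "bob", "action": "transfer", "ts_ms": T0 + 21_000},    # exactly 20 s: no
    {"user": "carol", "action": "transfer", "ts_ms": T0 + 2_000},   # no register: no
    {"user": "dave", "action": "login", "ts_ms": T0},
    {"user": "dave", "action": "transfer", "ts_ms": T0 + 70_000},   # expired: no
]

if __name__ == "__main__":
    print(evaluate(SAMPLE_EVENTS))
```

The register expiry only needs to be at least as long as the comparison window; the sub-minute precision comes entirely from the millisecond subtraction in rule #2.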