This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

RSA enVision® Discussions

Browse the RSA enVision discussion board to get product help and collaborate with other users of RSA enVision.
BalazsImre
New Contributor
New Contributor
‎2009-10-06 09:18 AM

correlated alert based on preceding event happend

Hi, 

 

How would you create a correlation rule which alerts on events that should have had a preceding event, I mean a user is accessing some resources (event1) without having a login event (event0) received before.

 

Thanks,

Balazs

0 Likes
Reply
2 Replies
AnkushBaveja
Employee
Employee
‎2009-10-06 10:01 AM

I have not tried this but i hope this should work

 

create a statement filter and specify the threshold as "consider if no events come within x seconds", specify the event0 you are looking for.

 

After this create a new statement filter

specify the event1 here.

 

Then in the Add/Modify Circuit Definition window specify the operator b/w statement1 and statement2 as    "followed by".

 

0 Likes
Reply
BalazsImre
New Contributor
New Contributor
In response to AnkushBaveja
‎2009-10-07 04:23 AM

Hello abaveja,

 

Sounds good to me will try this afternoon and let you know if it works.

 

Kind regards,

Balazs

0 Likes
Reply
© 2020 RSA Security LLC or its affiliates.
All rights reserved.