RSA enVision^® Discussions

RSAAdmin · ‎2012-04-27

hi, I need to configure a correlated alert for denied connections on firewall from a single source IP where threshold is 2000 connections denied in 5 minutes. I made the rule but the o/p is not coming correctly. how to define filter or cache and multithreading in this rule for a single source IP.

RSAAdmin · ‎2012-04-28

You need to multithread on the source ip to have the rule monitor 2000 events for same source IP

RSAAdmin · ‎2012-04-28

Hi sreejith, But, by default multithreading shows only envision site, envision device IP address and envision collection node. In order to multithread on sourceaddress, i need to put some filter i guess. One more thing i wud like to ask that only 1 circuit and 1 statement is enough for creating this rule.

RSAAdmin · ‎2012-04-28

You need to make sure your event set configuration contains only the needed events. Multithreading page displays common variables among the events configured in statement page. So if you configure events appropriately which contain source address variable, you will be able to see source address in multithreading page. And yes you can configure this rule using one circuit and statement if the eventset configured makes source IP available in multithreading page.

RSAAdmin · ‎2012-05-03

It works. Thx a lot sreejith..........

RSA enVision® Discussions

correlation rule

RSA enVision^® Discussions