This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

RSA enVision® Discussions

Browse the RSA enVision discussion board to get product help and collaborate with other users of RSA enVision.
VincentCheung
Beginner
Beginner
‎2011-12-21 09:47 PM

Correlation Rules for Virus Alerts

Hi all, What would be the best way to setup a correlation rule if I want to alert on say the same virus has been detected again within a week period? So if Monday virus X is detected and another X virus on Friday is detected it will generate an alert? Should it be multithreaded so it will start a new thread whenever a new virus is detected? Thanks.
0 Likes
Reply
2 Replies
RSAAdmin
Beginner
Beginner
‎2012-01-03 05:25 PM

I've made a correlation rule for this, more or less.  We would use it to identify something spreading on the network.  Right now it will fire if the same virus is found on 3 hosts within an hour.  It would be easy to modify it to increase the number of hosts or increase the timeframe.

 

I have attached the rule for you. 

 

Note that it uses cache variables to determine if its the same virus on different hosts, not multithreading.  The reason for this is that I like to see each of the messages that generate the alert.  If you use multi threading it will only show you the last message to cause the alert to fire which annoys me.  :smileyhappy:

 

 

Preview file
5 KB
0 Likes
Reply
VincentCheung
Beginner
Beginner
In response to RSAAdmin
‎2012-01-11 09:52 PM

Thanks!! I've put in the alert - waiting for a time to test it out.

It should work as I made an correlated alert on 3 accounts locked out within a short period using the same logic you provided.
0 Likes
Reply
© 2020 RSA Security LLC or its affiliates.
All rights reserved.