This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

RSA enVision® Discussions

Browse the RSA enVision discussion board to get product help and collaborate with other users of RSA enVision.
RSAAdmin
Beginner
Beginner
‎2011-09-02 12:56 PM

Creating Rule for Event Increase of Device/Device Group

- If the baseline is for a devicegroup will it look at cumulative baseline for the entire devicegroup?

- Is there an easy way to do the baseline for each device without creating seperate OR statements for each device?

- How is hourly average calculated?

Preview file
1 KB
0 Likes
Reply
9 Replies
RSAAdmin
Beginner
Beginner
‎2011-09-02 02:02 PM

When you said that the rue seems to trigger on source IP baseline, was that because you are using a filter for the source IP addresses? 

0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to RSAAdmin
‎2011-09-02 02:03 PM

No
0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to RSAAdmin
‎2011-09-02 02:10 PM

Can you please post the entire rule XML?  It will make it easier for us to evaluate what is going on that way.

 

Paul

 

0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to RSAAdmin
‎2011-09-02 02:17 PM

See attached

Preview file
1 KB
0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to RSAAdmin
‎2011-09-02 02:28 PM

Thanks...How do you know that it is triggering based on source IP address and not on the number of events?  There are 201 message IDs that are in Network.Connections and Network.Denied Connections.  Is it just that you keep getting one message from an individual source IP that for some reason has lots of activity making it appear that it is triggering on source IP?

 

Paul

 

0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to RSAAdmin
‎2011-09-02 02:58 PM

The attached rule should be implementing the logic you described, As Paul said earlier it could be that you are receiving alerts from only one IP address

0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to RSAAdmin
‎2011-09-02 02:59 PM

We are receiving multiple alerts from different ips within the hour timeframe.
0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to RSAAdmin
‎2011-09-03 08:06 AM

Remember that you only see the last message that caused the alert to be generated.  What this means is that you went up over the 60% mark more than once in the hour.  Let's say the baseline starts at 100...it means it hit 160 and then it hit 176, etc.  I have always found the baselining to be somewhat odd to implement...it should settle down over time and then you should see less number of alerts being generated in an hour until you restart the view or alert and then it will do something similar again.

 

Paul

 

0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to RSAAdmin
‎2011-09-06 09:40 AM

- If the baseline is for a devicegroup will it look at cumulative baseline for the entire devicegroup?

- Is there an easy way to do the baseline for each device without creating seperate OR statements for each device?

- How is hourly average calculated?

0 Likes
Reply
© 2020 RSA Security LLC or its affiliates.
All rights reserved.