This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

RSA enVision® Discussions

Browse the RSA enVision discussion board to get product help and collaborate with other users of RSA enVision.
RSAAdmin
Beginner
Beginner
‎2012-01-04 10:04 AM

Decay Time

Hi All, Please explain the Use of Decay time in Correlation rule.
0 Likes
Reply
7 Replies
RSAAdmin
Beginner
Beginner
‎2012-01-04 10:10 AM

Decay Time is an overall "Time to Live" for the rule. If all the criteria of the rule are not met within the defined decay time, the running instance of the rule will expire and no alert will be generated. The Decay Time must be set to slightly exceed the span of all other timers built into the rule -so for example if you have a threshold built into the rule that looks for a sequence of events to happen in 60 seconds, you must set your decay time to be 61 seconds or more.
0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to RSAAdmin
‎2012-01-06 06:08 AM

Thanks Matt. I have a doubt on this.... Please consider the below example and provide your comments. For a rule if a condition is 5 events in 60 mins... decay time 61 mins.. For example: from 9:30 to 10:30 we have 4 events(9:30, 9:40,9:55,10:30) and other 2 events at 10:35 and 10:40. Will the alert trigger for this since alert criteria is met from 9:40 to 10:40... If yes, how the decay time will function in maintaining the events...
0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to RSAAdmin
‎2012-01-06 08:20 AM

No, it would not trigger. The decay timer starts ticking based based on the first matching event for that instance of the rule. Although events #2-6 constitute what would have been successful criteria for the alert, events #1-5 did not.
0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to RSAAdmin
‎2012-01-06 08:29 AM

Hi Matt, You mean to say even if the criteria met and alert will not trigger for events from 2-6.... As my rule should fire 5 events in 1 hour... What will be the resolution for above case... Regards, Vel
0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to RSAAdmin
‎2012-01-06 08:41 AM

Correct. Although you do have an actual sequence of 5 events that did occur within a 1 hour timeframe, because the decay time triggers off of the first event no alert will fire (the rule expires before we ever get to event #5). What you are asking for is a perpetual start of a new decay timer every time a matching event is triggered, effectively launching an instance of a rule for every event. If you require this functionality, I would contact support and make an enhancement request.
0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to RSAAdmin
‎2012-01-06 08:57 AM

Thanks...
0 Likes
Reply
DavidYoslov
Beginner
Beginner
In response to RSAAdmin
‎2012-01-25 05:58 PM

Velm, let me know if you have an RFE for this.
0 Likes
Reply
© 2020 RSA Security LLC or its affiliates.
All rights reserved.