Differences between Cache Variable & Multi Threading
Can someone help me with the Cache Variable & Multi Threading concepts, along with a scenario/example? Thanks in advance.
If I am not wrong, multi threading, for example, we will use in "Multiple login failures" to filter the usernames by matching with the existing statements.
It's very difficult to get some information about RSA enVision by googling. We can easily get some assistance on other products like ArcSight etc. What a crap...
Yes, multi threading mainly deals with the count of messages and is useful in many ways. For example, you can define the alert on a particular number of occurrences of an event, which reduces the overload of your mail server as well.
Cache is the variable which you can use in a situation where you have an unknown input and you have to compare it. For example, if you want to see the traffic from an external IP, you can configure an alert on IDS logs for all the IPs except the internal range. Then, if you want to further investigate where this IP has reached or which devices were affected by this IP, you can keep this IP in cache and search for it in other device logs; if it matches somewhere, you will get an alert.
Yes, that is right, and in addition some useful content regarding multi-threading:
When you click on multi-threading, enVision will check if there are any common parameters among all the messages you are monitoring in the correlation rule. By default there will be 3 default ones which you can check:
- enVision device IP - the IP address as shown in manage monitored devices
- enVision site
- enVision collection node
In short, the usage of multi-threading in a correlation rule allows us to separate the log collection according to your multi-threading conditions (e.g. device IP, enVision site etc.). Thus, if you use multi-threading and select enVision device IP, it will create one thread for each of your monitored devices, i.e. if you have 10 Checkpoint FW devices, it will create 10 threads.
Then each thread will monitor the logs associated with its managed monitored device and compare them to the conditions set in the correlation rule. If any thread finds that its logs have fulfilled the correlation rule conditions, it will trigger the alert. However, the logs collected by each thread will not be used together when counting the number of events.
For example, I've created a correlation rule called multiple_attacks_to_a_FW. It has multi-threading set to use enVision device IP. This alert will monitor all my Checkpoint devices, and specifically any messages of the type Network.connections.successful. In addition, the condition is that if there are more than 10 events/logs of this type collected in 60 seconds, it will trigger the alert.
Then in my log files, I have 2 sets of logs related to 3 Checkpoint devices: 10.32.28.177, 10.10.50.40 and 10.10.50.32. Note that all of the logs belong to the type "Network.connections.successful".
In the 1st set of logs, there is 1 log for 10.32.28.177, 9 logs for 10.10.50.40 and 9 logs for 10.10.50.32. Under our rule setup, this set of logs will not trigger any alert because none of the 3 threads is able to collect 10 logs within the time frame.
Then in the 2nd set of logs, there is 1 log for 10.32.28.177, 10 logs for 10.10.50.40 and 8 logs for 10.10.50.40. Under our rule setup, this set of logs will trigger an alert for 10.10.50.40, as the thread associated with this device is able to collect 10 logs within the time frame.
To conclude, if multi-threading is not enabled here, both the 1st and 2nd sets of logs will trigger alerts, because these messages will be collected by a single thread, and this thread is able to pick up enough logs to trigger an
So we can see that by using multi-threading, it can trigger alerts based on specific device IPs only, but at the same time have the ability to monitor all the IPs at once.
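The two ideas discussed in this thread, a per-device ("multi-threaded") event count versus a single shared count, and a cache variable of external IPs matched against other devices' logs, are modelled below in an added Python example that is not part of the original posts and has nothing to do with enVision's real implementation. The threshold is taken as 10 logs in a 60-second window, since the worked example above fires at exactly 10; the IDS source IPs and firewall logs at the bottom are constructed sample data.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 60
THRESHOLD = 10          # assumption: fires at 10 logs, as in the post's worked example
MSG_TYPE = "Network.connections.successful"

def correlate(events, multi_thread=False):
    """Sliding-window count of one message type; events are (ts, device_ip, msg_type).
    multi_thread=False: a single thread counts every device's logs together.
    multi_thread=True : one thread (one counter) per enVision device IP."""
    windows = defaultdict(deque)
    alerts = []
    for ts, device_ip, msg_type in events:
        if msg_type != MSG_TYPE:
            continue
        key = device_ip if multi_thread else "ALL"
        q = windows[key]
        q.append(ts)
        while ts - q[0] > WINDOW_SECONDS:      # drop logs older than the window
            q.popleft()
        if len(q) >= THRESHOLD:               # threshold met: alert once, then reset
            alerts.append(key)
            q.clear()
    return alerts

def make_set(counts):
    """Constructed sample: counts maps device IP -> number of logs, one per second."""
    events, t = [], 0
    for ip, n in counts.items():
        for _ in range(n):
            events.append((t, ip, MSG_TYPE))
            t += 1
    return events

SET1 = make_set({"10.32.28.177": 1, "10.10.50.40": 9, "10.10.50.32": 9})
SET2 = make_set({"10.32.28.177": 1, "10.10.50.40": 10, "10.10.50.32": 8})

def external_ip_cache(ids_sources, internal_prefix="10."):
    """Cache variable: remember IDS source IPs that fall outside the internal range."""
    return {src for src in ids_sources if not src.startswith(internal_prefix)}

def cache_hits(cache, device_logs):
    """Match the cached IPs against (device, src_ip) logs from other devices."""
    return [(dev, src) for dev, src in device_logs if src in cache]

if __name__ == "__main__":
    print("set1 single thread:", correlate(SET1))            # ['ALL']
    print("set1 per device   :", correlate(SET1, True))      # []
    print("set2 per device   :", correlate(SET2, True))      # ['10.10.50.40']
    cache = external_ip_cache(["10.1.1.5", "203.0.113.9"])   # constructed IDS sources
    print(cache_hits(cache, [("fw1", "203.0.113.9"), ("fw2", "10.1.1.5")]))
```

Set 1 alerts only when every device shares one counter, and set 2 alerts per device solely for 10.10.50.40, which is the behaviour the answer above describes.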