This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

RSA enVision® Discussions

Browse the RSA enVision discussion board to get product help and collaborate with other users of RSA enVision.
RSAAdmin
Beginner
Beginner
‎2008-08-07 05:06 AM

Help with correlation rule

Hi All,

 

i'm still new to the correlation rules and i need a little help, i have 2 questions:

 

1st - i don't understand the concept of the multi-threading option in the correlation, when, how and why should i use it?

 

2nd - i need to write a correlation that counts 50 times the same type of events for the same user - lets say for example a correlation that counts 50 pre-authentication (windows machine) faliures in one hour.

 

basicly what i've done is: created a first circle that catch the 1st event and set a cache var on the user name

than a second circle that catch the event again compares the manged cache with filed "username". the problem is that instead of 50 events for the same user i get the correlation fired up for 2 events. i also tried to put a count in the 1st circle that saying "consider if 50 events in 3600 seconds" - that didn't worked well for me either - what am i doing worng?

please advise

0 Likes
Reply
6 Replies
RSAAdmin
Beginner
Beginner
‎2008-08-07 11:03 AM

All multithreading does is allow you to launch multiple instances of the same correlation rule based off of differentiation in the content of one or more variables.

 

Your question in #2 is a perfect case for multithreading example.  You want each instance of your rule to be based off of a particular username, so you would set up multithreading to key off of the username variable.  This way, anytime you received an event where the username was different from the original (or subsequently received), a new thread, or "instance", of the rule would be kicked off.

 

I'm also attaching a finely-aged document describing how multithreading is set up in the XML of the rules.

Message Edited by MattMarchand on08-07-200811:34 AM
Preview file
50 KB
0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to RSAAdmin
‎2008-08-07 12:48 PM

Hi,

 

thanks for the quick response it almost gave me a full answer only question now is how can i control the exact amount of count to pass before the correlation will fire up - i.e exactly 50 / 3 / 10 events ...

thanks in advance

0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to RSAAdmin
‎2008-08-07 01:00 PM

Just set a threshold at the statement level - 50 events within whatever time period you are using.

 

Just make sure the decay time slightly exceeds the length of time set in your threshold.

0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to RSAAdmin
‎2008-08-07 01:08 PM

Great thanks a bounch,

one last question - sorry for the ignurrance, but should i put the treshold in the statment of the 1st circle or in the statment of the second circle where i compare the cache (and comming to think of it do i really need the cache var if i'm using the multi-thread option?)

0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to RSAAdmin
‎2008-08-07 01:14 PM

An astute observation on your part: you do not need the second circuit anymore, and consequently no cache variable.

 

If you wish to continue using it the way you have it currently set up, you would put the threshold in the second circuit - but I would recommend simplifying the rule and using a single circuit.

0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to RSAAdmin
‎2008-08-07 01:18 PM

Thanks a lot Matt,

it really clearified my understanding of the correlation rules building.

cheers :smileyhappy:

0 Likes
Reply
© 2020 RSA Security LLC or its affiliates.
All rights reserved.