Help with correlation rule
I'm still new to correlation rules and I need a little help. I have 2 questions:
1st - I don't understand the concept of the multi-threading option in the correlation: when, how and why should I use it?
2nd - I need to write a correlation that counts 50 occurrences of the same type of event for the same user - let's say, for example, a correlation that counts 50 pre-authentication (Windows machine) failures in one hour.
Basically what I've done is: created a first circle that catches the 1st event and sets a cache var on the user name,
then a second circle that catches the event again and compares the managed cache with the field "username". The problem is that instead of 50 events for the same user I get the correlation fired for 2 events. I also tried to put a count in the 1st circle saying "consider if 50 events in 3600 seconds" - that didn't work well for me either. What am I doing wrong?
All multithreading does is allow you to launch multiple instances of the same correlation rule based off of differentiation in the content of one or more variables.
Your question in #2 is a perfect example case for multithreading. You want each instance of your rule to be based off of a particular username, so you would set up multithreading to key off of the username variable. This way, any time you received an event where the username was different from the original (or any subsequently received one), a new thread, or "instance", of the rule would be kicked off.
I'm also attaching a finely-aged document describing how multithreading is set up in the XML of the rules.
Thanks for the quick response, it almost gave me a full answer. The only question now is how I can control the exact count that has to be reached before the correlation fires - i.e. exactly 50 / 3 / 10 events...
Thanks in advance
Just set a threshold at the statement level - 50 events within whatever time period you are using.
Just make sure the decay time slightly exceeds the length of time set in your threshold.
Great, thanks a bunch,
One last question - sorry for the ignorance, but should I put the threshold in the statement of the 1st circle or in the statement of the second circle where I compare the cache (and come to think of it, do I really need the cache var if I'm using the multi-thread option?)
An astute observation on your part: you do not need the second circuit anymore, and consequently no cache variable.
If you wish to continue using it the way you have it currently set up, you would put the threshold in the second circuit - but I would recommend simplifying the rule and using a single circuit.
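The three pieces the replies above settle on (one rule instance per username, a count threshold evaluated over a time window, and a decay slightly longer than that window) can be shown outside any SIEM. The following is an added illustration written for this page, not code from the original thread or from any correlation engine: a small Python model of a single-circuit, multithreaded threshold rule run over constructed events. The class and function names (`KeyedThresholdRule`, `run_rule`, `demo`) and the sample events are assumptions made for the example; the event field names `ts`, `event` and `username` are invented placeholders for whatever the real normalized fields are called.

```python
from collections import deque
from dataclasses import dataclass
from typing import Callable, Deque, Dict, List, Optional


@dataclass
class Alert:
    key: str         # the username this instance was keyed on
    count: int       # events counted when the threshold was reached
    first_seen: int  # timestamp (seconds) of the oldest event still in the window
    last_seen: int   # timestamp of the event that tripped the threshold


class KeyedThresholdRule:
    """Hypothetical model of one correlation circuit with multithreading.

    One rule definition; one independent counter ("thread"/"instance") per
    distinct value of key_field.  The threshold is evaluated per instance, so
    50 failures by alice and 50 by bob never add up to one alert.
    """

    def __init__(self, match: Callable[[dict], bool], key_field: str,
                 threshold: int, window: int, decay: int):
        self.match = match            # the statement's filter, e.g. pre-auth failure
        self.key_field = key_field    # the variable multithreading keys off of
        self.threshold = threshold    # e.g. 50 events
        self.window = window          # e.g. 3600 seconds
        self.decay = decay            # how long an idle instance is kept alive
        self.instances: Dict[str, Deque[int]] = {}  # key -> timestamps in window
        self.last_seen: Dict[str, int] = {}

    def _expire(self, now: int) -> None:
        # An instance idle longer than the decay time is torn down, and its
        # partial count is lost.  This is why decay must exceed the window:
        # otherwise a user who pauses mid-window is silently reset.
        for key in [k for k, t in self.last_seen.items() if now - t > self.decay]:
            del self.instances[key]
            del self.last_seen[key]

    def feed(self, event: dict) -> Optional[Alert]:
        now = event["ts"]
        self._expire(now)
        if not self.match(event):
            return None
        key = event.get(self.key_field)
        if key is None:
            return None
        window = self.instances.setdefault(key, deque())
        self.last_seen[key] = now
        window.append(now)
        while now - window[0] > self.window:  # slide: drop events older than the window
            window.popleft()
        if len(window) >= self.threshold:
            alert = Alert(key, len(window), window[0], now)
            window.clear()  # reset this instance so the next 50 start a fresh count
            return alert
        return None


def run_rule(rule: KeyedThresholdRule, events: List[dict]) -> List[Alert]:
    """Replay events in time order and collect every alert the rule fires."""
    return [a for a in (rule.feed(e) for e in sorted(events, key=lambda e: e["ts"])) if a]


def failures(user: str, times) -> List[dict]:
    # Constructed sample events; the field names are assumptions for this example.
    return [{"ts": t, "event": "pre-auth failure", "username": user} for t in times]


SAMPLE_EVENTS = (
    failures("alice", range(0, 3000, 60))          # 50 failures, one a minute: must fire
    + failures("bob", range(0, 2940, 60))          # 49 failures in 49 minutes ...
    + failures("bob", [7200])                      # ... and a 50th an hour later: must not
    + failures("carol", range(0, 600, 20))         # 30 failures in 10 minutes,
    + failures("carol", range(3000, 3300, 15))     # a 40-minute pause, then 20 more: all within 1 hour
    + [{"ts": 100, "event": "logon success", "username": "alice"}]  # not a failure, ignored
)


def demo(decay: int) -> List[Alert]:
    rule = KeyedThresholdRule(
        match=lambda e: e["event"] == "pre-auth failure",
        key_field="username", threshold=50, window=3600, decay=decay)
    return run_rule(rule, SAMPLE_EVENTS)


if __name__ == "__main__":
    for decay in (3700, 1800):
        print(f"decay={decay}:", [(a.key, a.count, a.last_seen) for a in demo(decay)])
```

With the decay set just above the one-hour window (3700 s) the rule fires once for alice and once for carol, and never for bob, whose 50th failure falls outside the window. With a decay of 1800 s carol's instance is torn down during her 40-minute pause, so only alice fires even though carol also produced 50 failures inside one hour; that is the failure mode the advice about decay time is guarding against.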