Looking to create a special Correlated rule
I am using Microsoft Forefront Client Security and I have events that get generated (Message ID 3004:01) when a virus is found. There may be multiple events for these. Eventually I see an event (Message ID 3005) that represents the successful removal of the virus. Common fields are hostname and virus name.
I would like to create an alert to fire when a virus is not removed.
So there may be several virus found events generated for the same virus, but it will be followed by 1 removed event.
I am struggling with creating a correlated rule, as I am looking for events followed by no event for, say, 10 minutes...
Any suggestions are very much appreciated.
You need to create a correlation rule with two circuits:
* Circuit 1: will look for 10 events with message ID 3004:01 coming from MS Forefront Client Security.
* Circuit 2: will look for event 3005 coming from MS Forefront Client Security.
Now to apply the "Not Followed by" relationship between the two circuits, you can use the operator "And not" along with your desired time period. Finally, you have to multithread on both variables, hostname and virus name, to make sure you are dealing with the same virus on the same host.
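One way to sanity-check that "detection not followed by removal" logic outside the tool, as an added Python example that is not part of this thread or of the enVision rule language: it replays a constructed sample stream and fires for each (host, virus) pair whose 3004:01 is not followed by a 3005 within the window, collapsing repeated detections onto the first sighting. The event field names and the sample data are assumptions, not Forefront's own schema.

```python
from collections import namedtuple
from datetime import datetime, timedelta

# Minimal event record; field names are assumptions, not Forefront's own schema.
Event = namedtuple("Event", "time msg_id host virus")

def _t(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

# Constructed sample stream (not real log data): HOSTA is cleaned, HOSTB never is,
# HOSTC is cleaned but only 15 minutes after detection, i.e. outside the window.
SAMPLE_EVENTS = [
    Event(_t("2011-03-01 09:00"), "3004:01", "HOSTA", "EICAR-Test-File"),
    Event(_t("2011-03-01 09:01"), "3004:01", "HOSTA", "EICAR-Test-File"),
    Event(_t("2011-03-01 09:02"), "3004:01", "HOSTA", "EICAR-Test-File"),
    Event(_t("2011-03-01 09:05"), "3005",    "HOSTA", "EICAR-Test-File"),
    Event(_t("2011-03-01 09:00"), "3004:01", "HOSTB", "Trojan.Constructed"),
    Event(_t("2011-03-01 09:03"), "3004:01", "HOSTB", "Trojan.Constructed"),
    Event(_t("2011-03-01 09:04"), "3005",    "HOSTA", "Trojan.Constructed"),  # other host: must not clear HOSTB
    Event(_t("2011-03-01 09:00"), "3004:01", "HOSTC", "EICAR-Test-File"),
    Event(_t("2011-03-01 09:15"), "3005",    "HOSTC", "EICAR-Test-File"),
]

def correlate(events, window=timedelta(minutes=10), now=None):
    """Return (host, virus, first_seen) for every detection (3004:01) that was not
    followed by a removal (3005) for the same host and virus within `window`."""
    pending = {}  # (host, virus) -> time of the first unresolved 3004:01
    alerts = []

    def expire(t):
        # Fire for pairs whose window has elapsed as of time t, oldest first.
        for key, first in sorted(pending.items(), key=lambda kv: kv[1]):
            if t - first > window:
                alerts.append((key[0], key[1], first))
                del pending[key]

    for ev in sorted(events, key=lambda e: e.time):
        expire(ev.time)                        # a late 3005 cannot rescue an expired pair
        key = (ev.host, ev.virus)
        if ev.msg_id == "3004:01":
            pending.setdefault(key, ev.time)   # repeats collapse onto the first sighting
        elif ev.msg_id == "3005":
            pending.pop(key, None)             # removal closes the pair, if still open
    if now is not None:
        expire(now)                            # evaluate windows still open at `now`
    return alerts

if __name__ == "__main__":
    for host, virus, first in correlate(SAMPLE_EVENTS, now=_t("2011-03-01 09:30")):
        print(f"ALERT {host} {virus}: detected {first:%H:%M}, not removed within 10 minutes")
```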
Hi, I wanted to integrate FEP 2010 with Envision. Can you tell me what average EPS you are getting, so that I can do capacity planning accordingly?