Multi-Thread and Baseline Threshold
Has anybody tried using/creating a correlated rule that uses the baseline threshold and multi-threading on a particular variable (dport, sport, laddr, sadd, etc.) in the field? Is it possible to alert on a percentage deviation from a min/hour/day baseline?
Any input would be greatly appreciated.
Thanks
Hov
Hi Hov,
Thanks for your message posting. I'm investigating with some of the engineers and one of us will post a response shortly.
Best,
Debbie
Hi - has engineering come back with a response on this? - It's been over a month since the initial posting.
Also - This ability is critical to allow customers to use a single alert to baseline multiple variables - thus getting a much greater ROI out of each alert created (@ 64 views per Admin Server).
Thanks for your assistance with this!
Regards,
Ed
In the current implementation of RSA enVision, the event baseline count is generated for the number of events received for a given message (e.g. message id) for a specific period of time. This count generation is independent of a correlation rule and as such the multi-threading capability (e.g. parameterizing the count by message variable) does not apply to this feature.
The capability to generate baselines based upon message variable content has been captured as an enhancement request and will be considered for a future RSA enVision roadmap and release definition.
AndyS,
Was this RFE ever implemented? Based on what I'm seeing for rules in 4.0 sp2 and sp3 it was not.
Thanks,
Ryan
"..there is an existing bug/request ENV-26289.."
Baselining on a multi-threaded variable has never worked. I have made multiple requests going back to 2006. It would be nice to be able to do some Anomaly Detection on things like firewalls to look for when port 80, 25, 22, 443, etc. go over x% over the baseline.
The most annoying thing is that this information is already in IPDB and the only thing RSA has to do is use it in a creative way. They just need to look into "summaries" and allow us to build threshold alerts on summaries tables! In the simplest possible way: query, field used as a test, threshold conditions, and that is it.
Then use this alert in correlation rules .... I know that there is delay etc., but sampling may be done in 1-minute slices... For most cases it is enough.
Regards
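The check the thread keeps asking for, a baseline kept per value of one message variable (here dport) and an alert when the current slice exceeds it by more than x%, as an added example that is not part of this thread and not RSA enVision code. The record layout (minute slice, dport, count), the 1-minute slicing, the window, the threshold and the minimum-sample rule are all assumptions of this sketch.

```python
"""Per-variable ("multi-threaded") percentage-over-baseline check over 1-minute slices."""
from collections import defaultdict
from statistics import mean

# Constructed sample: per-minute firewall event counts keyed by destination port.
# Slice 4 carries a spike on port 80 and a port (3389) never seen in earlier slices.
SAMPLE = [
    (0, 80, 100), (0, 443, 50), (0, 22, 5),
    (1, 80, 110), (1, 443, 55), (1, 22, 4),
    (2, 80, 95),  (2, 443, 45), (2, 22, 6),
    (3, 80, 105), (3, 443, 50), (3, 22, 5),
    (4, 80, 400), (4, 443, 52), (4, 22, 5), (4, 3389, 30),
]


def baseline_counts(records, current_slice, window):
    """Collect, per variable value, the counts seen in the `window` slices
    before current_slice (the current slice itself is excluded so a spike
    cannot inflate its own baseline)."""
    per_value = defaultdict(list)
    for slice_id, value, count in records:
        if current_slice - window <= slice_id < current_slice:
            per_value[value].append(count)
    return per_value


def check_slice(records, current_slice, window=4, pct_over=50.0, min_samples=3):
    """Return {"alerts": {value: deviation_pct}, "no_baseline": [values]}.

    A value is alerted when its count in current_slice is more than pct_over
    percent above the mean of its baseline counts. Values with fewer than
    min_samples baseline slices (e.g. a first-seen port) have no usable
    baseline and are listed separately instead of being silently dropped.
    """
    history = baseline_counts(records, current_slice, window)
    alerts, no_baseline = {}, []
    for slice_id, value, count in records:
        if slice_id != current_slice:
            continue
        samples = history.get(value, [])
        base = mean(samples) if len(samples) >= min_samples else 0
        if base == 0:  # too few samples, or a baseline of zero events
            no_baseline.append(value)
            continue
        deviation = (count - base) / base * 100.0
        if deviation > pct_over:
            alerts[value] = round(deviation, 1)
    return {"alerts": alerts, "no_baseline": no_baseline}
```

Running `check_slice(SAMPLE, 4)` flags port 80 at roughly 290% over its four-slice mean and reports 3389 as having no baseline; the same call for slice 3 raises nothing.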
