Threshold problems

Discussion created by RSA Admin Employee on Jun 21, 2012
Latest reply on Jun 28, 2012 by RSA Admin

Hi, I am trying to set up a very simple correlated alert to try and get my head around basic concepts. All I want is for an alert to be sent when 5 failed authentication attempts to enVision itself occur within 1 minute.

 

I have one circuit, which contains just one statement. That statement matches on the NIC System event with event ID 800015. It has a threshold set for 5 events within 60 seconds. The correlated alert rule has a decay time of 61 seconds. The view which uses this correlated rule has no multi-threading, no cache variables, and no threshold set on the view itself.

 

The problem is that each time a failed login occurs an alert gets generated. The threshold seems to do nothing. Even when I wait 5 minutes, fail authentication once then leave it, one alert gets created. I just don't understand the logic in enVision's alerting configuration at all. Why does it have to be so hard? Thanks, Mark.
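The threshold behaviour the post expects (an alert only when 5 events with ID 800015 fall inside 60 seconds, and none for a lone failure), written as a generic sliding-window check. This is an added example, not part of the original post and not enVision's correlation engine; the log line format, the sample events and the function names are constructed for illustration.

```python
from collections import deque
from datetime import datetime, timedelta

EVENT_ID = "800015"               # event ID named in the post
THRESHOLD = 5                     # events required before alerting
WINDOW = timedelta(seconds=60)    # threshold window from the post

# Constructed sample events: "ISO timestamp,event ID,detail" (assumed format)
SAMPLE = """\
2012-06-21T10:00:00,800015,login failed
2012-06-21T10:05:00,800015,login failed
2012-06-21T10:05:10,800020,unrelated event
2012-06-21T10:05:20,800015,login failed
2012-06-21T10:05:30,800015,login failed
2012-06-21T10:05:40,800015,login failed
2012-06-21T10:05:50,800015,login failed
2012-06-21T10:05:55,800015,login failed
"""

def parse(text):
    """Yield (timestamp, event_id) pairs from the constructed line format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, _detail = line.split(",", 2)
        yield datetime.fromisoformat(ts), event_id.strip()

def threshold_alerts(events, event_id=EVENT_ID, threshold=THRESHOLD, window=WINDOW):
    """Return the timestamps at which the threshold is crossed.

    Events must arrive in time order. After an alert the window is cleared,
    so the next alert needs a fresh run of `threshold` matching events.
    """
    recent = deque()
    alerts = []
    for ts, eid in events:
        if eid != event_id:
            continue                      # the statement matches one event ID only
        recent.append(ts)
        while ts - recent[0] > window:    # drop events older than the window
            recent.popleft()
        if len(recent) >= threshold:
            alerts.append(ts)
            recent.clear()
    return alerts

if __name__ == "__main__":
    for ts in threshold_alerts(parse(SAMPLE)):
        print("ALERT", ts.isoformat())
```

With the sample above, the isolated failure at 10:00:00 produces nothing and the only alert is raised on the fifth failure of the later burst.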
