I've another question: is it possible with enVision to create a correlation rule to determine when a device sends more logs than usual?
Generally a Bluecoat device sends 40 messages every minute, each day of each week.
But one day, we receive 400 messages.
So that's not normal, and I would like to trigger an alert.
I tried this:
Create a correlation rule
Create a circuit
Create a statement
In this statement I monitor the NIC device itself
I monitor the event ID 508100
And I create a threshold of 40% per minute baseline.
But it seems that this correlation rule triggers all the time.
Am I going in the right direction???
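Added example, not part of the post above and not enVision's own rule engine: the per-device baseline comparison such a rule is meant to perform, in Python, run over constructed per-minute counts. The device name, the sample counts, the 40% margin and the minimum count are assumptions.

```python
from statistics import median

# Constructed sample: past per-minute message counts for one device at the
# same minute-of-week over several previous weeks (normally ~40/min).
HISTORY = {
    "bluecoat-01": [38, 41, 40, 39, 42, 40, 37, 41],  # constructed baseline
}
# Constructed: today's count for that same minute (the 400-message day).
CURRENT = {"bluecoat-01": 400}


def baseline_for(samples):
    """Median of past per-minute counts; one odd week does not skew it."""
    return median(samples)


def is_volume_anomaly(current, baseline, pct_above=40.0, min_count=10):
    """True when current exceeds the baseline by more than pct_above percent.

    The comparison is relative to the learned baseline, not to a fixed
    number: a fixed threshold below the normal rate fires every minute.
    min_count suppresses alerts on tiny baselines where +40% is noise.
    """
    if current < min_count:
        return False
    return current > baseline * (1 + pct_above / 100.0)


def check_devices(history, current, pct_above=40.0):
    """Map each device to whether its current count is anomalous."""
    alerts = {}
    for dev, count in current.items():
        base = baseline_for(history[dev])
        alerts[dev] = is_volume_anomaly(count, base, pct_above)
    return alerts


if __name__ == "__main__":
    for dev, fired in check_devices(HISTORY, CURRENT).items():
        print(dev, "ALERT" if fired else "normal")
```

With a baseline of 40/min and a 40% margin, 45 messages stays quiet and 400 fires; only counts above 56/min trip the rule.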