RSA Admin

Create a rule to monitor an abnormal increase of logs

Discussion created by RSA Admin Employee on Oct 21, 2009
Latest reply on Nov 9, 2009 by RSA Admin

Hello all,

I have another question: is it possible with enVision to create a correlation rule to determine when a device sends more logs than usual?

For example:

Generally a Bluecoat device sends 40 messages each minute, every day, each week.

But one day, we receive 400 messages.

So this is not normal, and I would like to trigger an alert.

I tried this:

Create a correlation rule

Create a circuit

Create a statement

In this statement I monitor the NIC device itself

I monitor the event ID 508100

And I create a threshold of 40% per minute Baseline.

But it seems that this correlation rule triggers all the time :(

Am I going in the right direction???
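The volume check the post is trying to build, as an added example that is not part of the original thread and not enVision code: a per-minute counter for one device's event ID compared against a historical baseline. HISTORY, OBSERVED, the 40% reading and the window size are all assumptions; the "of" mode shows one way a 40% threshold can fire on every normal minute.

```python
"""Model of a log-volume baseline rule: one per-minute counter for a
device's event id, compared against a historical baseline.
Constructed example, not enVision's rule engine; every name and number
here is an assumption."""
from statistics import mean

# Constructed history: per-minute counts from a hypothetical Bluecoat
# proxy that normally emits about 40 events/min. A real baseline would
# span a week; 15 samples keep the example readable.
HISTORY = [40, 38, 45, 41, 36, 52, 39, 44, 37, 48, 42, 35, 46, 40, 43]

def baseline_rate(history):
    """Average events per minute over the historical window."""
    return mean(history)

def volume_alerts(observed, history, pct=40, window=1, mode="above"):
    """Return (minute_index, averaged_count, ratio_to_baseline) per alert.

    mode="above": fire when volume exceeds the baseline by more than pct%
                  (the intended reading of a 40% threshold).
    mode="of":    fire when volume exceeds pct% of the baseline; with
                  pct=40 that is ~17 events/min here, so every normal
                  minute fires, matching a "triggers all the time" symptom.
    window: consecutive minutes averaged before comparing. window=1 is a
            raw per-minute check and fires on ordinary jitter; a wider
            window only fires on a sustained rise.
    """
    base = baseline_rate(history)
    limit = base * (1 + pct / 100) if mode == "above" else base * pct / 100
    alerts = []
    for i in range(window - 1, len(observed)):
        avg = mean(observed[i - window + 1:i + 1])
        if avg > limit:
            alerts.append((i, round(avg, 1), round(avg / base, 2)))
    return alerts

# Constructed incoming minutes: ordinary jitter, one noisy minute (60),
# then the tenfold burst the post describes.
OBSERVED = [44, 60, 39, 400, 410, 395, 41]

if __name__ == "__main__":
    print("40% of baseline   :", volume_alerts(OBSERVED, HISTORY, mode="of"))
    print("40% above baseline:", volume_alerts(OBSERVED, HISTORY))
    print("5-minute average  :", volume_alerts(OBSERVED, HISTORY, window=5))
```

Run as-is, the per-minute check fires on the single noisy minute (60 events, 1.44x baseline) as well as the burst, while the 5-minute average only fires once the burst is sustained.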
