Looking to create a special Correlated rule

Discussion created by RSA Admin Employee on Jan 6, 2011
Latest reply on Oct 2, 2012 by anuragmal

I am using Microsoft Forefront Client Security and I have events that get generated (Message ID 3004:01) when a virus is found. There may be multiple events for these. Eventually I see an event (Message ID 3005) that represents the successful removal of the virus. Common fields are hostname and virus name.

I would like to create an alert to fire when a virus is not removed.

So there may be several virus found events generated for the same virus, but it will be followed by 1 removed event.

I am struggling with creating a correlated rule as I am looking for events followed by no event for, say, 10 minutes...

Any suggestions are very much appreciated.
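One way to express the "found but not removed within 10 minutes" correlation outside the SIEM, as an added Python example that is not part of the original post: it keys on hostname plus virus name, collapses repeated 3004:01 events onto the first sighting, and fires when no 3005 arrives within the window (including when the removal arrives too late). Hostnames, virus names, timestamps and the `NOW` evaluation time are constructed.

```python
from collections import namedtuple
from datetime import datetime, timedelta

# Constructed sample events in the shape the post describes (not real Forefront logs):
# Message ID 3004:01 = virus found, 3005 = virus removed; keyed by hostname + virus name.
Event = namedtuple("Event", "time msg_id host virus")
FOUND, REMOVED = "3004:01", "3005"

SAMPLE_EVENTS = [
    Event(datetime(2011, 1, 6, 9, 0, 0), FOUND, "WS-101", "Trojan:Win32/Example.A"),
    Event(datetime(2011, 1, 6, 9, 0, 30), FOUND, "WS-101", "Trojan:Win32/Example.A"),
    Event(datetime(2011, 1, 6, 9, 2, 0), REMOVED, "WS-101", "Trojan:Win32/Example.A"),  # removed in time
    Event(datetime(2011, 1, 6, 9, 5, 0), FOUND, "WS-202", "Worm:Win32/Example.B"),
    Event(datetime(2011, 1, 6, 9, 6, 0), FOUND, "WS-202", "Worm:Win32/Example.B"),      # never removed
    Event(datetime(2011, 1, 6, 9, 7, 0), FOUND, "WS-303", "Trojan:Win32/Example.A"),
    Event(datetime(2011, 1, 6, 9, 18, 0), REMOVED, "WS-303", "Trojan:Win32/Example.A"), # removed too late
    Event(datetime(2011, 1, 6, 9, 20, 0), FOUND, "WS-404", "Worm:Win32/Example.B"),     # still open
]
NOW = datetime(2011, 1, 6, 9, 40, 0)  # constructed "current time" at which the stream is evaluated

def unremoved_detections(events, now, window=timedelta(minutes=10)):
    """Return (host, virus, first_seen) for each detection with no removal
    event for the same host and virus within `window` of its first sighting."""
    open_since = {}  # (host, virus) -> time of first FOUND event still awaiting a REMOVED
    alerts = []

    def expire(cutoff):
        # Fire once for every open detection older than the window, then stop tracking it.
        for key, first in list(open_since.items()):
            if first + window <= cutoff:
                alerts.append((key[0], key[1], first))
                del open_since[key]

    for ev in sorted(events, key=lambda e: e.time):
        expire(ev.time)  # anything overdue as of this event's timestamp fires first
        key = (ev.host, ev.virus)
        if ev.msg_id == FOUND:
            open_since.setdefault(key, ev.time)  # repeated FOUND events collapse onto the first
        elif ev.msg_id == REMOVED:
            open_since.pop(key, None)  # a removal closes the window for that host/virus
    expire(now)  # end of stream: fire for anything still overdue
    return alerts

if __name__ == "__main__":
    for host, virus, first in unremoved_detections(SAMPLE_EVENTS, NOW):
        print(f"ALERT {host}: {virus} first seen {first:%H:%M:%S}, no removal within 10 min")
```

Run against a live feed, `expire()` would be driven by a timer rather than only by the next event, otherwise a host that goes quiet after its last 3004:01 is not reported until the next event arrives.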