I'm still new to correlation rules and I need a little help. I have 2 questions:
1st - I don't understand the concept of the multi-threading option in the correlation: when, how and why should I use it?
2nd - I need to write a correlation that counts 50 times the same type of event for the same user, let's say for example a correlation that counts 50 pre-authentication (Windows machine) failures in one hour.
Basically what I've done is: created a first circle that catches the 1st event and sets a cache var on the user name,
then a second circle that catches the event again and compares the managed cache with the field "username". The problem is that instead of 50 events for the same user I get the correlation fired for 2 events. I also tried to put a count in the 1st circle saying "consider if 50 events in 3600 seconds" - that didn't work well for me either. What am I doing wrong?