RSA Admin

Help with correlation rule

Discussion created by RSA Admin Employee on Aug 7, 2008
Latest reply on Aug 7, 2008 by RSA Admin

Hi All,

I'm still new to the correlation rules and I need a little help. I have 2 questions:

1st - I don't understand the concept of the multi-threading option in the correlation: when, how and why should I use it?

2nd - I need to write a correlation that counts 50 occurrences of the same type of event for the same user - let's say, for example, a correlation that counts 50 pre-authentication (Windows machine) failures in one hour.

Basically what I've done is: created a first circle that catches the 1st event and sets a cache var on the user name,

then a second circle that catches the event again and compares the managed cache with the field "username". The problem is that instead of 50 events for the same user, I get the correlation fired up for 2 events. I also tried to put a count in the 1st circle saying "consider if 50 events in 3600 seconds" - that didn't work well for me either - what am I doing wrong?

Please advise.
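Added example, not part of the original post and not RSA enVision rule syntax: a plain Python model of the two behaviours described above. `naive_two_stage_alerts` is a simplified model of the "first circle caches the user, second circle matches the cache" approach and shows why it fires on the second event; `threshold_alerts` is the per-user sliding-window count ("50 events in 3600 seconds") that the question is actually asking for. The event stream, user names and the `preauth_failure` event label are constructed for the example.

```python
"""Per-user threshold correlation, modelled in Python (added example, not enVision syntax)."""
from collections import defaultdict, deque

THRESHOLD = 50          # matching events per user that must be seen ...
WINDOW_SECONDS = 3600   # ... within this many seconds before an alert fires
MATCH_EVENT = "preauth_failure"   # constructed event label for the example


def naive_two_stage_alerts(events):
    """Model of the 'cache the user on the 1st event, fire when the 2nd
    event matches the cached user' design. It has no count and no time
    window, so it fires on every second matching event per user."""
    cached_users = set()
    alerts = []
    for ts, user, etype in events:
        if etype != MATCH_EVENT:
            continue
        if user in cached_users:        # second stage: cache matches field "username"
            alerts.append((user, ts))
            cached_users.discard(user)  # cache var is consumed by the match
        else:
            cached_users.add(user)      # first stage: remember the user
    return alerts


def threshold_alerts(events, threshold=THRESHOLD, window=WINDOW_SECONDS,
                     reset_on_alert=True):
    """events: iterable of (timestamp_seconds, username, event_type) in time order.
    Keeps one sliding window of timestamps per user and returns a list of
    (username, timestamp) for each time the count inside the window reaches
    the threshold. With reset_on_alert the window is cleared after firing so
    one burst produces one alert rather than one alert per further event."""
    windows = defaultdict(deque)
    alerts = []
    for ts, user, etype in events:
        if etype != MATCH_EVENT:
            continue
        q = windows[user]
        q.append(ts)
        # drop timestamps older than the window relative to this event
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts.append((user, ts))
            if reset_on_alert:
                q.clear()
    return alerts


def constructed_events():
    """Constructed sample stream (not real logs), sorted by timestamp."""
    events = []
    # alice: 50 failures, one every 30 s -> 50th failure at t=1470, inside one hour
    for i in range(50):
        events.append((i * 30, "alice", MATCH_EVENT))
    # bob: 60 failures, one every 120 s -> never more than 31 inside any 3600 s window
    for i in range(60):
        events.append((i * 120, "bob", MATCH_EVENT))
    # carol: only 2 failures, the case that wrongly fired in the question
    events.append((100, "carol", MATCH_EVENT))
    events.append((200, "carol", MATCH_EVENT))
    # an unrelated event type that both rules must ignore
    events.append((300, "alice", "logon_success"))
    events.sort(key=lambda e: e[0])   # stable sort keeps insertion order on ties
    return events


if __name__ == "__main__":
    evts = constructed_events()
    print("naive two-stage fires", len(naive_two_stage_alerts(evts)), "times;",
          "first alert:", naive_two_stage_alerts(evts)[0])
    print("threshold rule fires:", threshold_alerts(evts))
```

Run as a script, the naive model fires dozens of times (including for carol after just 2 events), while the windowed count fires once, for alice, at the 50th failure; bob's 60 failures spread over two hours never reach 50 within a single hour, which is the behaviour the "50 events in 3600 seconds" condition is meant to give.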
