RSA Admin

Statistics Overflooding

Discussion created by RSA Admin Employee on Jan 17, 2010
Latest reply on Jan 18, 2010 by RSA Admin

Hi,

I'm getting a little tired of this, but no matter what I do, in every way that I configure enVision to fire up an alert on an X percent increase of events, I'm getting thousands of events.

Let's take a simple example:

Create a correlation with this statement: device group - Checkpoint (provides lots of data)

threshold - increase of 50% over the hour baseline (also tried avg)

eventid * (getting all events from the devices)

This generates about 5000 events a week =/

Now, come to think of it, I've tried with a specific eventid - same result.

What I've noticed is that no matter what you choose as the threshold, enVision will fire up an alert every one to three seconds, which makes me think that instead of generating an alert once an hour, it just compares every second the relative one hour/minute in the parallel week, hence Sunday 6:00 AM vs. last Sunday 6:00 AM, and 6:00:01 vs. 6:00:01, and so on.

This is causing a lot of false positives (not to mention killing my clients' mailboxes.. =P )

Any idea about this?
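Added example, not part of the original post and not RSA enVision code: a small Python simulation of the rule the post describes (current hour compared with the same hour of the baseline week, alert when it exceeds 150% of baseline). It shows how many alerts the same threshold produces when the window is evaluated once per hour, once per second, and once per second with a one-alert-per-hour suppression, on a constructed six-hour sample; event rates, hour indexes and function names are assumptions.

```python
"""Added example (not from the original post or from RSA enVision): simulates a
"50% over hourly baseline" rule evaluated once per hour versus once per second,
which is the behaviour the poster suspects is flooding the alert queue."""
from bisect import bisect_left
from collections import Counter

HOUR = 3600

def hourly_counts(event_times):
    """Events per hour index; event_times are second offsets from period start."""
    return Counter(t // HOUR for t in event_times)

def evaluate(event_times, baseline, threshold=1.5, step=HOUR, suppress=False):
    """Slide a one-hour window over the current period every `step` seconds.

    Each window is compared with the baseline count of the same hour index
    (the "same hour last week" comparison). With suppress=True, at most one
    alert is raised per hour index, which is what a once-per-hour rule
    amounts to. Returns a list of (window_start, count, baseline_count).
    """
    times = sorted(event_times)
    end = times[-1] + 1 if times else 0
    alerts = []
    seen = set()
    for start in range(0, end, step):
        count = bisect_left(times, start + HOUR) - bisect_left(times, start)
        hour_idx = start // HOUR
        base = baseline.get(hour_idx, 0)
        if base and count > threshold * base:
            if suppress and hour_idx in seen:
                continue
            seen.add(hour_idx)
            alerts.append((start, count, base))
    return alerts

def synthetic_period(hours, spike_hour=None, rate=36, spike_rate=18):
    """Constructed sample: one event every `rate` seconds, doubled in spike_hour."""
    times = []
    for h in range(hours):
        r = spike_rate if h == spike_hour else rate
        times.extend(range(h * HOUR, (h + 1) * HOUR, r))
    return times

BASELINE = hourly_counts(synthetic_period(6))   # "last week": 100 events/hour
CURRENT = synthetic_period(6, spike_hour=3)     # "this week": 200 events in hour 3

if __name__ == "__main__":
    for label, kw in [("hourly", {}), ("per-second", {"step": 1}),
                      ("per-second + suppression", {"step": 1, "suppress": True})]:
        print(f"{label}: {len(evaluate(CURRENT, BASELINE, **kw))} alerts")
```

A single doubled hour yields one alert when evaluated hourly but several thousand when every one-second window overlapping the spike is compared against the hourly baseline, which matches the flood described in the post; suppressing repeats per hour index brings it back to a handful.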
