
correlated rule logic investigator

Question asked by Thomas Schaub on Oct 16, 2013
Latest reply on Nov 1, 2013 by RSA Admin

Hello All -


Looking for some insights on how correlated rules work in NextGen...  Specifically, I have a correlated rule configured (see Figure 1) which fired at 23:05 and again at 23:11 relative to the data in Figure 2 (or, alternately, Table 1).


Since the high levels of activity in both the first instance (i.e. 23:05 - 23:07) and the second instance (i.e. 23:11 - 23:34) persisted for several minutes, it's interesting that the rule fired only at the onset of the activity (i.e. I would have expected it to fire once for every minute the threshold was exceeded).  My guess is that the NextGen correlated rule logic is such that an alert will fire once until the condition no longer persists (in this case the number of sessions is less than 150 (which occurred at 23:08)).  Can anyone confirm this guess?  Any/all insights on correlated rule logic in NextGen are greatly appreciated.


Tnx in advance, Tom


Figure 1: the correlated rule configuration (image not preserved)


Figure 2: session counts over time (image not preserved; the same data is given in Table 1)


Table 1

Time   Sessions
23:04  78
23:05  243
23:06  403
23:07  329
23:08  0
23:09  0
23:10  0
23:11  203
23:12  414
23:13  413
23:14  410
23:15  413
...
23:34  342
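The two firing behaviours discussed in the question (the expected "every minute over threshold" and the guessed "once at onset, re-arm only after the count drops back under 150") can be replayed against the Table 1 counts. This is an added illustration, not RSA NextGen's code, and it does not claim to reproduce how the real engine evaluates rules; the 150-session threshold comes from the post, the sample rows are the ones printed in Table 1 (the elided 23:16-23:33 rows are left out), and both policies are hypothetical models for comparison.

```python
# Added illustration: replay two threshold-alert policies over the Table 1
# session counts. Not RSA NextGen code; the real engine's logic is unknown.

THRESHOLD = 150  # sessions per minute, the clearing value named in the post

# Rows of Table 1 as printed in the post (the elided 23:16-23:33 rows are omitted).
TABLE_1 = [
    ("23:04", 78), ("23:05", 243), ("23:06", 403), ("23:07", 329),
    ("23:08", 0), ("23:09", 0), ("23:10", 0), ("23:11", 203),
    ("23:12", 414), ("23:13", 413), ("23:14", 410), ("23:15", 413),
    ("23:34", 342),
]


def fire_every_minute(samples, threshold=THRESHOLD):
    """Level-triggered policy: alert on every minute at or above the threshold.

    This is the behaviour the post expected ('once for every minute the
    threshold was exceeded')."""
    return [t for t, n in samples if n >= threshold]


def fire_once_per_episode(samples, threshold=THRESHOLD):
    """Edge-triggered policy: alert when the count first reaches the threshold,
    then stay silent until a minute falls below it again (the behaviour the
    post guesses at). Returns [(fire_time, clear_time_or_None), ...]."""
    episodes = []
    armed = True      # True while the rule is ready to fire
    start = None      # minute the current episode fired at
    for t, n in samples:
        if n >= threshold and armed:
            armed = False           # fire once, then suppress
            start = t
        elif n < threshold and not armed:
            episodes.append((start, t))   # condition cleared at minute t
            armed = True                  # re-arm for the next onset
    if not armed:
        episodes.append((start, None))    # episode still open at end of data
    return episodes


if __name__ == "__main__":
    print("every minute:", fire_every_minute(TABLE_1))
    print("once per episode:", fire_once_per_episode(TABLE_1))
```

Against the listed rows the edge-triggered policy yields exactly the two firings seen in the post, at 23:05 (cleared 23:08) and 23:11 (still open at the end of the data), while the level-triggered policy would have alerted on every listed minute except 23:04 and 23:08-23:10.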
