
"Response Window", I Think I Know?

Ok, I have to admit that I don't know it all; a recent reading of Socrates has convinced me of my lack of knowledge. My question to you all is... what EXACTLY does response window do? I understand "correlation time", but "response window" is hard for me to grab. I have been unsuccessful at finding decent documentation describing it in terms that I can understand. I know that it must be greater than or equal to the correlation time most of the time... help anyone? Please...

  • FormerMember

    Response window is especially relevant for two things:

    1. Correlating MULTIPLE types of events with each other.
      1. Response window says "these events need to happen within this period of time of each other"
      2. or, in the case of a "not exists" rule, "if you haven't seen this event after waiting this period of time since the other event, something has happened"
    2. Making sure real-time events are only correlated with other real-time events
      1. Response window says "this event is 5 minutes old or 5 minutes in the future; this doesn't make sense, I don't want to raise alarm bells"

    Correlation time says: these multiple events (in this grouping, whether that's an inner grouping or the correlation in general) all need to happen X times in Y seconds.

    Response window says: ALL of the events in the ENTIRE correlation rule need to happen within Y minutes of real-time.
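
The two settings as described in the reply above, worked through in a small example (added here; not code from the product or from anyone in the thread). Event types, timestamps and the 5-minute response window are constructed values; `live_events` is the "only correlate real-time events" use, `count_in_window` is the correlation time, and `not_exists_rule` is the "haven't seen the follow-up" use.

```python
from datetime import datetime, timedelta

# Constructed sample event stream (timestamp, event type); not taken from the thread.
T0 = datetime(2024, 1, 1, 12, 0, 0)
EVENTS = [
    (T0 - timedelta(minutes=31), "failed_login"),   # stale: 31 minutes old at T0
    (T0, "failed_login"),
    (T0 + timedelta(seconds=10), "failed_login"),
    (T0 + timedelta(seconds=20), "failed_login"),
    (T0 + timedelta(seconds=30), "login_success"),  # never followed by mfa_verified
]
NOW = T0 + timedelta(minutes=1)     # "real time" when the rule is evaluated
LATER = T0 + timedelta(minutes=6)   # same rule evaluated five minutes later

def live_events(events, now, response_minutes):
    """Response window (use 2): keep only events within +/- response_minutes of real time,
    so a replayed, delayed or badly clocked event is not correlated with live ones."""
    window = timedelta(minutes=response_minutes)
    return [(t, kind) for t, kind in events if abs(now - t) <= window]

def count_in_window(events, kind, count, correlation_seconds):
    """Correlation time: `kind` must occur `count` times within some correlation_seconds span."""
    times = sorted(t for t, k in events if k == kind)
    span = timedelta(seconds=correlation_seconds)
    return any(times[i + count - 1] - times[i] <= span
               for i in range(len(times) - count + 1))

def threshold_rule(events, now, kind, count, correlation_seconds, response_minutes):
    """Full rule: apply the response window first, then the X-times-in-Y-seconds correlation."""
    return count_in_window(live_events(events, now, response_minutes),
                           kind, count, correlation_seconds)

def not_exists_rule(events, now, trigger, expected, response_minutes):
    """Response window (use 1b): fire once `trigger` has been seen and `expected` has NOT
    followed within response_minutes; until that deadline passes, keep waiting (no alert)."""
    window = timedelta(minutes=response_minutes)
    for t, k in events:
        if k != trigger or now < t + window:
            continue  # not a trigger event, or its deadline has not been reached yet
        if not any(k2 == expected and t <= t2 <= t + window for t2, k2 in events):
            return True
    return False

if __name__ == "__main__":
    # 3 failed logins in 60 s fires; 4 in an hour does not, because the stale event is dropped
    print(threshold_rule(EVENTS, NOW, "failed_login", 3, 60, 5))     # True
    print(threshold_rule(EVENTS, NOW, "failed_login", 4, 3600, 5))   # False
    print(not_exists_rule(EVENTS, NOW, "login_success", "mfa_verified", 5))    # False (still waiting)
    print(not_exists_rule(EVENTS, LATER, "login_success", "mfa_verified", 5))  # True
```

Note that `count_in_window(EVENTS, "failed_login", 4, 3600)` alone is true: without the response window the 31-minute-old event would be pulled into the correlation, which is exactly the case the reply says the window is meant to prevent.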

  • Now I know, and knowing is half the battle....