1 Reply Latest reply on Jan 27, 2016 2:43 PM by nicole pauls

    Brief duration event correlation

    ttl

      How would one go about creating a rule that alerts if a user account is created, then deleted before a certain amount of time has passed (e.g. 24 hours) ?

        • Re: Brief duration event correlation
          nicole pauls

          It would probably look like:

           

          NewDomainMember EXISTS

          AND DeleteDomainMember EXISTS

          AND NewDomainMember.DestinationAccount = DeleteDomainMember.DestinationAccount

          within time/response window 24 hours

           

          (The first two lines with the EXISTS are redundant to the third but help you see what's going on.)

           

          The downside of this is you expand your global response window to whatever that period is (24 hours), which means your appliance might hold onto more data longer in memory. To test it I'd set the time period short and see how it works.