Okay, so the option to embed YouTube is gone...that's a new feature?
At any rate, here's a video of me explaining a few methods to make a "fire once" rule:
Correlation Time is the purple box, and it has two values and a secret button.
The first value is "X events in Y [time frame]" and is used to tell the LEM "This rule should only fire if the correlation conditions (the blue box) returns TRUE X times in Y [time]." That way, you can have an alert that isn't just "a bad password" but "the third bad password in 5 minutes."
The second value is "Response time" which is to say, "If the events that made the blue box TRUE and met the condition of X times in Y [time] are more than Z [time frame] old, don't bother firing the rule." Say that you have an Agent installed on a laptop for a travelling user. It's collecting events and caching them because they're at Holiday Inn and not connected to your network and LEM. They struggle to type their password correctly after a six-martini dinner with a client, and get it wrong a few times. Days later, they get back on the network and LEM gets all the cached events. Because those events are more than Z [time frame] old, the LEM does not fire the related rules.
There is a little gear that lights up in the purple box anytime X is greater than 1, which allows you to specify things like "If the 3 bad passwords are all against the same account," or "If the TCP ports for those 10 events are all unique."
Hope that helps!
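The three purple-box settings described in the post, written out as an added example (not code from the post or from LEM itself): each constructed sample event carries its own timestamp and the time it was received, so the "X in Y", "response time Z" and gear-button ("same account" / "unique ports") behaviours can be run side by side.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not from the original post), as
# (event_time, received_time, account, src_port). Event and received
# times differ for the laptop events that were cached offline.
T0 = datetime(2024, 1, 1, 9, 0, 0)

def ev(e_min, r_min, account, port):
    return (T0 + timedelta(minutes=e_min), T0 + timedelta(minutes=r_min), account, port)

SAMPLE = [
    ev(0, 0, "alice", 50001),
    ev(1, 1, "alice", 50001),    # retry from the same source port
    ev(2, 2, "bob", 50003),
    ev(3, 3, "alice", 50004),    # alice's 3rd bad password in 5 min
    ev(4, 4, "alice", 50002),
    ev(10, 4330, "bob", 50005),  # bob's cached failures arrive ~3 days late
    ev(11, 4331, "bob", 50006),
    ev(12, 4332, "bob", 50007),
]

def correlate(events, x, window, response_time, same_account=False, unique_ports=False):
    """Fire when the blue-box condition has been TRUE x times within `window`.

    Events older than `response_time` when they arrive are skipped (the
    Holiday Inn laptop case). same_account keeps a separate window per
    account; unique_ports additionally requires x distinct ports. The window
    is cleared on firing, so the rule fires once per x matching events rather
    than on every later event. Returns [(fire_time, key)]."""
    windows = defaultdict(deque)
    fired = []
    for event_time, received_time, account, port in sorted(events, key=lambda e: e[1]):
        if received_time - event_time > response_time:
            continue  # stale cached event: don't bother firing
        key = account if same_account else None
        buf = windows[key]
        buf.append((event_time, port))
        while buf and event_time - buf[0][0] > window:
            buf.popleft()  # slide the Y window forward
        ports = {p for _, p in buf}
        if len(buf) >= x and (not unique_ports or len(ports) >= x):
            fired.append((event_time, key))
            buf.clear()
    return fired

if __name__ == "__main__":
    print(correlate(SAMPLE, 3, timedelta(minutes=5), timedelta(hours=1), same_account=True))
```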
Thanks, Curtis. Very helpful. Watched some of your other videos while I was there, too.