1 Reply Latest reply on Jan 14, 2013 9:06 PM by nicole pauls

    Create rule, correlation time trigger on less than number of events within time specified.

    dhenderson

      I am trying to figure out if this is possible; currently I do not believe it is.


      What I am trying to do is create a rule to produce an email alert action, or send an SNMP alert based on LEM receiving under a specified number of Events for a specified tool alias within a given time. From what I can see it appears that setting the correlation time number of events is only a greater than or equal to conditional statement set for the specified time.


      Is this correct, or am I missing something?

        • Re: Create rule, correlation time trigger on less than number of events within time specified.
          nicole pauls

          That's correct, correlations are real-time and based on hitting a threshold. We've considered adding more historical/behavioral thresholds as well and/or the ability to alert from a search which would accomplish the same goal, which we don't have right now.


          The best we could do is:

          Event A exists (even 2 of them)

          Event B does not exist

          within 5 minutes


          Fire trap/send email.


          That basically says if you see Event A (or a # of event As) but you don't see event B within 5 minutes of Event A, something is wrong and you should send an email. It's really the number of SAME alerts that's the problem with what you're trying to do, we don't have a way to distinguish them the way it's modeled.
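As an added illustration (not code from the thread or from LEM), here are the two checks side by side over a constructed event stream: the "Event A not followed by Event B within 5 minutes" workaround described in the answer, and the "fewer than N events for a tool alias in a window" rule the question asks for, which can only be decided once the window has closed. Event names, the tool alias "WebServer" and the timestamps are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events (not from the thread): (timestamp, tool alias, event name)
SAMPLE_EVENTS = [
    ("2013-01-14 09:00:00", "WebServer", "EventA"),
    ("2013-01-14 09:01:00", "WebServer", "EventB"),  # B arrives 1 min after A: fine
    ("2013-01-14 09:10:00", "WebServer", "EventA"),
    ("2013-01-14 09:14:00", "WebServer", "EventB"),  # B arrives 4 min after A: fine
    ("2013-01-14 09:18:00", "WebServer", "EventA"),  # no B within 5 min: alert
    ("2013-01-14 09:30:00", "WebServer", "EventB"),
]

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def parse(events):
    return sorted((parse_ts(t), alias, name) for t, alias, name in events)

def a_without_b(events, alias, a="EventA", b="EventB", window=timedelta(minutes=5)):
    """Workaround from the thread: fire when an Event A for `alias` is not
    followed by an Event B within `window`. Returns the unmatched A timestamps."""
    ev = parse(events)
    alerts = []
    for i, (ts, al, name) in enumerate(ev):
        if al != alias or name != a:
            continue
        matched = any(al2 == alias and n2 == b and ts < ts2 <= ts + window
                      for ts2, al2, n2 in ev[i + 1:])
        if not matched:
            alerts.append(ts)
    return alerts

def below_threshold(events, alias, minimum, start, end, window=timedelta(minutes=10)):
    """What the question asks for: tumbling windows over [start, end); report
    windows in which `alias` produced fewer than `minimum` events. Unlike a
    real-time threshold this is decided only after the window closes, so it
    runs as a scheduled check rather than on event arrival."""
    ev = parse(events)
    low = []
    t, stop = parse_ts(start), parse_ts(end)
    while t < stop:
        n = sum(1 for ts, al, _ in ev if al == alias and t <= ts < t + window)
        if n < minimum:
            low.append((t, n))
        t += window
    return low

if __name__ == "__main__":
    print(a_without_b(SAMPLE_EVENTS, "WebServer"))
    print(below_threshold(SAMPLE_EVENTS, "WebServer", 2, "2013-01-14 09:00:00", "2013-01-14 09:40:00"))
```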