2 Replies Latest reply on Mar 20, 2013 8:12 AM by martindl76

    "Response Window", I Think I Know?

    martindl76

      Ok, I have to admit that I don't know it all, a recent reading of Socarates has convinced me of my lack of knowledge. My question to you all is....what EXACTLY does response window do? I understand "correlation time" but "response window" is hard for me to grab. I have been unsuccessful at finding decent documentation on its description in terms that I can understand. I know that it must be greater than or equal to the correlation time most of the time.....help anyone? Please.....

        • Re: "Response Window", I Think I Know?
          nicole pauls

          Response window is especially relevant for two things:

          1. Correlating MULTIPLE types of events with each other.
            1. Response window says "these events need to happen within this period of time to each other"
            2. or in the case of a not exists rule, "if you haven't seen this event after waiting this period of time since the other event, something has happened"
          2. Making sure real-time events are only correlated with other real-time events
            1. Response window says "this event is 5 minutes old or 5 minutes in the future, this doesn't make sense, I don't want to raise alarm bells"

           

          Correlation time says: these multiple events (in this grouping, whether that's an inner grouping or the correlation in general) all need to happen X times in Y seconds.

           

          Response window says: ALL of the events in the ENTIRE correlation rule need to happen within Y minutes of real-time.

          2 of 2 people found this helpful