I have the same question/issue. The Correlation Time box needs better explanation. Alerts Within is very obvious. The Response Window, however, is what mystifies me. Re-Inference Time is rather vague and Google is not much help.
1 of 1 people found this helpful
Okay! Correlation box 101:
The "X events in Y" is easy: the LEM will wait for the correlation conditions to be "TRUE" X times in Y time frame before firing.
Response Window is "If the events are more than Z time from the present, then don't bother to take the actions." So, you have a network segment get disconnected. Workstations and servers on the far side are throwing errors because of this. It takes you 12 hours to get your ISP to fix things. The LEM agents on the far side of the break were logging events and caching them for 12 hours, and once the connection is restored, they start sending all of that information to the LEM. Maybe in those 12 hours you had a million events that would usually result in an e-mail, but because your response window is 5 or 10 minutes, the LEM doesn't DoS your Exchange server.
If the "X" events is greater than 1, you can get at the advanced correlation options with this gear:
This opens the Advanced Thresholds window:
Here you can set things like "I need 10 events, but the source IP needs to be the same on all 10 and the destination port needs to be different on all 10." You can also play with the "Re-Infer (TOT)" options. This is where we get into "Correlation Box 201."
TOT stands for "Time Over Threshold." Your threshold is the X events in Y seconds. So, say that you have a rule looking for pings, and will trigger if it gets 10 in 30 seconds. Some source starts pinging your network once a second.
Second 1: LEM sees 1 ping
Second 2: LEM sees 2 pings
Second 10: LEM sees 10 pings - RULE FIRES!
Second 11: LEM sees 11 pings
Second 12: LEM sees 12 pings
Second 30: LEM sees 30 pings
Second 31: LEM sees 31 pings
At no point do the pings let up, so we're "Over Threshold" and the rule doesn't re-fire. The Re-Infer (TOT) setting says, "If you're still over threshold X time later, FIRE THE RULE AGAIN!"
I hope that helps.
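The "X events in Y", Response Window and Re-Infer (TOT) behaviour described in the answer above, as an added toy simulation. This is not LEM's code; the class and function names are my own, and the ping flood it replays is constructed from the example in the post.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, List, Optional


@dataclass
class CorrelationRule:
    """Toy model of a correlation box: X events in Y seconds, plus Z and TOT."""
    count: int                                # "X events ..."
    window: float                             # "... in Y seconds"
    response_window: Optional[float] = None   # Z: drop events older than this on arrival
    reinfer: Optional[float] = None           # Re-Infer (TOT): re-fire every T s while over threshold
    fired_at: List[float] = field(default_factory=list)
    _times: Deque[float] = field(default_factory=deque, repr=False)
    _last_fire: Optional[float] = None

    def process(self, event_time: float, now: Optional[float] = None) -> bool:
        """Feed one matching event; return True if the rule fires on it.

        event_time is the event's own timestamp; now is when the LEM received it.
        They differ when an agent replays events it cached during an outage.
        """
        now = event_time if now is None else now
        # Response Window: a stale, replayed event is neither counted nor acted on.
        if self.response_window is not None and now - event_time > self.response_window:
            return False
        self._times.append(event_time)
        # Slide the Y-second window: forget events that fell out of it.
        while self._times and event_time - self._times[0] > self.window:
            self._times.popleft()
        if len(self._times) < self.count:
            self._last_fire = None            # back under threshold: re-arm
            return False
        # Over threshold: fire on the first crossing, then only when TOT says so.
        first = self._last_fire is None
        due = (not first and self.reinfer is not None
               and event_time - self._last_fire >= self.reinfer)
        if first or due:
            self._last_fire = event_time
            self.fired_at.append(event_time)
            return True
        return False


def ping_flood(seconds: int, reinfer: Optional[float] = None) -> List[float]:
    """Constructed input: one ping per second against a '10 in 30 seconds' rule."""
    rule = CorrelationRule(count=10, window=30, reinfer=reinfer)
    for t in range(1, seconds + 1):
        rule.process(float(t))
    return rule.fired_at           # e.g. [10.0] without TOT, [10.0, 40.0] with reinfer=30
```

With `reinfer=None` the rule fires once at second 10 and stays silent while the flood continues; with `reinfer=30` it fires again at second 40, and a replayed 12-hour-old event is dropped by a 10-minute Response Window before it can count toward anything.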
This is perfect! I wish it had been in the documentation. It makes perfect sense of a complex but necessary set of logic.