I designed a correlation rule on Sentinel. The correlation event's active
time is 30 seconds later than the source events. For example:
I sent 3 events to Sentinel to create one correlation event, and the
correlation event's time is 30 seconds later than the last event. How can I fix it?
Thanks!
The rule is:
filter((
    ((e.XDASTaxonomyName = "XDAS_AE_CREATE_SESSION") or
     (e.XDASTaxonomyName = "XDAS_AE_AUTHENTICATE_ACCOUNT"))
    and
    (((e.XDASOutcomeName = "XDAS_OUT_FAILURE") or
      (e.XDASOutcomeName = "XDAS_OUT_DENIAL")) or
     (e.XDASOutcomeName = "XDAS_OUT_INVALID_USER_CREDENTIALS"))
)) flow
trigger(3,100,discriminator(e.SourceIP))


--
whitesocks