
Thread: Clear queue correlation buffer after action is triggered

  1. #1
    Join Date
    Feb 2010
    Posts
    22

    Clear queue correlation buffer after action is triggered


    Hello,

    We are developing a custom action and we are facing the following
    problem:

    The correlation rule waits for two similar events within 2 minutes. When
    2 events occur in less than 2 minutes, the action is triggered. However, if
    a 3rd event occurs in less than 2 minutes after the second one, the
    action is triggered again. We need this not to happen.

    Is there a way to clear the correlation buffer after action is
    triggered?

    Thanks in advance


    --
    mmarchese
    ------------------------------------------------------------------------
    mmarchese's Profile: https://forums.netiq.com/member.php?userid=1311
    View this thread: https://forums.netiq.com/showthread.php?t=53742


  2. #2

    Re: Clear queue correlation buffer after action is triggered

    There is a setting on every Correlation Rule that lets you determine how
    long, after an event fires, the rule will wait until it fires again. It's
    under the right-hand panel where you can also set actions, as I recall, in
    7.3, and is part of the 'Action Execution Criteria'.

    --
    Good luck.

    If you find this post helpful and are logged into the web interface,
    show your appreciation and click on the star below...

  3. #3
    Join Date
    Sep 2008
    Posts
    20

    Re: Clear queue correlation buffer after action is triggered


    But in that case, does it evaluate the "group by" criteria? What if a rule
    groups by username and different users reach the correlation conditions
    before the waiting time is complete?

    I can give an example if you need.


    ab;258319 Wrote:
    > There is a setting on every Correlation Rule that lets you determine how
    > long, after an event fires, the rule will wait until it fires again. It's
    > under the right-hand panel where you can also set actions, as I recall, in
    > 7.3, and is part of the 'Action Execution Criteria'.
    >
    > --
    > Good luck.



    --
    cnrossi
    ------------------------------------------------------------------------
    cnrossi's Profile: https://forums.netiq.com/member.php?userid=937


  4. #4

    Re: Clear queue correlation buffer after action is triggered

    This came up somewhere recently, and I think the answer was 'yes', but I
    have not tested it lately myself.

    If not, using Alerting may be another way to have the same result, as an
    alert should group by fields that make sense (and you can customize them)
    and then multiple events could roll up into a single alert (assuming
    Sentinel 7.3 when the new Alerts were introduced).

    Another option may be to have an action from your rule insert the
    discriminated-upon data into a dynamic list, and then have your
    correlation rule logic test for that value in the dynamic list. If there,
    do not fire. Dynamic list values can have expirations, so after some
    period of time (an hour) they automatically go away.

    --
    Good luck.

  5. #5
    Join Date
    Feb 2010
    Posts
    22

    Re: Clear queue correlation buffer after action is triggered


    Hi ab,

    Which will be the best way to manage dynamic list items from inside a
    custom action? Is there any example?

    Thanks in advance

    ab;258323 Wrote:
    > This came up somewhere recently, and I think the answer was 'yes', but I
    > have not tested it lately myself.
    >
    > If not, using Alerting may be another way to have the same result, as an
    > alert should group by fields that make sense (and you can customize them)
    > and then multiple events could roll up into a single alert (assuming
    > Sentinel 7.3 when the new Alerts were introduced).
    >
    > Another option may be to have an action from your rule insert the
    > discriminated-upon data into a dynamic list, and then have your
    > correlation rule logic test for that value in the dynamic list. If there,
    > do not fire. Dynamic list values can have expirations, so after some
    > period of time (an hour) they automatically go away.
    >
    > --
    > Good luck.



    --
    mmarchese


  6. #6

    Re: Clear queue correlation buffer after action is triggered

    Some of the default, but maybe not deployed, correlation rules use Dynamic
    lists. Looking just now I found the Write to Map action, which may
    interest you:

    Documentation link:
    https://www.netiq.com/support/sentin...p_2011.1r2.pdf

    This should already be present within Sentinel, but you may need to tweak
    it for your own uses (I have not tried).

    --
    Good luck.

  7. #7
    Join Date
    Sep 2008
    Posts
    20

    Re: Clear queue correlation buffer after action is triggered


    Hi ab, we have tried your last suggestion (add processed events to a
    dynamic list and check at the correlation rule that eventId is not in that
    dynamic list) but it doesn't work if you trigger several events in a
    very short period of time. Maybe it is a race-condition problem. What we
    are doing right now is checking it at the correlation rule level and
    also at the beginning of the Action logic. The problem is that the
    correlation rule is triggered (and logged) but sometimes no action is
    taken. I guess it is a very simple use case like "notify me for each
    group of X events of that type" where the trigger is the count() inside
    a time frame.


    --
    cnrossi
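An added example, not from this thread and not Sentinel's own code: a small Python simulation of a count-in-window rule with a "group by" key, covering the repeated firing from post #1, the re-fire delay of the Action Execution Criteria from post #2, the per-key question from post #3, and the dynamic-list race reported in post #7. Sentinel's internals are not modelled; the class names, the batch model, the 120 s window and the sample events are all assumptions constructed for the illustration.

```python
# Constructed simulation (not Sentinel's own engine) of a count-in-window rule
# with a "group by" key: suppress = Action Execution Criteria re-fire delay,
# DynamicList = the expiring dynamic-list lookup from posts #4 and #7.
from collections import defaultdict, deque

WINDOW, THRESHOLD = 120, 2          # "2 similar events within 2 minutes"

class DynamicList:                  # expiring values; deferred=True: action's write lands after the batch
    def __init__(self, ttl, deferred=False):
        self.ttl, self.deferred, self.items, self.pending = ttl, deferred, {}, []
    def add(self, key, ts):
        self.pending.append((key, ts)) if self.deferred else self.items.update({key: ts + self.ttl})
    def flush(self):                 # apply writes the action made during the batch
        self.items.update({k: t + self.ttl for k, t in self.pending}); self.pending.clear()
    def contains(self, key, ts):     # present and not yet expired
        return self.items.get(key, -1) > ts

class CorrelationRule:
    def __init__(self, suppress=0, clear_on_fire=False, deny=None):
        self.suppress, self.clear_on_fire, self.deny = suppress, clear_on_fire, deny
        self.buffers, self.last_fired = defaultdict(deque), {}
    def feed(self, ts, key):         # True when this event makes the rule fire its action
        if self.deny is not None and self.deny.contains(key, ts):
            return False             # rule condition: key NOT in the dynamic list
        buf = self.buffers[key]
        while buf and ts - buf[0] > WINDOW:   # drop events that fell out of the window
            buf.popleft()
        buf.append(ts)
        if len(buf) < THRESHOLD: return False
        last = self.last_fired.get(key)
        if last is not None and ts - last < self.suppress:
            return False             # still inside the re-fire delay for this key
        self.last_fired[key] = ts
        if self.clear_on_fire: buf.clear()          # what the original post asked for
        if self.deny is not None: self.deny.add(key, ts)   # the action records the key
        return True

def fired(rule, batches):            # feed batches of (ts, key); return the events that fired
    out = []
    for batch in batches:
        out += [ev for ev in batch if rule.feed(*ev)]
        if rule.deny is not None: rule.deny.flush()
    return out

# Constructed sample: alice sends 3 events within 2 minutes, bob's pair is interleaved.
EVENTS = [[(0, "alice")], [(30, "bob")], [(60, "alice")], [(90, "alice")], [(100, "bob")], [(400, "alice")]]
def naive():   return fired(CorrelationRule(), EVENTS)                     # alice fires twice
def cleared(): return fired(CorrelationRule(clear_on_fire=True), EVENTS)   # once per key
def delayed(): return fired(CorrelationRule(suppress=120), EVENTS)         # same; bob is a separate key
def listed():  return fired(CorrelationRule(deny=DynamicList(3600)), EVENTS)
def racy():    # a burst handled in one batch before the action has written to the list (post #7)
    return fired(CorrelationRule(deny=DynamicList(3600, deferred=True)), [[(0, "alice"), (5, "alice"), (10, "alice")]])
```

With the list write deferred, every event in the burst passes the "not in list" check and the rule fires on each one, which is the double-firing cnrossi describes; the suppress delay is evaluated per group-by key, so a different user still fires.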

