Count occurrences of a particular event repeated over a short period of time.
This evolution is meant to make it easier to aggregate alerts.
Add an Integer field, counter, to the Alert class.
|Impacted Class|Proposed Field|Type|
|Alert|counter|Integer|
Meetings: Counting occurrences may be useful in two situations:
- To count events occurring repeatedly over a short period of time. This may require defining what a short period of time is. In this case the counter should be linked to the duration of the attack. The counter should also be placed near the original log.
- To count alerts in a correlation alert. This should be an attribute in a Correlation Alert.
YV: To be discussed.
VH: The counter is considered to be set when the alert is created, which avoids problems with the alerts being changed over time.
- Not pertinent -> CorrelationAlert.
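As an added illustration (not part of the original proposal or of the IDMEF specification), this is the first situation above: identical events seen within a short window collapse into one alert whose counter is fixed when the alert is created and whose start/end times tie the count to the duration of the activity. The field names, the constructed sample events and the 60-second window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, source, target, classification).
# The 10:05:00 event falls outside the window and must open a new alert.
EVENTS = [
    ("2024-01-01T10:00:00", "198.51.100.7", "203.0.113.5", "SSH login failure"),
    ("2024-01-01T10:00:02", "198.51.100.7", "203.0.113.5", "SSH login failure"),
    ("2024-01-01T10:00:05", "198.51.100.7", "203.0.113.5", "SSH login failure"),
    ("2024-01-01T10:00:09", "198.51.100.9", "203.0.113.5", "Port scan"),
    ("2024-01-01T10:05:00", "198.51.100.7", "203.0.113.5", "SSH login failure"),
]


def aggregate_alerts(events, window=timedelta(seconds=60)):
    """Collapse identical events within `window` of the first one into a single alert.

    Each alert carries `counter` (number of raw events it stands for) plus
    start/end times, so the count is tied to the duration of the observed
    activity. Once the window closes, the alert is never modified again.
    Events are assumed to arrive in time order.
    """
    alerts = []
    open_alerts = {}  # (source, target, classification) -> index of its open alert
    for ts_str, src, dst, classification in events:
        ts = datetime.fromisoformat(ts_str)
        key = (src, dst, classification)
        idx = open_alerts.get(key)
        if idx is not None and ts - alerts[idx]["start_time"] <= window:
            # Same activity still inside the window: bump the counter, extend the end.
            alerts[idx]["counter"] += 1
            alerts[idx]["end_time"] = ts
            continue
        # Either a new kind of event or the previous window has expired.
        alerts.append({
            "classification": classification,
            "source": src,
            "target": dst,
            "start_time": ts,
            "end_time": ts,
            "counter": 1,
        })
        open_alerts[key] = len(alerts) - 1
    return alerts


if __name__ == "__main__":
    for alert in aggregate_alerts(EVENTS):
        span = (alert["end_time"] - alert["start_time"]).total_seconds()
        print(f'{alert["classification"]}: counter={alert["counter"]}, duration={span:.0f}s')
```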