Counters
Aim:
Count occurrences of a particular event repeated over a short period of time.
This evolution is meant to make aggregating alerts easier.
Solution 1:
Add an Integer field `counter` to the Alert class.

Impacted Class | Proposed Field | Type
---|---|---
Alert | counter | Integer
Pros
Cons
Meetings:
30/10/2015 Meeting: Counting occurrences may be useful in two situations:
- To count events occurring repeatedly over a short period of time. This may need to define what a short period of time is. In this case the counter should be linked to the duration of the attack. The counter should also be placed near the original log.
- To count alerts in a correlation alert. This should be an attribute in a Correlation Alert.
YV: To be discussed.
VH: The counter is considered to be set when the alert is created, which avoids problems with alerts being changed over time.
Comment HD/YV:
- Not relevant -> CorrelationAlert.
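The following is an added example, written for this page and not code from any IDMEF implementation or from the people quoted above. It sketches both situations raised in the 30/10/2015 meeting: repeated identical events are collapsed into one Alert whose `counter` is fixed at creation time and tied to the span between the first and last occurrence (Solution 1 plus the VH remark), and a CorrelationAlert counts the alerts it references. The class names and fields (`Alert.counter`, `first_seen`, `last_seen`, `alertident`), the time-window rule and the sample events are all assumptions made here for illustration.

```python
"""Toy counter aggregation in the spirit of the IDMEF Alert / CorrelationAlert
proposal. Added example: field names, window rule and sample data are
assumptions, not the page's or any IDMEF library's definitions."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

Key = Tuple[str, str, str]  # (source, target, classification)

# Constructed sample events (not from the page): timestamp, source, target,
# classification text. Five SSH failures from one host within 4 s, one from
# another host, and a late retry 90 s after the first.
T0 = datetime(2015, 10, 30, 9, 0, 0)
SAMPLE_EVENTS = [
    (T0 + timedelta(seconds=s), "10.0.0.5", "10.0.0.1", "SSH login failure")
    for s in (0, 1, 2, 3, 4)
] + [
    (T0 + timedelta(seconds=2), "10.0.0.7", "10.0.0.1", "SSH login failure"),
    (T0 + timedelta(seconds=90), "10.0.0.5", "10.0.0.1", "SSH login failure"),
]


@dataclass(frozen=True)
class Alert:
    """Minimal stand-in for an IDMEF Alert carrying the proposed counter."""
    ident: str
    source: str
    target: str
    classification: str
    counter: int            # proposed Alert.counter, fixed when the Alert is created
    first_seen: datetime    # time of the original (first) log entry
    last_seen: datetime     # time of the last counted occurrence

    @property
    def duration(self) -> timedelta:
        """Span of the counted occurrences; the counter is read together with it."""
        return self.last_seen - self.first_seen


@dataclass(frozen=True)
class CorrelationAlert:
    """Stand-in for a CorrelationAlert: references alerts by ident and counts them."""
    name: str
    alertident: Tuple[str, ...]
    counter: int


def aggregate(events, window: timedelta) -> List[Alert]:
    """Collapse repeated identical events into one Alert per time window.

    Events sharing (source, target, classification) are counted into one Alert
    as long as they fall within `window` of the first event of that group; a
    later event closes the group and opens a new one. The counter is computed
    once, when the frozen Alert is built, so it cannot drift afterwards.
    """
    open_groups: Dict[Key, List[datetime]] = {}
    alerts: List[Alert] = []

    def close(key: Key) -> None:
        times = open_groups.pop(key)
        src, dst, cls = key
        alerts.append(Alert(
            ident=f"alert-{len(alerts) + 1}", source=src, target=dst,
            classification=cls, counter=len(times),
            first_seen=times[0], last_seen=times[-1],
        ))

    for ts, src, dst, cls in sorted(events, key=lambda e: e[0]):
        key = (src, dst, cls)
        if key in open_groups and ts - open_groups[key][0] > window:
            close(key)                   # window elapsed: emit and start over
        open_groups.setdefault(key, []).append(ts)

    for key in list(open_groups):        # flush groups still open at end of input
        close(key)
    return alerts


def correlate(alerts: List[Alert], name: str) -> CorrelationAlert:
    """Second meeting situation: count the alerts grouped by a CorrelationAlert."""
    idents = tuple(a.ident for a in alerts)
    return CorrelationAlert(name=name, alertident=idents, counter=len(idents))


if __name__ == "__main__":
    grouped = aggregate(SAMPLE_EVENTS, timedelta(seconds=60))
    for a in grouped:
        print(a.ident, a.source, "->", a.target, "x", a.counter, "over", a.duration)
    print(correlate(grouped, "SSH brute force attempts"))
```

With the constructed input and a 60 s window this yields three Alerts: one with `counter == 5` spanning 4 s for 10.0.0.5, one with `counter == 1` for 10.0.0.7, and a separate `counter == 1` Alert for the retry at 90 s, which falls outside the window and therefore must not be folded into the first. The CorrelationAlert over those three carries `counter == 3`.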