The Count Context finds recurring patterns in traffic by counting how many times certain Situations occur within the defined period. Action can then be taken if the threshold values you set are exceeded.
For more details about the product and how to configure features, click Help or press F1.
Steps
-
Browse to the Situations you want to count in the left pane and drag and drop them to the
Correlated Situations field.
Note: In custom Correlation Situations, logging might be automatically enabled for the correlated Situations even if the correlated Situations do not normally have logging enabled. If the Situations produce a large amount of log data and correlation is done on the Log Server, the increased amount of log data might overload the network or the Log Server even if no correlation matches occur.
-
Enter the
Time Window Size in seconds. All events must occur during this length of time for the Correlation Situation to match.
-
Enter the
Alarm Threshold number. This is the number of times that the event must occur for the Correlation Situation to match.
-
Select a
Log Fields Enabled option.
-
Double-click the
Event Binding field and select the Event Binding that is used by the matching option you selected in the previous step.
-
(Optional) Select the Usage Context to define where correlation is done.
Note: If you select a Usage Context that does not include the Log Server, events only match if they are all detected by the same NGFW Engine or NGFW Engine Cluster.