I am troubleshooting a Join Rule condition that joins a Correlation event with a base event based on a condition, and the rule would not fire. I just wanted to confirm my assumption. If anyone has any thoughts, please advise.
One of the event sources for the rule to fire is batched up and arrives at the Manager with a time lag. Say the Manager Receipt Time is 15 minutes after the Event End Time. I am having difficulty aggregating this event source with another base event which is near real time (within a minute of the MRT of the lagging event).
So, my assumption is that the rule did not fire because the Aggregation is based on the End Time timestamp of the events, and given there is a 15 min lag between the 2 events in their End Time, it did not satisfy the 1 Match in 1 Minute Aggregation.
When you do a join rule you have to provide a match timeframe, so your timeframe would need to take this into consideration. I try to avoid join rules if at all possible; they use a lot of resources, especially as you increase the timeframe.
Have you considered using two rules and an active list? Have your first condition rule fire on a match and then add an entry to an active list based on something, for example sourceAddress. Have your second rule check to see if the IP is in the active list and also matches the conditions that you would have had in the second part of your join rule; if both conditions are true, then fire your second rule. Provide a reasonable timeframe for your active list expiration and you should be good. I would use a lightweight rule for your first rule as well.
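To make the two approaches concrete, here is an added simulation (not ArcSight code, and not from either poster) of the situation in the thread: a batched event whose End Time is 15 minutes before its Manager Receipt Time, and a near-real-time event that arrives a minute later. It assumes, as the question does, that a join rule's match window is measured on End Time, while the active-list approach keys on sourceAddress and expires entries in receipt order; the event names and addresses are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Event:
    name: str               # which rule condition the event satisfies
    source_address: str     # attribute used to correlate (sourceAddress)
    end_time: datetime      # Event End Time (when it actually happened)
    receipt_time: datetime  # Manager Receipt Time (when the Manager saw it)

def join_rule(events, first, second, window):
    """Join rule: pair a `first` and a `second` event on sourceAddress when
    their End Times fall within `window` (the join's match timeframe)."""
    firsts = [e for e in events if e.name == first]
    seconds = [e for e in events if e.name == second]
    return [(a, b) for a in firsts for b in seconds
            if a.source_address == b.source_address
            and abs(a.end_time - b.end_time) <= window]

def two_rule_active_list(events, first, second, ttl):
    """Two rules plus an active list keyed by sourceAddress. Rule 1 adds an
    entry when `first` arrives; the entry expires `ttl` after it was added,
    measured on receipt time. Rule 2 fires when `second` arrives while the
    address is still listed. Events are processed in the order the Manager
    received them, which is what matters for a lagging source."""
    active = {}  # sourceAddress -> expiry time
    fired = []
    for e in sorted(events, key=lambda ev: ev.receipt_time):
        for addr in [k for k, exp in active.items() if exp <= e.receipt_time]:
            del active[addr]  # expired entries drop out before evaluation
        if e.name == first:
            active[e.source_address] = e.receipt_time + ttl
        elif e.name == second and e.source_address in active:
            fired.append(e)
    return fired

# Constructed sample: the batched source's event ended at T0 but reached the
# Manager 15 minutes later; the real-time event arrived a minute after that.
T0 = datetime(2024, 1, 1, 12, 0, 0)
SAMPLE = [
    Event("batched_auth", "10.0.0.5", T0, T0 + timedelta(minutes=15)),
    Event("realtime_alert", "10.0.0.5",
          T0 + timedelta(minutes=16), T0 + timedelta(minutes=16)),
]

if __name__ == "__main__":
    one_min, twenty_min = timedelta(minutes=1), timedelta(minutes=20)
    print("join, 1 min window :", join_rule(SAMPLE, "batched_auth", "realtime_alert", one_min))
    print("join, 20 min window:", len(join_rule(SAMPLE, "batched_auth", "realtime_alert", twenty_min)))
    print("active list, 5 min TTL:", len(two_rule_active_list(SAMPLE, "batched_auth", "realtime_alert", timedelta(minutes=5))))
```

With a 1-minute join window the End Times are 16 minutes apart and nothing matches; widening the window to cover the lag, or using the active list with an expiration that outlasts the lag, produces the correlation.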