Configuring Accumulate matches
You can configure the option in the Severity & Action tab of the Custom policy wizard to accumulate matches before creating an incident.
Steps
- To count matches, select one of the following:
  - transactions: Count incident transactions as they accumulate for a given source, even though each incident can have multiple triggers.
  - unique matches: Count unique matches, so that only the violation triggers that are unique for a source are counted as they accumulate. If, for example, there is a rule that does not permit 10 different credit card numbers to be sent within 1 hour:
    - If a user sends 1 message with 20 credit card numbers, 1 violation trigger is counted.
    - If the user sends 20 email messages with the same credit card number, no triggers are counted, because the numbers were not unique.
    Note that case differences are counted separately in word-related classifiers. For example, word, Word, and WORD are three distinct matches.
  - all matches: Count all matches (default) that accumulate for a source, even duplicate matches. In the example above, even if the user sent 20 messages with the same credit card number, 20 triggers are counted.
Matches and transactions are counted individually for each source, such as user name or IP address, and they are counted only on the policy engine that detects them. Incidents are generated only when the threshold is met on a single policy engine.
- Select a time period for accumulating matches. The time period is a sliding window. It resets every time a match is detected.
- Use the The rate of matches should decline... field to specify how long the system should continue counting matches once the rate begins to decline.
  As long as the system continues to detect the configured number of matches over the configured period, it continues to accumulate the matches in the same incident.
- Use the At least field to define the threshold for triggering an incident. For example, trigger an incident when there are at least 3 matches (3 or more).
  If the threshold is not met, the match count is 0.
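The following Python model is an added illustration of the three counting options, the per-source sliding window and the At least threshold described in the steps above. It is not the product's code; it is an assumed simplification that counts matched values per source (transactions, unique values, or all values), slides the window to end at the most recent match, and reports a count of 0 while the threshold is not met. The credit-card scenario uses constructed CARD-nn placeholders rather than real numbers, and the numbers it returns are the raw accumulated counts in each mode, not the violation-trigger counts the page quotes, because the rule's own 10-numbers-in-1-hour condition is not modelled.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Optional, Tuple

# Counting options as named on the Severity & Action tab.
TRANSACTIONS = "transactions"
UNIQUE_MATCHES = "unique matches"
ALL_MATCHES = "all matches"


@dataclass
class MatchAccumulator:
    """Assumed model of per-source match accumulation (not the product's implementation).

    mode:      which of the three counting options is selected
    window:    accumulation period in seconds; the window always ends at the
               most recent match for that source (it resets on every match)
    threshold: the 'At least' value; an incident fires at threshold or more
    """
    mode: str = ALL_MATCHES
    window: float = 3600.0
    threshold: int = 3
    # source -> entries of (timestamp, matched value), value is None for transaction counting
    _entries: Dict[str, Deque[Tuple[float, Optional[str]]]] = field(default_factory=dict)

    def record(self, ts: float, source: str, matches: List[str]) -> bool:
        """Record one transaction (e.g. one email) for a source and return whether the
        accumulated count now meets the 'At least' threshold."""
        if not matches:
            return False
        dq = self._entries.setdefault(source, deque())
        # Slide the window first: this match restarts the period, so anything
        # older than `window` seconds before it drops out of the count.
        while dq and ts - dq[0][0] > self.window:
            dq.popleft()
        if self.mode == TRANSACTIONS:
            dq.append((ts, None))            # one count per transaction, however many matches
        elif self.mode == ALL_MATCHES:
            for m in matches:                # every match counts, duplicates included
                dq.append((ts, m))
        elif self.mode == UNIQUE_MATCHES:
            seen = {v for _, v in dq}        # exact-string comparison: 'word' != 'Word' != 'WORD'
            for m in matches:
                if m not in seen:
                    dq.append((ts, m))
                    seen.add(m)
        else:
            raise ValueError(f"unknown counting mode: {self.mode!r}")
        return len(dq) >= self.threshold

    def count(self, source: str) -> int:
        """Matches currently accumulated for a source; 0 while the threshold is not met."""
        n = len(self._entries.get(source, ()))
        return n if n >= self.threshold else 0


def credit_card_example(mode: str) -> Tuple[int, int]:
    """Run the page's two scenarios in one mode with constructed placeholder values.

    Returns (count after 1 message carrying 20 different numbers,
             count after 20 messages carrying the same number).
    Threshold is 1 so the raw accumulated count is visible.
    """
    one_msg = MatchAccumulator(mode=mode, window=3600, threshold=1)
    one_msg.record(0, "alice", [f"CARD-{i:02d}" for i in range(20)])   # constructed tokens

    same_num = MatchAccumulator(mode=mode, window=3600, threshold=1)
    for i in range(20):                                                  # one message per minute
        same_num.record(i * 60, "bob", ["CARD-00"])

    return one_msg.count("alice"), same_num.count("bob")


if __name__ == "__main__":
    for mode in (TRANSACTIONS, UNIQUE_MATCHES, ALL_MATCHES):
        one, same = credit_card_example(mode)
        print(f"{mode:15s}: 1 msg / 20 numbers -> {one:2d}   20 msgs / same number -> {same:2d}")
```

Running it shows why the option matters: transactions gives 1 and 20, all matches gives 20 and 20, and unique matches gives 20 and 1, because the repeated number is counted only once within the window. Because each source has its own window and count, a match from a different user or IP address never contributes to another source's incident.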