Table 4-3 Event Property Tests (continued)

Test: Credibility
Description: Valid when the event credibility is greater than, less than, or equal to the configured value. The default is 5.
Default Test Name: when the event credibility is greater than 5 {default}
Parameters: Configure the following parameters:
  • greater than - Specify whether the credibility is greater than, less than, or equal to the configured value.
  • this value - Specify the index, which is a value from 0 to 10.

Test: Relevance
Description: Valid when the event relevance is greater than, less than, or equal to the configured value. The default is 5.
Default Test Name: when the event relevance is greater than 5 {default}
Parameters: Configure the following parameters:
  • greater than - Specify whether the relevance is greater than, less than, or equal to the configured value.
  • this value - Specify the index, which is a value from 0 to 10.

Test: Source Location
Description: Valid when the source IP address of the event is either local or remote.
Default Test Name: when the source is local or remote {default: remote}
Parameters: local or remote - Specify either local or remote traffic.

Test: Destination Location
Description: Valid when the destination IP address of the event is either local or remote.
Default Test Name: when the destination is local or remote {default: remote}
Parameters: local or remote - Specify either local or remote traffic.

Test: Geographic
Description: Valid when the source of this event is located in the configured geographic region.
Default Test Name: when the attacker is located in this geographic location
Parameters: this geographic location - Specify the geographic regions you wish this test to consider.

Test: Rate Analysis
Description: STRM Log Management monitors event rates of all source IP addresses/QIDs and destination IP addresses/QIDs and marks events that exhibit abnormal rate behavior. Valid when the event has been marked for rate analysis.
Default Test Name: when the event has been marked with rate analysis

STRM Log Management Users Guide
Creating a Rule
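As an added illustration, not code from the STRM guide, the following Python models how the Table 4-3 tests combine into a rule and how each test's parameters select its behaviour. The LOCAL_NETS ranges, the Event fields and the sample events are constructed assumptions; in STRM the local/remote classification comes from its own network configuration.

```python
import ipaddress
import operator
from dataclasses import dataclass

# Assumed local address space, standing in for the network configuration STRM
# uses to classify addresses as local or remote (constructed for this example).
LOCAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
# Comparison selected by the "greater than" parameter of the credibility/relevance tests
OPS = {"greater than": operator.gt, "less than": operator.lt, "equal to": operator.eq}

@dataclass
class Event:
    source_ip: str
    dest_ip: str
    credibility: int             # index 0 to 10
    relevance: int               # index 0 to 10
    rate_analysis: bool = False  # True once rate analysis has marked the event

def is_local(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)

# One function per row of Table 4-3; parameters default to the table's defaults.
def index_test(ev, prop, op="greater than", value=5):
    """Credibility and relevance tests: compare the event's index with 'this value'."""
    if not 0 <= value <= 10:
        raise ValueError("this value must be an index from 0 to 10")
    return OPS[op](getattr(ev, prop), value)

def source_location_test(ev, location="remote"):
    return is_local(ev.source_ip) == (location == "local")
def destination_location_test(ev, location="remote"):
    return is_local(ev.dest_ip) == (location == "local")
def rate_analysis_test(ev):
    return ev.rate_analysis

def evaluate_rule(ev, tests):
    """A rule is satisfied only when every configured test is valid for the event."""
    return all(test(ev) for test in tests)
# Constructed sample events and a rule built from the table's tests: "when the event
# credibility is greater than 5 and the source is remote and the destination is local
# and the event has been marked with rate analysis"
EVENTS = [Event("203.0.113.9", "10.1.1.5", 8, 6, True),
          Event("10.2.3.4", "10.1.1.5", 9, 9, True),        # source is local
          Event("198.51.100.7", "10.1.1.6", 3, 2, True),    # credibility too low
          Event("198.51.100.8", "172.16.0.1", 8, 8, True)]  # destination is remote
RULE = [lambda e: index_test(e, "credibility"), lambda e: source_location_test(e, "remote"),
        lambda e: destination_location_test(e, "local"), rate_analysis_test]

def matching_sources(events=EVENTS, rule=RULE):
    return [e.source_ip for e in events if evaluate_rule(e, rule)]
```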