Tuning incident parameters
Incident parameters define how Symantec Network Security handles incidents
and events over time.
Note: SuperUsers can configure incident parameters for a cluster or single node.
See "User groups reference" on page 319 for more about permissions.
This section describes the following incident parameters:
■ Setting Incident Idle Time
■ Setting Maximum Incidents
■ Setting Maximum Active Incident Life
■ Setting Incident Unique IP Limit
■ Setting Event Correlation 'Name' Weight
■ Event Correlation 'Source IP' Weight
■ Event Correlation 'Destination IP' Weight
■ Event Correlation 'Source Port' Weight
■ Event Correlation 'Destination Port' Weight
Setting Incident Idle Time
An incident is considered idle when no new events have been added to it for a
given amount of time. Once that period has elapsed, the incident is retired: it
is closed, Symantec Network Security no longer actively monitors it, and new
events are no longer correlated into it. SuperUsers and Administrators set this
period by editing the Incident Idle Time parameter. The default value is
10 minutes.
Incident Idle Time refines the correlation process by determining how long an
inactive incident may remain idle before it is retired. Decreasing the value
retires incidents sooner and reduces the chance that related attacks are
correlated into the same incident. Increasing the value keeps incidents open
longer and increases the chance that related attacks are correlated together,
but because more incidents remain active at once, it also affects correlation
performance.
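The effect of the idle time on correlation can be seen with a small simulation. The following is an added example written for this page; it is not code from Symantec Network Security or its documentation. It assumes a simplified correlator that keys incidents on source IP only (the product's weighted name/IP/port correlation described by the later parameters is not modelled) and runs it over a constructed burst of events with a 12-minute lull in the middle, so that the same event stream yields one, two or four incidents depending on the idle time chosen.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample events (not captured from any sensor): one source
# probing one target, with a 12-minute gap between the third and fourth event.
SAMPLE_EVENTS = [
    ("2024-05-01 10:00:00", "203.0.113.7", "198.51.100.20", "HTTP_DIR_TRAVERSAL"),
    ("2024-05-01 10:03:00", "203.0.113.7", "198.51.100.20", "HTTP_SQL_INJECTION"),
    ("2024-05-01 10:06:00", "203.0.113.7", "198.51.100.20", "HTTP_CMD_EXEC"),
    ("2024-05-01 10:18:00", "203.0.113.7", "198.51.100.20", "HTTP_DIR_TRAVERSAL"),
    ("2024-05-01 10:20:00", "203.0.113.7", "198.51.100.20", "HTTP_SQL_INJECTION"),
]


@dataclass
class Incident:
    key: str                  # correlation key (here: source IP, an assumption)
    opened: datetime
    last_event: datetime
    events: list = field(default_factory=list)
    retired: bool = False


def parse_events(rows):
    """Turn (timestamp, src, dst, name) string rows into typed tuples."""
    return [
        (datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), src, dst, name)
        for ts, src, dst, name in rows
    ]


def correlate(rows, idle_minutes):
    """Hypothetical correlator: group events into incidents by source IP and
    retire an incident once no event has been added to it for more than
    idle_minutes. A retired incident never receives events again; a later
    event from the same source opens a fresh incident. Returns every incident
    created, active and retired, in order of creation."""
    idle = timedelta(minutes=idle_minutes)
    active = {}        # key -> Incident that is still accepting events
    incidents = []
    for ts, src, dst, name in sorted(parse_events(rows)):
        # Retire any active incident whose idle time has elapsed by this event.
        for key, inc in list(active.items()):
            if ts - inc.last_event > idle:
                inc.retired = True
                del active[key]
        inc = active.get(src)
        if inc is None:
            inc = Incident(key=src, opened=ts, last_event=ts)
            active[src] = inc
            incidents.append(inc)
        inc.events.append((ts, src, dst, name))
        inc.last_event = ts
    return incidents


def incident_sizes(rows, idle_minutes):
    """Number of events landing in each incident for a given idle time."""
    return [len(inc.events) for inc in correlate(rows, idle_minutes)]


if __name__ == "__main__":
    for minutes in (2, 10, 15):
        print(f"idle time {minutes:>2} min -> incidents of size",
              incident_sizes(SAMPLE_EVENTS, minutes))
```

With the default of 10 minutes the 12-minute lull splits the activity into two incidents; raising the idle time to 15 minutes correlates all five events into one incident, while lowering it to 2 minutes fragments the same burst into four, which is the trade-off the parameter description above is making.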
To edit the incident idle time parameter
1 In the Network Security console, click Configuration > Node > Network
Security Parameters.