Symantec 10521146 Administration Guide - Page 213
Tuning incident parameters, Setting Incident Idle Time
UPC - 037648268134
Tuning incident parameters

Incident parameters define how Symantec Network Security handles incidents and events over time.

Note: SuperUsers can configure incident parameters for a cluster or single node. See "User groups reference" on page 319 for more about permissions.

This section describes the following incident parameters:

■ Setting Incident Idle Time
■ Setting Maximum Incidents
■ Setting Maximum Active Incident Life
■ Setting Incident Unique IP Limit
■ Setting Event Correlation 'Name' Weight
■ Event Correlation 'Source IP' Weight
■ Event Correlation 'Destination IP' Weight
■ Event Correlation 'Source Port' Weight
■ Event Correlation 'Destination Port' Weight

Setting Incident Idle Time

Incidents are considered idle and are closed when no new events have been added for a given amount of time. SuperUsers and Administrators can define the period of time that an incident remains idle before Symantec Network Security discontinues monitoring it, by editing the incident idle time parameter. By default, the value for this parameter is set to 10 minutes.

Incident Idle Time refines the correlation process by determining how long an inactive incident remains idle before it is retired. An incident that remains unchanged past the idle time is retired, no longer actively monitored, and events are no longer correlated into it. The default value is 10 minutes. Decreasing this value shortens the idle time for each incident, and reduces the chance that attacks will be correlated together. Increasing this value increases the chance that attacks will be correlated together, which impacts correlation performance.

To edit the incident idle time parameter

1 In the Network Security console, click Configuration > Node > Network Security Parameters.
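The effect of Incident Idle Time described above can be seen in a simplified model, added here as an example; it is not Symantec Network Security's code or its correlation algorithm. It assumes events correlate on source IP alone (the product's weighted correlation is not modeled), and the event names, addresses and timestamps are constructed sample data.

```python
from dataclasses import dataclass, field

DEFAULT_IDLE_MINUTES = 10  # default value stated in the guide


@dataclass
class Incident:
    source_ip: str
    last_event: int                      # minute of the most recent event
    events: list = field(default_factory=list)


def correlate(events, idle_minutes=DEFAULT_IDLE_MINUTES):
    """Group (minute, source_ip, name) events into incidents.

    An incident that receives no new event for longer than idle_minutes is
    retired; later events from the same source open a new incident.
    Assumption: source IP is the only correlation key.
    """
    active, retired = {}, []
    for minute, source_ip, name in sorted(events):
        # Retire every active incident that has been idle past the limit.
        for key in [k for k, inc in active.items()
                    if minute - inc.last_event > idle_minutes]:
            retired.append(active.pop(key))
        incident = active.get(source_ip)
        if incident is None:
            incident = active[source_ip] = Incident(source_ip, minute)
        incident.events.append(name)
        incident.last_event = minute
    return retired + list(active.values())


# Constructed sample events: (minute, source IP, event name).
SAMPLE_EVENTS = [
    (0, "192.0.2.5", "port-scan"),
    (3, "192.0.2.9", "port-scan"),
    (4, "192.0.2.5", "ssh-login-failure"),
    (9, "192.0.2.9", "port-scan"),
    (12, "192.0.2.5", "ssh-login-failure"),
    (30, "192.0.2.5", "port-scan"),
]

if __name__ == "__main__":
    for idle in (5, DEFAULT_IDLE_MINUTES, 20):
        incidents = correlate(SAMPLE_EVENTS, idle)
        print(f"idle time {idle:>2} min -> {len(incidents)} incidents")
```

With the same six events, a shorter idle time splits the activity into more, smaller incidents, while a longer one keeps more incidents open and merges activity that is further apart in time.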