- Blue, 1500 points or more
I've been doing some testing, trying to develop a detailed understanding of how rules work in CSMARS. I'm getting inconsistent results. Let's assume I have the ability to create the EXACT same event 5 times in CSMARS at 10 second intervals. The only difference in the events is when they are received by CSMARS. The inspection rule is quite simple; look for this event type, count = 1 and time range = 5 minutes.
The events in CSMARS are always part of the same session. However, sometimes I get just 1 incident that fires right way. Other times I get 2 incidents, one that fires right away and another that fires after the 5 minute time range has elapsed. When there are 2 incidents, the time range for each incident is always from a subset of the events in the session. So for example, the first incident's time range might have a time range from the first 3 events and the second incident would have a time range from the last 2 events.
The end result though is that I have a single session that triggered the same rule twice. How is this possible?