Hi,
does anybody have a correlation with the accumulator field above working? I have a correlation for this field, but this correlation doesn't work since I updated to 9.5.2.
Sounds pretty specific. If you want to provide more data, someone could try and replicate the situation or you might need to open a ticket.
Hi, thank you for your reply. I want to find data exfiltration with our proxy in this case.
We receive logs from our proxies with a field like Bytes from Client, and we have a correlation on it like:
Normalisation in (connection/session)
Method in (POST,PUT)
Bytes_from_Client (more than value X)
The correlation works with a fake log with one value over X, but not with more than one fake log with a sum over X. Can anyone rebuild this correlation for me?
Thx for the help.
The correlation works with a fake log with one value over X, but not with more than one fake log with a sum over X. Can anyone rebuild this correlation for me?
Sorry, not sure what you mean by this. It works with one log but not another? Is there a difference between them?
Sure, there is a difference. The first log has the value of 50MB and the other example has 5*10MB per log.
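The difference discussed in this thread, as an added example that is not part of the original posts and is not ESM rule syntax: a per-event threshold catches the single 50 MB upload but misses the 5 x 10 MB case, while a rule that accumulates Bytes_from_Client per source over a time window catches both. The threshold X (40 MB), the 10-minute window, the source addresses and the event field names are assumptions made for illustration.

```python
from collections import defaultdict, deque

MB = 1024 * 1024
X = 40 * MB                  # assumed threshold; the thread only calls it "X"
WINDOW = 600                 # assumed accumulation window in seconds
UPLOAD = {"POST", "PUT"}     # Method in (POST, PUT), as in the rule above

def per_event_hits(events, x=X):
    """Sources with a single upload whose Bytes_from_Client exceeds x."""
    return {e["src"] for e in events
            if e["method"] in UPLOAD and e["bytes_from_client"] > x}

def accumulated_hits(events, x=X, window=WINDOW):
    """Sources whose upload bytes summed over a sliding window exceed x."""
    recent = defaultdict(deque)          # src -> (ts, bytes) still in window
    total = defaultdict(int)             # src -> running sum of those bytes
    hits = set()
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["method"] not in UPLOAD:
            continue
        src, ts, size = e["src"], e["ts"], e["bytes_from_client"]
        recent[src].append((ts, size))
        total[src] += size
        # Drop events that have aged out of the window.
        while recent[src][0][0] <= ts - window:
            total[src] -= recent[src].popleft()[1]
        if total[src] > x:
            hits.add(src)
    return hits

def ev(ts, src, method, mb):
    return {"ts": ts, "src": src, "method": method, "bytes_from_client": mb * MB}

# Constructed sample events (not real proxy logs).
EVENTS = (
    [ev(0, "10.0.0.5", "POST", 50)]                             # one 50 MB upload
    + [ev(i * 60, "10.0.0.6", "PUT", 10) for i in range(5)]     # 5 x 10 MB in 5 min
    + [ev(i * 3600, "10.0.0.7", "POST", 10) for i in range(5)]  # 5 x 10 MB over 5 h
    + [ev(i, "10.0.0.8", "GET", 10) for i in range(5)]          # not an upload method
)

if __name__ == "__main__":
    print("per event  :", sorted(per_event_hits(EVENTS)))
    print("accumulated:", sorted(accumulated_hits(EVENTS)))
```

The same five 10 MB uploads spread over five hours stay below X in every window, so the window length decides how slow a transfer can be before the accumulated rule stops seeing it.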