1. Is there any sense in setting a separate CRL depending on the time when those 7 failed logon attempts will happen, or is one enough with a 60-minute gate inside?
One is enough.
Will it work so that whatever happens first will close this gate (Threshold or Time) and then jump to another gate?
If you keep the 3 correlation rules they will all fire if 7 failed logon attempts occur.
2. Is there any sense in setting sequence inside the first gate (7 failures)? From tests, the number of triggers for those with sequence in gate one is equal to those without sequence enabled.
No, but you need sequence for the 2nd correlation rule.
I would also like to ask for an explanation of how the Threshold and Time Windows inside AND gates work.
Threshold is the number of events and Time Window is just what its name says :-)
Does the sequence have to be used only when there is more than one match component inside a gate?
If you have a single component there's no justification to use sequence.
Also, you might be interested in creating the first correlation as a component and the second as a rule if you're not interested in firing on 7 failed attempts as well.
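As an added illustration (not code from this thread or from any SIEM product), a small Python model of the single rule discussed above: one threshold/time-window gate, keyed per user, that fires on 7 failed logons within 60 minutes and drops older events as the window slides, so the gate is closed either by the threshold or by time. The class and function names and the sample events are constructed for this example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

class ThresholdGate:
    """One AND-gate: fires when `threshold` matching events for the same key
    fall inside `window`; events older than the window are dropped (time gate)."""

    def __init__(self, threshold, window):
        self.threshold = threshold
        self.window = window
        self.seen = defaultdict(deque)  # key -> timestamps still inside the window

    def feed(self, ts, key):
        q = self.seen[key]
        q.append(ts)
        while q and ts - q[0] > self.window:  # time closes the gate
            q.popleft()
        if len(q) >= self.threshold:  # threshold closes the gate
            q.clear()  # start a fresh window so one burst yields one alert
            return True
        return False

def run_failed_logon_rule(events, threshold=7, window=timedelta(minutes=60)):
    """Apply the 7-failures-in-60-minutes rule to (ts, user, outcome) tuples."""
    gate = ThresholdGate(threshold, window)
    alerts = []
    for ts_str, user, outcome in sorted(events):  # process in time order
        if outcome != "fail":  # the match component only selects failures
            continue
        ts = datetime.strptime(ts_str, "%Y-%m-%d %H:%M:%S")
        if gate.feed(ts, user):
            alerts.append((user, ts_str))
    return alerts

def _fails(user, times):  # helper to build constructed sample events
    return [(f"2024-01-01 {t}:00", user, "fail") for t in times]

# Constructed sample data, not real logs: alice fails 7 times in 7 minutes;
# bob fails 7 times but spread so that no 60-minute window holds all 7.
EVENTS = (
    _fails("alice", ["10:00", "10:01", "10:02", "10:03", "10:04", "10:05", "10:06"])
    + [("2024-01-01 10:07:00", "alice", "success")]
    + _fails("bob", ["09:00", "09:10", "09:20", "09:30", "10:05", "10:10", "10:15"])
)

if __name__ == "__main__":
    print(run_failed_logon_rule(EVENTS))  # [('alice', '2024-01-01 10:06:00')]
```

Lowering the threshold (e.g. 5) makes bob's later burst fire too, which is the quickest way to see the time window evicting his early failures.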
Many thanks for your support, that helped me a lot. Currently I am testing some CRLs and getting different results. I will try to troubleshoot and fix it.
If I get stuck I will definitely be back here.