Right. So if you click the tiny square icon to the right of where it says "30 Events within 10 seconds" in the Correlation Time container, you'll see the definition for which events apply. In 5.5, they are as specified above: "10 TCPTrafficAudit events occurring within 10 seconds where the Source Machine is the same and the Destination Machine is the same". I haven't applied 5.6 yet, so I don't know if any changes have been made. Let me know what you see in 5.6 and we'll go from there.
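The rule definition quoted in the reply above can be expressed as a sliding-window count per source/destination pair. This is an added example, not part of the original post and not the product's own code. The event tuple layout, the `correlate` function, the sample addresses and the choice to treat "within 10 seconds" as an inclusive window are assumptions.

```python
from collections import defaultdict, deque

def correlate(events, threshold=10, window=10.0, event_type="TCPTrafficAudit"):
    """Return (time, source, destination) for each pair that reaches `threshold`
    matching events inside `window` seconds. Events are (ts, type, src, dst)."""
    recent = defaultdict(deque)          # (src, dst) -> timestamps still in window
    alerts = []
    for ts, etype, src, dst in sorted(events):
        if etype != event_type:
            continue                     # only the audited event type counts
        q = recent[(src, dst)]           # same source AND same destination
        q.append(ts)
        while ts - q[0] > window:        # drop timestamps older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append((ts, src, dst))
            q.clear()                    # one alert per burst, then start over
    return alerts

# Constructed sample data (not taken from any real log).
SAMPLE_EVENTS = (
    # Burst: 10 events in 4.5 s between one pair -> should fire.
    [(0.5 * i, "TCPTrafficAudit", "10.0.0.5", "10.0.0.9") for i in range(10)]
    # Slow: 12 events, one every 2 s -> never 10 inside 10 s.
    + [(100.0 + 2 * i, "TCPTrafficAudit", "10.0.0.7", "10.0.0.9") for i in range(12)]
    # Fan-out: one source, 12 different destinations -> pairs differ, no alert.
    + [(200.0 + 0.1 * i, "TCPTrafficAudit", "10.0.0.8", f"10.0.1.{i}") for i in range(12)]
    # Other event type between one pair -> ignored by this rule.
    + [(300.0 + 0.1 * i, "UserLogon", "10.0.0.5", "10.0.0.9") for i in range(15)]
)

if __name__ == "__main__":
    for ts, src, dst in correlate(SAMPLE_EVENTS):
        print(f"t={ts:.1f}s  {src} -> {dst}  threshold reached")
```

Grouping on both machines is what keeps the fan-out case silent: each source/destination pair is counted separately, so a source touching many destinations never accumulates events under a single key.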