Article Number
000039567
Applies To
RSA Product Set: RSA NetWitness Platform
RSA Product/Service Type: Core Appliance
RSA Version/Condition: 11.3.2.0
Platform: CentOS
O/S Version: 6
Issue
When you look at the "# EVENTS" column in RESPOND > Alerts, it shows a count of at most 100, as shown below.
Here is an example using the "Web Dos Alerts" ESA rule.
Refer to the following screenshot of ESA syntax.
Case 1) If the ESA rule syntax contains HAVING COUNT(ip_dst) >= 150, the "# EVENTS" column shows 100, as in the first screenshot.
Case 2) If the ESA rule syntax contains HAVING COUNT(ip_dst) <= 100, the "# EVENTS" column changes to 40, as in the first screenshot.
Resolution
Event counts in Respond > Alerts show at most 100 because the default value of 'max-constituent-events' for the ESA rule is set to 100 for better performance.
For this reason, only 100 events are shown in the UI.
You can increase this value with the following steps.
- Go to Admin->Services->ESA->Explore->correlation->rule
- In the 'max-constituent-events' field, change the value from 100 to 200, as per your requirement.
With this change, you can see all 150 events on the Respond > Alerts page in this case.