I have this problem that I can't figure out:
Once a day an MSSQL database is queried for events. These events describe logins to a particular IS. I want to create a rule that checks if somebody logged in more than once with the same user in a 2 second time window.
The problem is that when events are stored in ArcSight all events trigger the rule, because they are inserted at the same time. I need something that does:
event1.USERID=event2.USERID AND event1.deviceReceiptTime is <= event2.deviceReceiptTime + 2seconds
I'm now trying to use match time functionality in my test lab.
Tips would be greatly appreciated.
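
The correlation asked about above, as an added example that is not part of the original post and is not ArcSight rule syntax: it pairs logins per USERID and compares the same two events on two different timestamps. It assumes deviceReceiptTime carries the original login time from the database row; storedTime is a hypothetical field standing for the moment the daily batch was inserted, and the events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one daily batch, so every event shares the same storedTime.
BATCH = datetime(2024, 1, 2, 3, 0, 0)  # hypothetical insert time of the batch
EVENTS = [
    {"USERID": "alice", "deviceReceiptTime": datetime(2024, 1, 1, 8, 0, 0), "storedTime": BATCH},
    {"USERID": "alice", "deviceReceiptTime": datetime(2024, 1, 1, 8, 0, 1), "storedTime": BATCH},
    {"USERID": "alice", "deviceReceiptTime": datetime(2024, 1, 1, 17, 30, 0), "storedTime": BATCH},
    {"USERID": "bob", "deviceReceiptTime": datetime(2024, 1, 1, 9, 15, 0), "storedTime": BATCH},
    {"USERID": "bob", "deviceReceiptTime": datetime(2024, 1, 1, 9, 15, 5), "storedTime": BATCH},
]


def repeated_logins(events, time_field, window=timedelta(seconds=2)):
    """Return (user, earlier, later) for logins of one user at most `window` apart."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["USERID"]].append(ev[time_field])

    hits = []
    for user, times in sorted(by_user.items()):
        times.sort()
        # Once sorted, if any two logins fall inside the window, so does an
        # adjacent pair, so comparing neighbours is enough to flag the user.
        for earlier, later in zip(times, times[1:]):
            if later - earlier <= window:
                hits.append((user, earlier, later))
    return hits


if __name__ == "__main__":
    # Windowing on the insert time: every same-user pair in the batch matches.
    print("storedTime hits:", len(repeated_logins(EVENTS, "storedTime")))
    # Windowing on the original login time: only the real 1-second repeat matches.
    for user, t1, t2 in repeated_logins(EVENTS, "deviceReceiptTime"):
        print("deviceReceiptTime hit:", user, t1.isoformat(), t2.isoformat())
```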