| Products | Versions |
|---|---|
| TIBCO LogLogic Security Event Manager | 2.7.x and higher |
Single alert acknowledgment in rules is not recommended by TIBCO.
TIBCO does not recommend creating rules that acknowledge alerts one at a time (unitary acknowledgment). The better approach is to acknowledge alerts in bulk, for example 10,000 alerts in one operation rather than a single alert at a time.
The reason is that the number of queries executed against MySQL noticeably lowers the performance of the SEM correlation process.
Example:
You receive 10,000 events in less than 1 hour.
=> With unitary acknowledgment, the SEM executes one query per event to acknowledge it, so 10,000 queries in total.
=> With bulk acknowledgment, after the first event the SEM keeps all matching events in memory, as defined in the rule. At the end of the process (timeout or maximum number of alerts), the SEM executes only one query to apply the acknowledgment.
Therefore it is much more efficient to acknowledge 10,000 alerts simultaneously than one at a time.
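As an added illustration (not TIBCO's code), the following Python model simulates the two strategies the example describes: a buffer that is flushed with a single query when the rule's timeout expires or its maximum number of alerts is reached, compared with one query per alert. The class and function names, and the 0.3 s arrival spacing, are constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class BatchAcknowledger:
    """Hypothetical model of how a rule buffers alerts before acknowledging them."""
    max_alerts: int          # rule's maximum number of alerts per acknowledgment
    timeout_s: float         # rule's timeout, measured from the first buffered alert
    queries_issued: int = 0  # acknowledgment queries sent to MySQL
    _buffer: list = field(default_factory=list)
    _first_ts: Optional[float] = None

    def add(self, alert_id: int, now: float) -> None:
        # The timeout runs from the first buffered alert: a late arrival first
        # flushes the old batch, then starts a new one.
        if self._buffer and now - self._first_ts >= self.timeout_s:
            self.flush()
        if not self._buffer:
            self._first_ts = now
        self._buffer.append(alert_id)
        if len(self._buffer) >= self.max_alerts:
            self.flush()

    def flush(self) -> None:
        """One query acknowledges every buffered alert, however many there are."""
        if self._buffer:
            self.queries_issued += 1  # e.g. a single UPDATE ... WHERE id IN (...)
            self._buffer.clear()
            self._first_ts = None


def queries_single_ack(num_alerts: int) -> int:
    """Unitary acknowledgment: one query per alert."""
    return num_alerts


def queries_batched_ack(arrivals: list, max_alerts: int, timeout_s: float) -> int:
    """Bulk acknowledgment: queries needed for alerts arriving at the given seconds."""
    acker = BatchAcknowledger(max_alerts=max_alerts, timeout_s=timeout_s)
    for i, ts in enumerate(arrivals):
        acker.add(i, ts)
    acker.flush()  # end of run: acknowledge whatever is still in memory
    return acker.queries_issued


if __name__ == "__main__":
    arrivals = [i * 0.3 for i in range(10_000)]  # constructed: 10,000 alerts in 50 minutes
    print(queries_single_ack(10_000), queries_batched_ack(arrivals, 10_000, 3600.0))  # 10000 1
```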