Duplicate pattern

A duplicate rule is defined by the duplicate pattern. It counts the second and subsequent events that are accepted within the specified time window but skips rule set processing for those events. It is a stateful rule.

Overview

The duplicate pattern is typically used to isolate similar (duplicate) events over a period of time. A duplicate event is similar in some way to a previous event, but it is not necessarily an exact copy of that event. Events are duplicates simply if they meet the event selection criteria for the rule. The time period is indicated by a mandatory time window, as defined by the <timeWindow> element in the rule language.

Conditions under which the rule response runs

With the duplicate pattern, the rule response runs at the following times:
  • When the first event is detected, as defined by the <onDetection> element.
  • As each duplicate event is processed, as defined by the <onNextEvent> element.
  • When the time window is complete, as defined by the <onTimeWindowComplete> element.

The first event triggers the <onDetection> action even though no duplicate events have been received. The reason for this behavior is that you might want to forward the first event and skip the rule set processing for duplicate events. In this case, you can add a rule response action that forwards the first event when the <onDetection> action is triggered for the rule.

The default processing for duplicate events (the second and subsequent events) is to count a duplicate event but skip the rule set processing for a duplicate event. If you want to take additional action on a duplicate event, you can explicitly define an <onNextEvent> action. For example, in certain cases, the duplicate event represents an event that might already be logged in a database or other repository. Therefore, you might want to code an <onNextEvent> action to remove the duplicate event from these other locations.

An <onTimeWindowComplete> action can be used to create a summary record for all duplicate events that includes the number of duplicates that were processed.

Example usage of this rule pattern

Assume that a "Denial of service" message continues to occur from the same resource type (a security monitor). This indicates a possible security breach. An example usage of the duplicate pattern is a rule that does the following:
After a "Denial of service" message occurs from the security monitor, any duplicates of that event that occur during a 30-second time period are counted but are not sent to the operator console. Also, at the end of the 30-second time period, the rule generates an event that indicates the number of "Denial of service" messages that have occurred over the time period.
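As an added illustration that is not part of the product documentation, the following Python simulation models the three response points of the duplicate pattern for the scenario above (first event forwarded, duplicates counted and skipped, summary at the end of the 30-second window). The Event record, the hook names and the timestamps are assumptions of this example, not the rule language's own syntax.

```python
from collections import namedtuple
Event = namedtuple("Event", "ts msg source")  # constructed: seconds, text, resource type

class DuplicateRule:
    """Duplicate pattern simulation: the first selected event opens the window and
    fires on_detection; later selected events in the window are counted, fire
    on_next_event and are skipped; closing the window fires on_time_window_complete."""

    def __init__(self, window, selects, on_detection=None,
                 on_next_event=None, on_time_window_complete=None):
        self.window, self.selects = window, selects
        self.hooks = (on_detection, on_next_event, on_time_window_complete)
        self.first, self.window_end, self.count = None, None, 0

    def tick(self, now):
        """Close the window once 'now' passes its end (also call this from a timer)."""
        if self.first is not None and now >= self.window_end:
            if self.hooks[2]:
                self.hooks[2](self.first, self.count)
            self.first, self.window_end, self.count = None, None, 0

    def process(self, event):
        """Return True if rule set processing should continue for this event."""
        self.tick(event.ts)
        if not self.selects(event):
            return True                      # not a candidate for this rule
        if self.first is None:               # first event: open the window
            self.first, self.window_end = event, event.ts + self.window
            if self.hooks[0]:
                self.hooks[0](event)
            return True                      # the first event continues downstream
        self.count += 1                      # duplicate: count, notify, skip
        if self.hooks[1]:
            self.hooks[1](event, self.count)
        return False

def run_example():
    """Constructed 'Denial of service' events from a security monitor, 30 s window."""
    forwarded, summaries = [], []
    rule = DuplicateRule(
        window=30,
        selects=lambda e: e.msg == "Denial of service" and e.source == "security monitor",
        on_detection=lambda e: forwarded.append(e.ts),
        on_time_window_complete=lambda first, n: summaries.append((first.ts, n)))
    dos = lambda ts: Event(ts, "Denial of service", "security monitor")
    events = [dos(0), dos(5), Event(12, "Link down", "router"), dos(29), dos(31)]
    passed = [e.ts for e in events if rule.process(e)]
    rule.tick(61)                            # a timer closes the second window
    return passed, forwarded, summaries
```

The unrelated "Link down" event passes through untouched, the event at 31 s falls outside the first window and so opens a second one, and the summary for the first window reports two duplicates.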
Related reference
Duplicate rule summary