Minimum counts and reset intervals

Some activities are normal and acceptable when they occur below a certain rate but require attention when the rate exceeds a tolerable threshold.

For example, if interactive database access is allowed, a consistent but relatively low rate of login failures might be expected. However, a sharply higher rate might indicate an attack is in progress.

To deal with thresholds, a minimum count and a reset interval can be specified for each policy rule. For example, this can be used to trigger the rule action after the count of login failures exceeds 100 (the minimum count) within one minute (the reset interval). If omitted, the default is to execute the rule action each time the rule is satisfied.
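
The threshold behaviour described above, modelled as an added example (this is not the product's own code or rule syntax). `ThresholdRule`, `match`, `alerts` and `sample_events` are hypothetical names, the timestamps are constructed, and the window handling (a fixed window opened by the first counted match, with the counter cleared when the action fires) is an assumption.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ThresholdRule:
    """Runs the rule action once matches exceed min_count within reset_interval."""
    min_count: int = 0            # 0 models the option being omitted
    reset_interval: float = 0.0   # seconds
    _window_start: Optional[float] = None
    _count: int = 0

    def match(self, ts: float) -> bool:
        """Record one rule match at time ts; return True if the action runs."""
        if self.min_count <= 0:
            return True  # default: act every time the rule is satisfied
        # Assumption: the window opens at the first counted match and the
        # counter starts over once reset_interval seconds have passed.
        if self._window_start is None or ts - self._window_start >= self.reset_interval:
            self._window_start, self._count = ts, 0
        self._count += 1
        if self._count > self.min_count:  # "exceeds", as the text puts it
            # Assumption: running the action clears the counter.
            self._window_start, self._count = None, 0
            return True
        return False


def alerts(rule: ThresholdRule, timestamps: List[float]) -> List[float]:
    """Return the timestamps at which the rule action would run."""
    return [ts for ts in timestamps if rule.match(ts)]


def sample_events() -> List[float]:
    """Constructed login-failure times: steady background, then a burst."""
    background = [float(2 * i) for i in range(300)]  # 30 per minute for 10 minutes
    burst = [600.0 + i / 5 for i in range(150)]      # 150 failures in 30 seconds
    return background + burst


if __name__ == "__main__":
    events = sample_events()
    print("threshold 100 per 60 s:", alerts(ThresholdRule(100, 60.0), events))
    print("no threshold set:", len(alerts(ThresholdRule(), events)), "actions")
```

The steady 30-per-minute background never runs the action; only the burst does, on its 101st failure. The same events with no threshold set would run the action on every failure.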