Event Tracking Tables (ETTs) are data buffers that store combinations of attributes. They track traffic properties in order to enable behavior-based correlation.
ETTs track pairs of attributes of communication events across multiple traffic flows. A communication event consists of a combination of one primary attribute and several secondary attributes. Rules enter these events in the event tracking tables.
Every entry in an ETT has an individual timeout. Therefore, changes can be tracked over time and the entries can be automatically removed once the timeout has elapsed. Rules can query the tables to check if certain attributes are present or count the number of attributes. Based on whether the evaluation condition is met, further rules are applied to the flow.
See Setting Up Event Tracking Tables (ETT) for an example.