I need to create a new custom correlation rule that match the following stream of events but i dont know how to do:
In a specified time period (Ex. 3 minutes) I need to match 2 equal event in sequence but at the same time I need to ceck if another specific event not occur at all.
I tried somthing like this with no luck:
I configured the second filter with the opption "This component should only trigger if matches DO NOT occur within the timeout period specified at the logical element level.". The second "AND" insert statement ceck the 2 occurrences that I nedd to verify.
Some one kow how to make this rule correlation works?