I have been asked to write a correlation rule that does the following:
For a given Source IP, trigger whenever Signature ID=278-725002 occurs AND Signature ID=278-716038 has NOT occurred within the last 48 hours.
Signature ID=278-725002 #Device completed SSL handshake with server/client
Signature ID=278-716038 #WebVPN authentication successful
Is it even possible to correlate on a "within 48 hours"?
Also how would I specify "any" ip?
You can correlate based on event occurrences within a specified time window. Just grab "AND" and under its options you can specify it.
For "any ip" the syntax is "src/dest ip not in 0.0.0.0"
Also if you grab "Funnel" it has option "does not match"
At the moment I don't have access, but on Monday I can try to create the rule for you.
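The correlation logic the question asks for, written out as an added Python example so the window semantics can be checked against sample data. This is not code from the original thread and not the SIEM's own rule syntax; the event tuples, timestamps and IP addresses below are constructed for the example, and only the two Signature IDs come from the question. The rule is keyed on every source IP (no "any ip" filter is needed in code), and state is pruned so only authentications still inside the 48-hour window are kept.

```python
from datetime import datetime, timedelta

SIG_SSL_HANDSHAKE = "278-725002"   # Device completed SSL handshake with server/client
SIG_WEBVPN_AUTH_OK = "278-716038"  # WebVPN authentication successful
WINDOW = timedelta(hours=48)

# Constructed sample events, not taken from the original page:
# (timestamp, Signature ID, source IP)
SAMPLE_EVENTS = [
    ("2024-01-01 08:00:00", SIG_WEBVPN_AUTH_OK, "10.0.0.5"),
    ("2024-01-01 09:00:00", SIG_SSL_HANDSHAKE, "10.0.0.5"),    # auth 1 h earlier: no alert
    ("2024-01-02 10:00:00", SIG_SSL_HANDSHAKE, "192.0.2.7"),   # never authenticated: alert
    ("2024-01-03 09:30:00", SIG_SSL_HANDSHAKE, "10.0.0.5"),    # last auth 49.5 h ago: alert
    ("2024-01-03 09:45:00", SIG_WEBVPN_AUTH_OK, "192.0.2.7"),
    ("2024-01-03 10:00:00", SIG_SSL_HANDSHAKE, "192.0.2.7"),   # auth 15 min earlier: no alert
]


def parse_ts(ts_str):
    """Parse the constructed 'YYYY-MM-DD HH:MM:SS' timestamp format used above."""
    return datetime.strptime(ts_str, "%Y-%m-%d %H:%M:%S")


def correlate(events, window=WINDOW):
    """Return (timestamp, src_ip) for every SSL handshake whose source IP has
    had no successful WebVPN authentication within the preceding window.

    Events are processed in timestamp order; the window is evaluated backward
    from each handshake event, which is how "has NOT occurred within the last
    48 hours" reads in the question.
    """
    last_auth = {}   # src IP -> most recent successful WebVPN authentication
    alerts = []
    for ts_str, sig, src in sorted(events, key=lambda e: parse_ts(e[0])):
        ts = parse_ts(ts_str)

        # Bound the state: an authentication older than the window can never
        # suppress another alert, so drop it.
        for ip in [ip for ip, seen in last_auth.items() if ts - seen > window]:
            del last_auth[ip]

        if sig == SIG_WEBVPN_AUTH_OK:
            last_auth[src] = ts
        elif sig == SIG_SSL_HANDSHAKE and src not in last_auth:
            alerts.append((ts_str, src))
    return alerts


if __name__ == "__main__":
    for ts_str, src in correlate(SAMPLE_EVENTS):
        print(f"{ts_str}  {src}  handshake without WebVPN auth in last 48 h")
```

One caveat worth keeping in mind when turning this into a SIEM rule: in a normal WebVPN login the SSL handshake is logged before the authentication succeeds, so a purely backward-looking window fires on every client's first connection (and on any client that has not logged in for 48 hours) before the authentication event has a chance to arrive. If that is not the intent, the rule needs a short grace period after the handshake rather than an instant decision.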