How can I implement this Separation of Duties scenario?
I'm looking at a Use Case where I have a list of administrators in a watchlist, a list of Signature IDs in a watchlist that I use in a filter and I want to detect all cases where in the selected Event the Source User is the same as the Destination User.
This is a basic SoD scenario where detection is an important control.
Is there some way of achieving this? It's the Source=Destination within the Event requirement that I'm having trouble resolving. A generic way of solving this sort of comparison would allow a few interesting scenarios to be explored, such as comparing Source Zone and Destination Zone to select traffic either contained within or travelling between defined Zones.
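The field-to-field comparison described in the question, written outside any particular SIEM as an added example that is not part of the original post. The event field names (`signature_id`, `src_user`, `dst_user`, `src_zone`, `dst_zone`), the watchlist contents and the sample events are all constructed assumptions.

```python
# Constructed watchlists standing in for the two watchlists in the question.
ADMINS = {"alice", "bob"}
SIGNATURE_IDS = {"SIG-1001", "SIG-1002"}

def normalize_user(raw):
    # Reduce DOMAIN\user, user@domain and mixed case to a bare lowercase name.
    # Assumption: account names are unique across domains; if they are not,
    # keep the domain part so two different accounts are never treated as one.
    if not raw:
        return None
    name = raw.strip().lower()
    if "\\" in name:
        name = name.rsplit("\\", 1)[1]
    if "@" in name:
        name = name.split("@", 1)[0]
    return name or None

def is_sod_violation(event, admins=ADMINS, signatures=SIGNATURE_IDS):
    # Filter stage: only events whose signature is on the watchlist.
    if event.get("signature_id") not in signatures:
        return False
    src = normalize_user(event.get("src_user"))
    dst = normalize_user(event.get("dst_user"))
    # Two empty user fields are "equal" but are not a match worth alerting on.
    if src is None or dst is None:
        return False
    return src == dst and src in admins

def zone_relation(event):
    # Same comparison applied to zones: "within" one zone or "between" two.
    src, dst = event.get("src_zone"), event.get("dst_zone")
    if not src or not dst:
        return "unknown"
    return "within" if src == dst else "between"

def find_violations(events):
    return [e["id"] for e in events if is_sod_violation(e)]

# Constructed sample events.
EVENTS = [
    {"id": 1, "signature_id": "SIG-1001", "src_user": "CORP\\Alice",
     "dst_user": "alice@corp.example", "src_zone": "DMZ", "dst_zone": "DMZ"},
    {"id": 2, "signature_id": "SIG-1001", "src_user": "alice",
     "dst_user": "carol", "src_zone": "DMZ", "dst_zone": "Internal"},
    {"id": 3, "signature_id": "SIG-9999", "src_user": "bob", "dst_user": "bob"},
    {"id": 4, "signature_id": "SIG-1002", "src_user": "dave", "dst_user": "dave"},
    {"id": 5, "signature_id": "SIG-1002", "src_user": "", "dst_user": None},
]

if __name__ == "__main__":
    print(find_violations(EVENTS))
```

Only event 1 matches: events 3 and 4 have equal users but fail the signature or administrator watchlist, and event 5 has no users to compare.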