I want to create a correlation rule that matches true if it sees two IPs from the same /24 subnet.
If I have two events with the same signature ID, one from IP 10.2.3.4 and IP 10.2.3.5, I want them to match true to trigger an alarm.
I can't see a method to tell siem that I want to match IPs from a same subnet range, and remain as abstract as possible, like x.x.x.x/24
Can anyone tell me how to do this?
Thank you very much
Tricky but the way to do it is to set up a filter for that IP subnet and that click advanced options distinct values 2, source IP addresses.