Showing results for 
Search instead for 
Did you mean: 

How to match two Destination IPs from same subnet


I want to create a correlation rule that matches true if it sees two IPs from the same /24 subnet.

If I have two events with the same signature ID, one from IP and IP, I want them to match true to trigger an alarm.

I can't see a method to tell siem that I want to match IPs from a same subnet range, and remain as abstract as possible, like x.x.x.x/24

Can anyone tell me how to do this?

Thank you very much

1 Reply
Level 10
Report Inappropriate Content
Message 2 of 2

Re: How to match two Destination IPs from same subnet

Tricky but the way to do it is to set up a filter for that IP subnet and that click advanced options distinct values 2, source IP addresses.

More McAfee Tools to Help You
  • Subscription Service Notification (SNS)
  • How-to: Endpoint Removal Tool
  • Support: Endpoint Security
  • eSupport: Policy Orchestrator
  • Community Help Hub

      New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

    • Find Forum FAQs
    • Learn How to Earn Badges
    • Ask for Help
    Go to Community Help

    Join the Community

      Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

    • Get helpful solutions from McAfee experts.
    • Stay connected to product conversations that matter to you.
    • Participate in product groups led by McAfee employees.
    Join the Community
    Join the Community