I want to create a correlation rule that matches true if it sees two IPs from the same /24 subnet.
If I have two events with the same signature ID, one from IP 10.2.3.4 and IP 10.2.3.5, I want them to match true to trigger an alarm.
I can't see a method to tell siem that I want to match IPs from a same subnet range, and remain as abstract as possible, like x.x.x.x/24
Can anyone tell me how to do this?
Thank you very much
Tricky but the way to do it is to set up a filter for that IP subnet and that click advanced options distinct values 2, source IP addresses.
Download the new ePolicy Orchestrator (ePO) Support Center Extension which simplifies ePO management and provides support resources directly in the console. Learn more about ePO Support Center