I have a situation: I want to create a rule that shows me when a particular event didn't trigger in a period of time. So, for example, if I want to watch for the event with signature ID 363-2411 over a period of 2 minutes, I think that the rule must be like this, but it doesn't trigger. For example:
And in the logical operator.
I don't see any event with this rule, why?
You should change your Correlation rule to a Sequence:
1. Signature ID in 360-2413
2. Signature ID Not in 360-2412
360-2412 = Deployment failed
360-2413 = Attempt to uninstall McAfee Agent
For this you don't need the "Not Match" rule.
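The sequence logic described in the answer, as an added stand-alone illustration that is not part of the original thread and not McAfee ESM code: it flags each 360-2413 event that is not followed by a 360-2412 event within the 2-minute window from the question. The sample events are constructed; the signature IDs are the ones listed in the answer.

```python
from datetime import datetime, timedelta

# Constructed sample events (not from the thread); each is (timestamp, signature ID).
# 360-2413 = attempt to uninstall McAfee Agent, 360-2412 = deployment failed.
SAMPLE_EVENTS = [
    ("2024-01-01 10:00:00", "360-2413"),  # uninstall attempt, failure follows in time
    ("2024-01-01 10:01:30", "360-2412"),
    ("2024-01-01 10:05:00", "360-2413"),  # uninstall attempt, no failure within window
    ("2024-01-01 10:09:00", "360-2412"),  # failure, but outside the 2-minute window
    ("2024-01-01 10:20:00", "360-2413"),  # uninstall attempt, nothing follows at all
]

WINDOW = timedelta(minutes=2)  # the time window from the question


def parse(events):
    """Convert (timestamp string, signature) pairs to sorted (datetime, signature) tuples."""
    return sorted((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), sig) for ts, sig in events)


def unanswered_triggers(events, trigger="360-2413", expected="360-2412", window=WINDOW):
    """Return timestamps of `trigger` events NOT followed by an `expected` event within `window`.

    This mirrors the sequence rule: step 1 matches the trigger, step 2 requires that
    the expected follow-up event does not occur before the window closes.
    """
    parsed = parse(events)
    hits = []
    for i, (ts, sig) in enumerate(parsed):
        if sig != trigger:
            continue
        deadline = ts + window
        # Look only at events after the trigger and inside the window.
        followed = any(
            later_sig == expected and ts < later_ts <= deadline
            for later_ts, later_sig in parsed[i + 1:]
        )
        if not followed:
            hits.append(ts.strftime("%Y-%m-%d %H:%M:%S"))
    return hits


if __name__ == "__main__":
    for ts in unanswered_triggers(SAMPLE_EVENTS):
        print(f"uninstall attempt at {ts} with no deployment failure within 2 minutes")
```

In the SIEM itself the window is enforced by the sequence rule's own timer rather than by this loop; the script only shows which events the sequence should surface.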