can anyone help me with below scenario.
i have a use case in which we need to correlate multiple failed login attempts (10 in 10) with IPS event grouped by destination IP ( both events should have same destination IP). may be we can put them in sequence ... but not sure how i can acheive this .
Group By: Destination IP
The above should only trigger if there are 10 Failed Login Events with IPS Events within a 10 Minute window, and the Group By setting will make sure those events only meet the criteria if the Failed Login and IPS events share the same Destination IP. Hopefully this works as desired and helps.