9 Replies Latest reply on Sep 2, 2014 5:25 AM by alexander_h

    Date driven correlation rule

      I have been asked to write a correlation rule that does the following:

      For a given Source IP, trigger whenever Signature ID=278-725002 occurs AND Signature ID=278-716038 has NOT occurred within the last 48 hours.

      Signature ID=278-725002    # Device completed SSL handshake with server/client
      Signature ID=278-716038    # WebVPN authentication successful

      Is it even possible to correlate on a "within 48 hours"?

      Also, how would I specify "any" IP?

      Thank you!
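The logic the post asks for (per source IP, fire on the SSL-handshake signature when no WebVPN-authentication signature has been seen from that IP in the preceding 48 hours) can be stated as a small stateful correlation. The following is an added illustration written for this thread, not the original poster's rule and not a SIEM's own rule syntax; the log-line format, the field names `src_ip` and `sig_id`, and the sample events are constructed for the example. It keys state on the source IP field rather than filtering on a value, which is what "any IP" amounts to, and it sorts the input by timestamp so out-of-order delivery does not skew the window check.

```python
from datetime import datetime, timedelta

# Signature IDs quoted in the post.
SSL_HANDSHAKE = "278-725002"   # Device completed SSL handshake with server/client
WEBVPN_AUTH_OK = "278-716038"  # WebVPN authentication successful
WINDOW = timedelta(hours=48)

# Constructed sample log lines (format assumed for this example):
# "<ISO timestamp> src_ip=<ip> sig_id=<signature id>"
SAMPLE_LOG = [
    "2014-08-28T08:00:00 src_ip=10.0.0.5 sig_id=278-716038",   # auth OK
    "2014-08-28T08:01:00 src_ip=10.0.0.5 sig_id=278-725002",   # handshake, auth 1 min earlier -> no alert
    "2014-08-31T08:30:00 src_ip=10.0.0.5 sig_id=278-725002",   # handshake, last auth >48h ago -> alert
    "2014-08-31T09:00:00 src_ip=10.0.0.5 sig_id=278-716038",   # fresh auth OK
    "2014-08-31T09:05:00 src_ip=10.0.0.5 sig_id=278-725002",   # handshake, auth 5 min earlier -> no alert
    "2014-08-29T09:00:00 src_ip=192.0.2.10 sig_id=278-725002", # never authenticated, delivered out of order -> alert
]


def parse_line(line):
    """Split one sample line into (timestamp, src_ip, sig_id)."""
    parts = line.split()
    ts = datetime.fromisoformat(parts[0])
    fields = dict(p.split("=", 1) for p in parts[1:])
    return ts, fields["src_ip"], fields["sig_id"]


def correlate(lines, window=WINDOW):
    """Return [(src_ip, timestamp_iso)] for every SSL handshake from an IP
    with no successful WebVPN authentication in the preceding `window`.

    State is one entry per source IP (the most recent auth success), so the
    rule naturally applies to "any" IP without enumerating addresses."""
    events = sorted(parse_line(l) for l in lines)  # order by timestamp first
    last_auth = {}  # src_ip -> datetime of the latest 278-716038
    alerts = []
    for ts, src, sig in events:
        if sig == WEBVPN_AUTH_OK:
            last_auth[src] = ts
        elif sig == SSL_HANDSHAKE:
            seen = last_auth.get(src)
            if seen is None or ts - seen > window:
                alerts.append((src, ts.isoformat()))
    return alerts


if __name__ == "__main__":
    for src, when in correlate(SAMPLE_LOG):
        print(f"ALERT {when} {src}: SSL handshake without WebVPN auth in last 48h")
```

Two caveats worth noting when moving this into a production rule: the "has NOT occurred" side is only meaningful once the engine has at least 48 hours of authentication history, so on a cold start every handshake will match until that history accumulates; and the direction matters, since the post wants the authentication to precede the handshake, not merely to fall anywhere in a window around it.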