9 Replies Latest reply on Sep 2, 2014 5:25 AM by alexander_h

    Date driven correlation rule

    pfabrizi

      I have been asked to write a correlation rule that does the following:

      For a given Source IP, trigger whenever Signature ID=278-725002 occurs AND Signature ID=278-716038 has NOT occurred within the last 48 hours.

      Signature ID=278-725002   # Device completed SSL handshake with server/client
      Signature ID=278-716038   # WebVPN authentication successful

      Is it even possible to correlate on a "within 48 hours"?

      Also how would I specify "any" ip?

      Thank You!
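The correlation described in the post, written out as a small stand-alone detector (an added example, not code from the thread or from any SIEM product): it keeps per-source-IP state, so "any IP" is simply whatever addresses appear in the feed, and it raises an alert for each SSL handshake event whose source has had no successful WebVPN authentication in the preceding 48 hours. The log line format and the sample events are constructed for the example.

```python
import re
from datetime import datetime, timedelta

HANDSHAKE_SIG = "278-725002"  # Device completed SSL handshake with server/client
AUTH_SIG = "278-716038"       # WebVPN authentication successful
WINDOW = timedelta(hours=48)

# Constructed line format (an assumption, not a real export format): "<ISO time> src=<ip> sig=<id>"
LINE_RE = re.compile(r"^(\S+) src=(\S+) sig=(\S+)$")

def parse_line(line):
    """Turn one constructed log line into a (timestamp, src_ip, sig_id) tuple."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    ts, src_ip, sig = m.groups()
    return datetime.fromisoformat(ts), src_ip, sig

def correlate(events, window=WINDOW):
    """events: (timestamp, src_ip, sig_id) tuples in any order. Returns (src_ip, timestamp)
    for every handshake whose source IP had no successful WebVPN auth within `window` before it."""
    last_auth = {}  # src_ip -> time of most recent successful auth; keyed per IP, so any IP is covered
    alerts = []
    for ts, src_ip, sig in sorted(events):  # process in time order so "last 48h" is well defined
        if sig == AUTH_SIG:
            last_auth[src_ip] = ts
        elif sig == HANDSHAKE_SIG:
            seen = last_auth.get(src_ip)
            if seen is None or ts - seen > window:  # never authenticated, or auth too long ago
                alerts.append((src_ip, ts))
    return alerts

# Constructed sample feed: 10.0.0.5 authenticates, then handshakes 1h and 49h later;
# 10.0.0.9 handshakes before ever authenticating, then again 1h after authenticating.
SAMPLE_LOG = """\
2014-09-01T08:00:00 src=10.0.0.5 sig=278-716038
2014-09-01T09:00:00 src=10.0.0.5 sig=278-725002
2014-09-01T10:00:00 src=10.0.0.9 sig=278-725002
2014-09-03T09:00:00 src=10.0.0.5 sig=278-725002
2014-09-03T10:00:00 src=10.0.0.9 sig=278-716038
2014-09-03T11:00:00 src=10.0.0.9 sig=278-725002
"""

def run_sample():
    return correlate(parse_line(l) for l in SAMPLE_LOG.splitlines())

if __name__ == "__main__":
    for ip, ts in run_sample():
        print(f"ALERT {ts.isoformat()} {ip}: SSL handshake with no WebVPN auth in the last 48h")
```

Only the 10.0.0.9 handshake with no prior authentication and the 10.0.0.5 handshake 49 hours after its last authentication fire; a handshake one hour after a successful authentication stays quiet.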