You can use a watchlist to achieve this. First create a watchlist for Source IP and add all the IPs or IP ranges, then create a watchlist for Destination IP and add all the IPs or IP ranges. While creating the correlation rule, select the Not In condition for the Source IP watchlist, the Not In condition for Destination IP and the Not In condition for event subtype and count, and make sure you AND the entire filter condition. Hope this helps. Let me know if you need any more help!
Thanks Vinay. I was thinking if there is any way where we put 10.231.0.0/23 or something like this and the entire range gets included, but that is not a good idea from a security point of view and I don't think it's possible in the SIEM.
The first two conditions will be fulfilled by the watchlist approach, but the event count option is not present in the rule, although it is there in deviation (that's strange). Now I have created an AND inside the original footprint (by using SET), put all the NOT IN conditions inside it and added a deviation on event count of 500. Hope this will serve the purpose.
Any suggestions for improvement?
You can do it more easily by using an AND condition and modifying the threshold and time window for this logical element (e.g. the rule should trigger if the combination of destip and srcip is found more than 500 times in x minutes).
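To make the rule logic from this thread concrete, here is an added Python model of it (not from any post above or from the SIEM vendor): the three NOT IN conditions ANDed together, with the 10.231.0.0/23 range from the thread in the source watchlist, and a per-(src, dst) count that must exceed 500 inside a sliding time window. All other addresses, event subtypes and the 10-minute window are constructed assumptions.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed watchlists: the 10.231.0.0/23 range from the thread plus hypothetical entries.
SRC_WATCHLIST = [ipaddress.ip_network("10.231.0.0/23"), ipaddress.ip_network("10.10.5.7/32")]
DST_WATCHLIST = [ipaddress.ip_network("192.168.100.0/24")]
EXCLUDED_SUBTYPES = {"heartbeat"}  # hypothetical event subtypes to leave out of the count

def in_watchlist(ip, watchlist):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in watchlist)

def matches_filter(event):
    # The three NOT IN conditions, ANDed as the thread describes.
    return (not in_watchlist(event["src"], SRC_WATCHLIST)
            and not in_watchlist(event["dst"], DST_WATCHLIST)
            and event["subtype"] not in EXCLUDED_SUBTYPES)

def correlate(events, threshold=500, window=timedelta(minutes=10)):
    """Return the (src, dst) pairs with more than `threshold` matching events in any `window`."""
    stamps_by_pair = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if matches_filter(ev):
            stamps_by_pair[(ev["src"], ev["dst"])].append(ev["ts"])
    alerts = set()
    for pair, stamps in stamps_by_pair.items():
        start = 0  # sliding window over this pair's sorted timestamps
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            if end - start + 1 > threshold:
                alerts.add(pair)
                break
    return alerts

def burst(src, dst, subtype, count, spacing, t0=datetime(2024, 1, 1)):
    return [{"ts": t0 + i * spacing, "src": src, "dst": dst, "subtype": subtype} for i in range(count)]

def sample_events():
    # Constructed traffic: a real burst, a watch-listed source, an excluded subtype, a slow trickle.
    return (burst("172.16.3.4", "203.0.113.9", "connection", 501, timedelta(seconds=1))
            + burst("10.231.1.20", "203.0.113.9", "connection", 600, timedelta(seconds=1))
            + burst("172.16.3.5", "203.0.113.10", "heartbeat", 600, timedelta(seconds=1))
            + burst("172.16.3.6", "203.0.113.11", "connection", 501, timedelta(seconds=15)))

if __name__ == "__main__":
    print(correlate(sample_events()))  # {('172.16.3.4', '203.0.113.9')}
```

Only the first burst fires: the second source sits inside 10.231.0.0/23, the third is an excluded subtype, and the fourth never reaches 501 events inside one 10-minute window.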