Go to your Correlation --> new Correlation rule --> set a new AND operator --> add a filter rule with Severity > 80 --> open the configuration of your AND operator and add your threshold by 30
Add a correlation rule name and change the default Normalization. Save the rule and copy this Signature ID and paste it in your new Alarm with the condition Internal Event match.
Works! Many thanks
Thanks for your help. Just to be sure:
if you want to group 1 signature ID (for example kerberos pre authentication failed) and 1 criteria on event count (more than 20),
you have to:
1) In the Correlation rule, add an ADD operator; then add the signature ID filter of our rule and Severity filter > x?
2) Click on edit on the AND operator and select the threshold we want?
3) Name our correlation rule and... choose which normalization? (undefined could be OK?)
4) Then save and copy the Signature ID xxx of the correlation that we've created
5) Create an alarm on the signature ID xxx with Internal Event condition?
Thank you in advance,
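
The rule chain discussed in this thread (filters combined under an AND operator, a count threshold, then an alarm that matches the correlation's own signature ID), modelled in Python as an added example that is not part of any post and not the SIEM's own code. The signature IDs are placeholders; the 10-minute window, grouping by source IP and firing when the count reaches the threshold are assumptions.

```python
from collections import deque
from datetime import datetime, timedelta

# Assumed values: the thread gives severity > 80 and a threshold of 30;
# the window length, grouping field and both IDs below are placeholders.
SOURCE_SIG_ID = "SIG-SOURCE-PLACEHOLDER"
CORRELATION_SIG_ID = "SIG-CORRELATION-PLACEHOLDER"
MIN_SEVERITY = 80
THRESHOLD = 30
WINDOW = timedelta(minutes=10)


def correlate(events):
    """AND of both filters plus a count threshold; yields internal events."""
    recent = {}  # group key (source IP) -> deque of matching timestamps
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["sig_id"] != SOURCE_SIG_ID or ev["severity"] <= MIN_SEVERITY:
            continue  # AND operator: both filters must match
        q = recent.setdefault(ev["src_ip"], deque())
        q.append(ev["time"])
        while ev["time"] - q[0] > WINDOW:
            q.popleft()  # drop matches that fell out of the window
        if len(q) >= THRESHOLD:
            yield {"sig_id": CORRELATION_SIG_ID, "src_ip": ev["src_ip"],
                   "time": ev["time"], "count": len(q)}
            q.clear()  # start counting again after the rule fires


def alarms(internal_events, match_sig_id=CORRELATION_SIG_ID):
    """Alarm condition 'Internal Event match' on the correlation's ID."""
    return [e for e in internal_events if e["sig_id"] == match_sig_id]


def sample_events():
    """Constructed sample data, not taken from any real log."""
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    noisy = [{"time": t0 + timedelta(seconds=5 * i), "sig_id": SOURCE_SIG_ID,
              "severity": 90, "src_ip": "192.0.2.10"} for i in range(35)]
    low_sev = [{"time": t0 + timedelta(seconds=i), "sig_id": SOURCE_SIG_ID,
                "severity": 50, "src_ip": "192.0.2.20"} for i in range(40)]
    slow = [{"time": t0 + timedelta(minutes=i), "sig_id": SOURCE_SIG_ID,
             "severity": 95, "src_ip": "192.0.2.30"} for i in range(35)]
    return noisy + low_sev + slow


if __name__ == "__main__":
    for alarm in alarms(correlate(sample_events())):
        print(alarm)
```

Only the first constructed source raises an alarm: the second fails the severity filter and the third never accumulates enough matches inside one window.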