I have a question regarding correlation rules, and it's something I can't find any specific info on.
So my question is regarding the Advanced Options setting "A number of Distinct Values must be observed in the Monitored Fields for this component to trigger".
As an overview of my correlation rule: it's looking for potential ransomware emails by looking at inbound email that is categorised as delivered. I have a set of keywords to search for in the Subject line, my Distinct Values is set to 2, and the Monitored Field is Subject.
So what I'm trying to achieve is this: the correlation rule checks for Reason = Email Delivered (within a one-minute threshold) that contains two of the keywords in the Subject field (e.g. "A courier has delivered") and then fires, creating an alarm etc. But I'm not entirely sure that's how the distinct values work?
Any thoughts or clarification?
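The question turns on two different readings of "distinct values": counting how many different Subject values appear across events in the window, versus counting how many keywords appear inside one Subject. The following is an added illustration in Python, not code from the poster or from the product being discussed, and it makes no claim about how that product's option actually behaves. It models a generic one-minute correlation window over constructed email-delivery events (the keyword list, field names and events are all assumptions) and evaluates both readings side by side so the difference is visible on the same input.

```python
from dataclasses import dataclass

# Constructed keyword list standing in for the poster's Subject keywords.
KEYWORDS = ("courier", "delivered", "invoice", "payment")
WINDOW_SECONDS = 60      # the one-minute threshold from the question
DISTINCT_VALUES = 2      # the "Distinct Values" setting from the question


@dataclass
class EmailEvent:
    ts: int          # seconds since the start of the sample, constructed
    reason: str      # e.g. "Email Delivered"
    subject: str


# Constructed sample events, not real mail-gateway log data.
SAMPLE_EVENTS = [
    EmailEvent(0,  "Email Delivered", "A courier has delivered your parcel"),
    EmailEvent(20, "Email Delivered", "Meeting notes"),
    EmailEvent(40, "Email Delivered", "A courier has delivered your parcel"),
    EmailEvent(50, "Email Blocked",   "Invoice payment overdue"),
    EmailEvent(90, "Email Delivered", "Invoice payment overdue"),
]


def keyword_hits(subject, keywords=KEYWORDS):
    """Return the keywords that occur in the subject (case-insensitive)."""
    lowered = subject.lower()
    return [k for k in keywords if k in lowered]


def matching_events(events, start, window=WINDOW_SECONDS):
    """Events inside [start, start + window) that are delivered mail
    whose Subject contains at least one keyword."""
    return [
        e for e in events
        if start <= e.ts < start + window
        and e.reason == "Email Delivered"
        and keyword_hits(e.subject)
    ]


def distinct_field_values(events, field):
    """The set of distinct values of one monitored field across events."""
    return {getattr(e, field) for e in events}


def fires_on_distinct_subjects(events, start, threshold=DISTINCT_VALUES):
    """Reading A: the window must contain `threshold` different Subject
    values among the matching events. Two events with the same subject
    count once."""
    matched = matching_events(events, start)
    return len(distinct_field_values(matched, "subject")) >= threshold


def fires_on_keywords_in_one_subject(events, start, threshold=DISTINCT_VALUES):
    """Reading B: a single matching event's Subject must contain
    `threshold` or more of the keywords."""
    return any(
        len(keyword_hits(e.subject)) >= threshold
        for e in matching_events(events, start)
    )


if __name__ == "__main__":
    for start in (0, 40):
        print(f"window starting at t={start}s:",
              "distinct-subjects reading ->", fires_on_distinct_subjects(SAMPLE_EVENTS, start),
              "| keywords-in-one-subject reading ->", fires_on_keywords_in_one_subject(SAMPLE_EVENTS, start))
```

In the window starting at t=0 the two delivered "courier" emails share one Subject, so reading A sees only one distinct value and does not fire, while reading B fires because that one Subject carries two keywords. In the window starting at t=40 two different keyword-bearing Subjects appear, so reading A fires as well. Running a rule against a handful of constructed events like this, before enabling it, is a cheap way to confirm which of the two behaviours a given option actually implements.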