3 Replies Latest reply on Mar 6, 2017 4:40 PM by akerr

    How to choose one matching parameter for 2 Events on a correlation

    schrmat

      Hey,

      I want to build a correlation with the following logic:

      If ((Signature ID = 367-1284 and Source IP = x.x.x.x/16) and (Signature ID = 43-263046240 and Source IP = y.y.y.y/24)) from the same host within 24h then Alarm.

      So I built a "logical AND" in the correlation, with 2 filters inside it.

      The first filter says: Signature ID = 367-1284 and Source IP = x.x.x.x/16

      The second filter says: Signature ID = 43-263046240 and Source IP = y.y.y.y/24 (is it possible to work with IP ranges?)

      In the "logical AND" I have set the "time window" to 24 hours.

      It should only trigger if both events/filters have the same host.

      Where do I have to set this parameter?

      I set the "Group By" to "Host" but I am not really sure if it works.

      It is not so easy to trigger these events.

      Do you have an answer for me?

      Best regards,

      Mathias Schröder
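The rule described in the post, as an added example that is not from the thread or from any SIEM product: a small in-memory correlator that applies the two filters (signature ID plus a CIDR-matched source IP), groups matches by host, and alarms only when both filters have matched for the same host inside a 24-hour window. The event field names, the sample events, and the concrete CIDR ranges are constructed assumptions.

```python
import ipaddress
from datetime import datetime, timedelta

# The two filters from the post: signature ID plus a source-IP range.
# The CIDR values are constructed stand-ins for x.x.x.x/16 and y.y.y.y/24.
FILTERS = {
    "A": {"sig_id": "367-1284", "src_net": ipaddress.ip_network("10.1.0.0/16")},
    "B": {"sig_id": "43-263046240", "src_net": ipaddress.ip_network("192.168.5.0/24")},
}
WINDOW = timedelta(hours=24)

def matching_filters(event):
    """Names of the filters this event satisfies (source IP tested against the CIDR)."""
    src = ipaddress.ip_address(event["src_ip"])
    return {name for name, f in FILTERS.items()
            if event["sig_id"] == f["sig_id"] and src in f["src_net"]}

def correlate(events, window=WINDOW):
    """Group matches by host ("Group By: Host"); alarm when every filter has matched
    for one host inside `window`. Returns (host, alarm_time) tuples."""
    state = {}   # host -> {filter name: time of its latest match}
    alarms = []
    for ev in sorted(events, key=lambda e: e["time"]):
        names = matching_filters(ev)
        if not names:
            continue
        seen = state.setdefault(ev["host"], {})
        for n in names:
            seen[n] = ev["time"]
        # Forget matches older than the window, measured from this event.
        for n in list(seen):
            if ev["time"] - seen[n] > window:
                del seen[n]
        if set(seen) == set(FILTERS):
            alarms.append((ev["host"], ev["time"]))
            state[ev["host"]] = {}   # reset so the same pair does not alarm twice
    return alarms

# Constructed sample: srv1 sees both signatures 5h apart (alarm), srv2 sees both
# but 30h apart (no alarm), srv3's second event comes from outside the range.
T0 = datetime(2017, 3, 6, 8, 0)
SAMPLE_EVENTS = [
    {"time": T0, "host": "srv1", "sig_id": "367-1284", "src_ip": "10.1.7.9"},
    {"time": T0 + timedelta(hours=5), "host": "srv1", "sig_id": "43-263046240", "src_ip": "192.168.5.20"},
    {"time": T0, "host": "srv2", "sig_id": "367-1284", "src_ip": "10.1.2.2"},
    {"time": T0 + timedelta(hours=30), "host": "srv2", "sig_id": "43-263046240", "src_ip": "192.168.5.8"},
    {"time": T0, "host": "srv3", "sig_id": "43-263046240", "src_ip": "192.168.5.1"},
    {"time": T0 + timedelta(hours=1), "host": "srv3", "sig_id": "367-1284", "src_ip": "172.16.0.1"},
]
```

A real correlation engine evaluates this incrementally as events arrive; this version sorts a batch, which is enough to show how the host grouping key and the time window interact.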