3 Replies Latest reply on Mar 6, 2017 4:40 PM by akerr

    How to choose one matching parameter for 2 Events on a correlation




      I want to build a correlation with the following logic:


      If ((Signature ID = 367-1284 and Source IP = x.x.x.x/16) and (Signature ID = 43-263046240 and Source IP = y.y.y.y/24)) from same Host within 24h then Alarm.


      So I built in the correlation a "logical AND" where 2 filters are within.

      The first filter says: Signature ID = 367-1284 and Source IP = x.x.x.x/16

      The second filter says: Signature ID = 43-263046240 and Source IP = y.y.y.y/24 (is it possible to work with IP ranges?)

      In the "logical AND" I have set the "time window" to 24 hours.


      It should only trigger if both events/filters have the same host.


      Where do I have to set this parameter?

      I set the "Group By" to "Host" but I am not really sure if it works.


      It is not so easy to trigger these events.


      Do you have an answer for me?



      Best regards,


      Mathias Schröder
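Added example, not part of the original post and not McAfee ESM's own correlation engine: a small Python model of the rule described above (two filters ANDed, a 24-hour window, grouped by host), run over constructed sample events. It is meant to show what "Group By = Host" has to do for the rule to behave as intended, and how a CIDR range works as a filter condition. The signature IDs are taken from the post; the IP ranges, host names, event field names and timestamps are assumptions made up for the example.

```python
import ipaddress
from datetime import datetime, timedelta

# Hypothetical rule modelled on the post: both filters must match events from
# the SAME host within a 24 h window. Signature IDs come from the post; the IP
# ranges are placeholders (assumed), as are the event field names used below.
WINDOW = timedelta(hours=24)
FILTERS = [
    {"sig": "367-1284", "src": ipaddress.ip_network("10.0.0.0/16")},        # x.x.x.x/16
    {"sig": "43-263046240", "src": ipaddress.ip_network("192.168.1.0/24")},  # y.y.y.y/24
]


def matches(event, flt):
    """One filter = signature ID AND source IP inside the CIDR range."""
    return (event["sig"] == flt["sig"]
            and ipaddress.ip_address(event["src"]) in flt["src"])


def correlate(events, filters=FILTERS, window=WINDOW):
    """Return [(host, time)] alarms: the 'logical AND' of all filters,
    grouped by host, over a sliding window. Events may arrive unsorted."""
    state = {}   # host -> one list of match timestamps per filter
    alarms = []
    for ev in sorted(events, key=lambda e: e["time"]):
        host = ev["host"]
        per_host = state.setdefault(host, [[] for _ in filters])
        hit = False
        for i, flt in enumerate(filters):
            if matches(ev, flt):
                per_host[i].append(ev["time"])
                hit = True
        if not hit:
            continue
        # Drop matches older than the window, then test the AND condition.
        cutoff = ev["time"] - window
        for times in per_host:
            times[:] = [t for t in times if t >= cutoff]
        if all(per_host):
            alarms.append((host, ev["time"]))
            state[host] = [[] for _ in filters]   # re-arm instead of alarming on every later event
    return alarms


def run_example():
    """Constructed sample events (not real data) exercising each branch of the rule."""
    t0 = datetime(2017, 3, 1, 0, 0)
    h = lambda n: t0 + timedelta(hours=n)
    events = [
        # web-a: both filters hit, 2 h apart, same host -> alarm
        {"host": "web-a", "time": h(0), "sig": "367-1284", "src": "10.0.5.5"},
        {"host": "web-a", "time": h(2), "sig": "43-263046240", "src": "192.168.1.20"},
        # web-b: both hit but 30 h apart -> outside the window, no alarm
        {"host": "web-b", "time": h(0), "sig": "367-1284", "src": "10.0.5.6"},
        {"host": "web-b", "time": h(30), "sig": "43-263046240", "src": "192.168.1.30"},
        # web-c: second signature from an IP outside y.y.y.y/24 -> no alarm
        {"host": "web-c", "time": h(0), "sig": "367-1284", "src": "10.0.1.1"},
        {"host": "web-c", "time": h(1), "sig": "43-263046240", "src": "172.16.0.1"},
        # web-d / web-e: one signature each on different hosts -> no alarm (group by host)
        {"host": "web-d", "time": h(0), "sig": "367-1284", "src": "10.0.9.9"},
        {"host": "web-e", "time": h(1), "sig": "43-263046240", "src": "192.168.1.99"},
    ]
    return [(host, when.isoformat()) for host, when in correlate(events)]


if __name__ == "__main__":
    print(run_example())   # [('web-a', '2017-03-01T02:00:00')]
```

The point the sample makes: without the per-host grouping (the `state` dictionary keyed by `host`), the web-d/web-e pair would satisfy the AND and raise a false alarm, and without pruning against `cutoff` the web-b pair would alarm even though the two events are 30 hours apart. Whether the real product evaluates the "Group By" field exactly this way is something to confirm by firing the two test events against one host and then against two different hosts.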