Re: [Simple-evcorr-users] Multiple Correlation Question

2020-08-06 Thread Risto Vaarandi
hi Suat, one possible solution for addressing this task is to combine the EventGroup rule with contexts. Since EventGroup rule allows matching unordered event groups (e.g., events A, B and C can appear in any order), the purpose of contexts is to force specific event matching order. The example

Re: [Simple-evcorr-users] Multiple Correlation Question

2020-08-06 Thread Suat Toksöz
Thanks for the answer. I am looking for window-based detection; simply put, it is going to be something like SIEM log correlation. Within 10 min, events A, B and C must occur, and these three events must be in order (first A, then B, last C). Thanks, Suat Toksoz On Wed, Aug 5, 2020 at 11:58 PM Risto Vaarandi
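The approach Risto outlines (an EventGroup rule whose per-pattern contexts enforce the order A, then B, then C inside a 10-minute window), written out as an added illustration; this is not the example from Risto's message, and the patterns "event A", "event B", "event C" and the context names are constructed placeholders:

```sec
# Added illustration of ordered A -> B -> C matching with SEC (not the rule
# from the original thread). EventGroup3 matches the three patterns in any
# order within the window; the context/count fields below restrict that to
# the order A, then B, then C. Pattern strings and context names are
# constructed placeholders.
type=EventGroup3
# event A may be counted at any time; on match, remember that A was seen
ptype=RegExp
pattern=event A
count=create SEEN_A 600
# event B is counted only after A was seen; on match, remember B
ptype2=RegExp
pattern2=event B
context2=SEEN_A
count2=create SEEN_B 600
# event C is counted only after B (and therefore A) was seen
ptype3=RegExp
pattern3=event C
context3=SEEN_B
desc=events A, B and C observed in order within 10 minutes
# report the ordered sequence and clear the helper contexts for the next run
action=write - A, B and C observed in order within 10 minutes; delete SEEN_A; delete SEEN_B
window=600
thresh=1
thresh2=1
thresh3=1
```

Because the helper contexts are created with a 600-second lifetime, a C that arrives before B, or a B that arrives before A, is simply not counted, and a stale partial sequence expires with the window.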