hi Suat,
one possible solution for addressing this task is to combine the EventGroup
rule with contexts. Since the EventGroup rule allows matching unordered event
groups (e.g., events A, B and C can appear in any order), the purpose of
contexts is to force a specific event matching order. The example
Thanks for the answer. I am looking for window-based detection; simply put, it
is going to be something like SIEM log correlation. Within 10 min, events A, B
and C must occur, and these three events must be in order (first A, then B,
last C).
Thanks
Suat Toksoz
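As an added illustration of the EventGroup-plus-contexts approach Risto mentions, applied to the ordered A, B, C within 10 minutes requirement above (this is not Risto's rule and not taken from the SEC distribution): the event texts EVENT_A/EVENT_B/EVENT_C and the context names SEQ_A/SEQ_B are assumed placeholders.

```sec
# Added example: one EventGroup3 rule whose per-pattern contexts admit
# A, B and C only in that order, all inside a 600-second window.
# EVENT_A/EVENT_B/EVENT_C stand in for the real log lines (assumed),
# SEQ_A/SEQ_B are context names chosen for this example (assumed).
type=EventGroup3
# A opens a sequence; a second A is ignored while one is already open.
# Any stale SEQ_B from an earlier, expired attempt is cleared here.
ptype=SubStr
pattern=EVENT_A
context=!SEQ_A
count=create SEQ_A 600; delete SEQ_B
# B is counted only after A has been seen (and only once).
ptype2=SubStr
pattern2=EVENT_B
context2=SEQ_A && !SEQ_B
count2=create SEQ_B 600
# C is counted only after A and then B have been seen.
ptype3=SubStr
pattern3=EVENT_C
context3=SEQ_A && SEQ_B
desc=A, then B, then C within 10 minutes
action=write - ordered sequence A->B->C detected; delete SEQ_A; delete SEQ_B
window=600
thresh=1
thresh2=1
thresh3=1
```

A B that arrives before any A, or a C before B, simply is not counted, so the action fires only when the three events appear in order within 600 seconds of A.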
On Wed, Aug 5, 2020 at 11:58 PM Risto Vaarandi
hi Suat,
are you interested in some rule examples about detecting event sequences,
or are you investigating opportunities for creating a new rule type for
matching sequences of events? Many event sequences can be handled by
combining existing rules and contexts, so a new rule type might not be
hi all,
is it possible to have multiple (3, 4, ...) correlation rules on SEC?
For example, if event *A* happens, then event *B* happens, then event *C*
happens, and all events happen within 10 min.
--
Best regards,
*Suat Toksoz*
Simple-evcorr-users