Thanks for the answer. I am looking for window based detection; simply put, it is going to be something like SIEM log correlation. Within 10 min events A, B and C must occur, and these three events must be in order (first A, then B, last C).
Thanks
Suat Toksoz

On Wed, Aug 5, 2020 at 11:58 PM Risto Vaarandi <risto.vaara...@gmail.com> wrote:

> hi Suat,
>
> are you interested in some rule examples about detecting event sequences, or are you investigating opportunities for creating a new rule type for matching sequences of events? Many event sequences can be handled by combining existing rules and contexts, so a new rule type might not be needed for the task that you have. To clarify the task a little bit, should the solution apply a sliding window based detection if the entire sequence has not been observed within 10 minutes, or is it not important, and an incomplete sequence after 10 minutes (say, A and B are present but C is missing) terminates the event correlation scheme?
>
> kind regards,
> risto
>
> Contact Suat Toksöz (<stok...@gmail.com>) wrote on Wed, 5 August 2020 at 15:52:
>
>> hi all,
>>
>> is it possible to have multiple (3, 4..) correlation rules on SEC?
>>
>> For example, if event *A* happens, then event *B* happens, then event *C* happens, and all events happen within 10 min.
>>
>> --
>>
>> Best regards,
>>
>> *Suat Toksoz*
>>

--
Best regards,
*Suat Toksoz*
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
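As an added example that is not part of the thread and is not SEC's own rule language: a small Python implementation of the window-based, in-order A, B, C detection Suat describes, with the sliding-window behaviour Risto asks about (an A, B pair with no C is dropped once 10 minutes have passed since A, and out-of-order events are ignored). The log format and event names are constructed for the example.

```python
from datetime import datetime, timedelta

# Ordered sequence to detect and the correlation window, as in the thread.
SEQUENCE = ("A", "B", "C")
WINDOW = timedelta(minutes=10)

# Constructed sample log (not from the thread): "<timestamp> <event type>".
# The first A/B pair never gets its C inside 10 min; the second run does,
# with an out-of-order C in between that must be ignored.
SAMPLE_LOG = """\
2020-08-05 12:00:00 A
2020-08-05 12:03:00 B
2020-08-05 12:15:00 C
2020-08-05 12:20:00 A
2020-08-05 12:22:00 C
2020-08-05 12:24:00 B
2020-08-05 12:27:00 C
"""

def parse(log):
    """Yield (timestamp, event_type) pairs from the sample log format."""
    for line in log.splitlines():
        stamp, event = line.rsplit(" ", 1)
        yield datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"), event

def correlate(events, sequence=SEQUENCE, window=WINDOW):
    """Sliding-window detector: every first-step event opens a candidate, a
    candidate advances only on the next expected step, and it is dropped once
    the window measured from its first event has elapsed."""
    candidates = []   # each entry: timestamps of the steps matched so far
    matches = []      # (start, end) of each completed sequence
    for stamp, event in events:
        # Expire candidates that ran out of time (e.g. A and B seen, no C in time).
        candidates = [c for c in candidates if stamp - c[0] <= window]
        for cand in candidates:
            # Only the next expected step advances a candidate; other events are ignored.
            if event == sequence[len(cand)]:
                cand.append(stamp)
        matches += [(c[0], c[-1]) for c in candidates if len(c) == len(sequence)]
        candidates = [c for c in candidates if len(c) < len(sequence)]
        if event == sequence[0]:
            candidates.append([stamp])
    return matches

def detect(log=SAMPLE_LOG):
    """Run the detector over a log and return completed sequences as string pairs."""
    fmt = "%Y-%m-%d %H:%M:%S"
    return [(s.strftime(fmt), e.strftime(fmt)) for s, e in correlate(parse(log))]

if __name__ == "__main__":
    for start, end in detect():
        print(f"sequence A, B, C completed: {start} .. {end}")
```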