Trying to write a correlated rule that can alert me when a user from one location logs into a server at another one of our locations.
Good hosts: server1.0623.domain.com and server2.0623.domain.com
Bad hosts: server1.1821.domains.com or server1.0626.domain.com
So... how can I pull the 4-digit number from the user name and compare it to the 4-digit location number in the correlated rule? Do I have to pull this number into a cache variable and then compare it to a regex of the host name?
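The comparison asked about above, as an added example that is not part of the original post: Python stands in for the correlation rule because the post does not name the SIEM product. The user name format (`jdoe0623`) and all function names are assumptions; the host names are the ones from the post.

```python
import re

# Assumption: the host's location code is the 4-digit DNS label right after
# the server name, as in server1.0623.domain.com from the post.
HOST_LOC = re.compile(r"^[^.]+\.(\d{4})\.")
# Assumption: the location code is the first run of exactly four digits in the
# user name (e.g. "jdoe0623"); the post does not show the user name format.
USER_LOC = re.compile(r"(?<!\d)(\d{4})(?!\d)")


def location_of_user(user):
    m = USER_LOC.search(user)
    return m.group(1) if m else None


def location_of_host(host):
    m = HOST_LOC.match(host.lower())
    return m.group(1) if m else None


def evaluate(event):
    """Return 'match', 'mismatch' or 'unparsed' for one logon event."""
    u = location_of_user(event["user"])
    h = location_of_host(event["host"])
    if u is None or h is None:
        # Accounts or hosts without a code (service accounts, short names)
        # are reported separately instead of silently counting as a match.
        return "unparsed"
    return "match" if u == h else "mismatch"


# Constructed sample logon events: host names come from the post,
# user names are hypothetical.
EVENTS = [
    {"user": "jdoe0623", "host": "server1.0623.domain.com"},
    {"user": "jdoe0623", "host": "server2.0623.domain.com"},
    {"user": "jdoe0623", "host": "server1.1821.domains.com"},
    {"user": "jdoe0623", "host": "server1.0626.domain.com"},
    {"user": "svc_backup", "host": "server1.0623.domain.com"},
]


def alerts(events):
    """Return (user, host) pairs where the two location codes differ."""
    return [(e["user"], e["host"]) for e in events if evaluate(e) == "mismatch"]


if __name__ == "__main__":
    for user, host in alerts(EVENTS):
        print(f"ALERT cross-location logon: {user} -> {host}")
```

In a SIEM the same logic is usually two extraction steps (one capture group per field) followed by a not-equal condition on the two extracted values.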