Kyle Howson

Incident Management Advanced Rule Builder

Discussion created by Kyle Howson on Nov 16, 2016

Hello,

I'm trying to figure out how to write a more complex rule that does the following:

- Create an Incident if a system has an IOC, grouped by IP address, during a 24 hour time period.
    - If an alert exists from the same IP address for a Malware alert, add it to the incident.
    - If an alert exists from the same IP address for an IPS rule flagged, add it to the incident.

I thought I had this, but it never seems to add the additional alerts for the same IP address.

I am thinking that in order to do the logical AND/OR I might need to use the advanced query builder, but there are no good tutorials on it.

Let me know if someone has an example query I can use as a template or possibly how they accomplished this in another way.