I'm trying to figure out how to write a more complex rule that does the following:
- Create Incident if system has an IOC group by IP address during a 24 hour time period.
- If an alert exists from the same IP address for a Malware alert add to incident
- If an alert exists from the same IP address for an IPS rule flagged add to incident
I thought I had this, but it never seems to add the additional alerts for the same IP address...
I am thinking that in order to do the logical AND/OR I might need to use the advanced query builder, but there are no good tutorials on it.
Let me know if someone has an example query I can use as a template or possibly how they accomplished this in another way.
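An added example (not from the original post, and not tied to any particular product's rule engine, since the post does not name one) of the correlation logic the three bullets describe, written in Python over constructed sample alerts. It assumes each alert carries a timestamp, source IP and type, and that the 24-hour window is measured from the incident's first IOC alert in either direction.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)

# Constructed sample alerts (not real data): ioc, malware and ips alert types.
SAMPLE_ALERTS = [
    {"time": "2024-01-10T08:00:00", "ip": "10.0.0.5", "type": "ioc", "name": "known-c2-domain"},
    {"time": "2024-01-10T09:30:00", "ip": "10.0.0.5", "type": "malware", "name": "trojan-dropper"},
    {"time": "2024-01-10T11:00:00", "ip": "10.0.0.5", "type": "ips", "name": "sid:12345"},
    {"time": "2024-01-10T10:00:00", "ip": "10.0.0.9", "type": "malware", "name": "adware"},  # no IOC: no incident
    {"time": "2024-01-12T08:00:00", "ip": "10.0.0.5", "type": "ips", "name": "sid:67890"},  # 48h after first IOC
    {"time": "2024-01-12T09:00:00", "ip": "10.0.0.5", "type": "ioc", "name": "known-c2-domain"},  # second incident
]

def parse(alerts):
    """Convert ISO timestamps to datetime objects."""
    return [dict(a, time=datetime.fromisoformat(a["time"])) for a in alerts]

def correlate(alerts, window=WINDOW):
    """Return incidents: an IOC alert opens one per IP (or joins that IP's
    incident if within the window); malware and IPS alerts attach to the
    same-IP incident whose window covers them. Alerts from an IP with no
    IOC never create an incident."""
    alerts = sorted(parse(alerts), key=lambda a: a["time"])
    incidents = []
    # Pass 1: IOC alerts define incidents and their anchor (start) times.
    for a in alerts:
        if a["type"] != "ioc":
            continue
        open_inc = next((i for i in incidents if i["ip"] == a["ip"]
                         and a["time"] - i["start"] <= window), None)
        if open_inc is None:
            incidents.append({"ip": a["ip"], "start": a["time"], "alerts": [a]})
        else:
            open_inc["alerts"].append(a)
    # Pass 2: malware/IPS alerts join the first same-IP incident whose window
    # covers them (assumption: +/- 24h around the first IOC alert).
    for a in alerts:
        if a["type"] not in ("malware", "ips"):
            continue
        for inc in incidents:
            if inc["ip"] == a["ip"] and abs(a["time"] - inc["start"]) <= window:
                inc["alerts"].append(a)
                break
    return incidents

if __name__ == "__main__":
    for inc in correlate(SAMPLE_ALERTS):
        print(inc["ip"], inc["start"], [a["name"] for a in inc["alerts"]])
```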