How would you create a correlation rule which alerts on events that should have had a preceding event? I mean, a user is accessing some resources (event1) without a login event (event0) having been received before.
I have not tried this, but I hope this should work.
Create a statement filter and specify the threshold as "consider if no events come within x seconds", and specify the event0 you are looking for.
After this, create a new statement filter and specify the event1 here.
Then, in the Add/Modify Circuit Definition window, specify the operator between statement1 and statement2 as "followed by".
Sounds good to me, will try this afternoon and let you know if it works.
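The logic discussed in this thread (event1 with no event0 inside the preceding window), as an added Python example that is not part of the original posts and does not use the product's rule engine. The log format, field names and the 1800-second window are assumptions, and the sample lines are constructed.

```python
from datetime import datetime

# Constructed sample events (assumed format): timestamp user event resource
SAMPLE_LOG = """\
2024-05-01T09:00:00 alice login -
2024-05-01T09:02:10 alice access /finance/q1.xlsx
2024-05-01T09:03:00 bob access /hr/payroll.db
2024-05-01T09:40:00 alice access /finance/q2.xlsx
2024-05-01T09:41:00 carol login -
2024-05-01T09:41:05 carol access /wiki/home
"""

def parse(log_text):
    """Turn log lines into (datetime, user, kind, resource) tuples."""
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of failing the whole run
        ts, user, kind, resource = parts
        events.append((datetime.fromisoformat(ts), user, kind, resource))
    return events

def access_without_login(events, window_seconds):
    """Return access events (event1) with no login (event0) by the same
    user in the preceding window_seconds."""
    last_login = {}  # user -> time of most recent login seen
    alerts = []
    # Sort by time; on equal timestamps process the login first.
    for ts, user, kind, resource in sorted(
            events, key=lambda e: (e[0], e[2] != "login")):
        if kind == "login":
            last_login[user] = ts
        elif kind == "access":
            seen = last_login.get(user)
            if seen is None or (ts - seen).total_seconds() > window_seconds:
                alerts.append((ts.isoformat(), user, resource))
    return alerts

if __name__ == "__main__":
    for alert in access_without_login(parse(SAMPLE_LOG), window_seconds=1800):
        print("ALERT access without preceding login:", alert)
```

Keeping state per user is what stops one user's login from suppressing the alert for another user's access.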