I need assistance in creating the below rule using EPL.
The alert needs to be triggered if there is a number of deny traffic events followed by a permit from a particular source to a particular destination.
I have tried the RSA Live rule "Excessive Inbound Traffic Followed by Success", but it is triggering alerts even if the traffic is from a source IP to multiple destinations.
Can anyone help?
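The behaviour described in the question (alerts firing when one source hits many destinations) comes from keeping the deny count per source only. The added example below is not EPL and not RSA's rule; it is a Python simulation of the same correlation that runs over a few constructed key=value firewall log lines and shows the difference between keying the deny state on the source alone and keying it on the (source, destination) pair. The log format, field names (`action`, `src`, `dst`), the threshold of 3 denies and the 5-minute window are all assumptions made for the illustration.

```python
# Added example (not RSA/ESA code): simulates "N denies followed by a permit"
# and shows why the state must be keyed on the (source, destination) pair
# rather than on the source alone. Log lines and field names are constructed.
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample firewall log lines: one scanner-like source (many dst),
# one brute-force-like source (same dst), one source whose permit comes
# too late to fall inside the window.
SAMPLE_LOG = """\
2024-01-01T10:00:00 action=deny src=10.0.0.5 dst=192.168.1.10
2024-01-01T10:00:05 action=deny src=10.0.0.5 dst=192.168.1.11
2024-01-01T10:00:10 action=deny src=10.0.0.5 dst=192.168.1.12
2024-01-01T10:00:15 action=permit src=10.0.0.5 dst=192.168.1.13
2024-01-01T10:01:00 action=deny src=10.0.0.7 dst=192.168.1.20
2024-01-01T10:01:10 action=deny src=10.0.0.7 dst=192.168.1.20
2024-01-01T10:01:20 action=deny src=10.0.0.7 dst=192.168.1.20
2024-01-01T10:01:30 action=permit src=10.0.0.7 dst=192.168.1.20
2024-01-01T10:20:00 action=deny src=10.0.0.9 dst=192.168.1.30
2024-01-01T10:20:01 action=deny src=10.0.0.9 dst=192.168.1.30
2024-01-01T10:20:02 action=deny src=10.0.0.9 dst=192.168.1.30
2024-01-01T10:40:00 action=permit src=10.0.0.9 dst=192.168.1.30
"""


def parse_line(line):
    """Parse one constructed 'ts key=value ...' log line into a dict."""
    ts, *pairs = line.split()
    event = dict(p.split("=", 1) for p in pairs)
    event["ts"] = datetime.fromisoformat(ts)
    return event


def correlate(lines, key_fields=("src", "dst"), min_denies=3,
              window=timedelta(minutes=5)):
    """Return one alert per key that sees >= min_denies denies inside
    `window` and is then followed by a permit.

    `key_fields` is what the per-key deny state is partitioned on; this is
    the knob that decides whether a scan across many destinations alerts.
    """
    denies = defaultdict(deque)   # key -> timestamps of recent denies
    alerts = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        key = tuple(ev[f] for f in key_fields)
        recent = denies[key]
        # Evict denies that have slid out of the time window.
        while recent and ev["ts"] - recent[0] > window:
            recent.popleft()
        if ev["action"] == "deny":
            recent.append(ev["ts"])
        elif ev["action"] == "permit":
            if len(recent) >= min_denies:
                alerts.append({"key": key, "denies": len(recent),
                               "permit_at": ev["ts"]})
            recent.clear()   # a permit ends the burst whether or not it alerted
    return alerts


def alerts_keyed_by_source():
    """What the question reports: one source scanning many hosts alerts."""
    return correlate(SAMPLE_LOG, key_fields=("src",))


def alerts_keyed_by_pair():
    """What the question wants: only repeated denies to the SAME dst alert."""
    return correlate(SAMPLE_LOG, key_fields=("src", "dst"))


if __name__ == "__main__":
    print("keyed by source only:", [a["key"] for a in alerts_keyed_by_source()])
    print("keyed by (src, dst): ", [a["key"] for a in alerts_keyed_by_pair()])
```

Run stand-alone, the source-only variant alerts on both 10.0.0.5 and 10.0.0.7, while the pair-keyed variant alerts only on 10.0.0.7 to 192.168.1.20; 10.0.0.9 never alerts because its permit arrives after the window has expired. The same idea carries over to Esper EPL: whatever construct the rule uses (a grouped window, a context, or a `match_recognize` `partition by`), it must partition on both the source and the destination meta keys, not on the source alone; the exact meta key names depend on the RSA schema in your environment.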