Hi David,
we had a very similar problem. Our approach was to write two rules that each wrote something to a reference table when their event occurred. We then alerted when both entries were present in the reference table.
Reference tables are always a possibility if you want to "remember" something. Unfortunately, they do not react completely in real time.
Perhaps this will help?
Many greetings
Oliver
------------------------------
Kind regards
Oliver
------------------------------
Original Message:
Sent: Mon December 20, 2021 06:44 AM
From: DAVID SANZ POZAS
Subject: Correlate two events from two different log sources with the same log Start Time
Hi community,
I have a problem making an offense and I would like to know if you can give me any advice. I am trying to correlate two events from two log sources; both events have the same start time, therefore the rule doesn't work because the second event would have to come after the first. Any idea? Can a delay be added manually to a log source?
Thanks!
David
------------------------------
DAVID SANZ POZAS
------------------------------