Thanks Thobiyas.
I tried using the below query and it works in search, but I get a different error when I try to add it in the rule wizard.
SELECT sourceip, destinationip FROM events WHERE sourceip != destinationip GROUP BY sourceip
Error:
"You must specify at least one column in the Group By list to create a rule of this type. Edit the saved search and try again."
Any idea how to resolve it?
Thanks
Arunkumar
#QRadar#Support#SupportMigration
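An added example, not part of Arunkumar's post: the same AQL search rewritten so that every selected column is either named in the GROUP BY list or wrapped in an aggregate. The grouped form below keeps the poster's filter and grouping column and adds per-source counts; the assumption is that the rule wizard accepts a grouped saved search only when the non-grouped columns are aggregated, which the post itself does not establish. The time window (LAST 1 HOURS), the aliases and the choice of UNIQUECOUNT and COUNT are assumptions for illustration.

```sql
-- Added example (not the original poster's query): each selected column is
-- either the GROUP BY key (sourceip) or an aggregate over the group.
SELECT sourceip,
       UNIQUECOUNT(destinationip) AS distinct_destinations,  -- assumed aggregate
       COUNT(*)                    AS event_count
FROM events
WHERE sourceip != destinationip
GROUP BY sourceip
LAST 1 HOURS   -- assumed time window; adjust to the rule's scope
```

Run it in the Log Activity search first; if it returns one row per sourceip with the two counts, save the search and then retry the rule wizard with the saved search selected.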