I tried to exclude (And NOT) events where the source and destination IP are the same, but I could not find the option for this in the Rule Wizard.
How can I add this condition? Anyone, please help get this resolved.
You can use an AQL query and call it in the rule.
I tried using the query below and it works in search, but I got a different error when I tried to add it in the Rule Wizard.
SELECT sourceip, destinationip FROM events WHERE sourceIP != destinationip GROUP BY sourceIP
"You must specify at least one column in the Group By list to create a rule of this type. Edit the saved search and try again. "
Any idea how to resolve it?