IBM Security QRadar


Log Sources stopped rule with sequence test

  • 1.  Log Sources stopped rule with sequence test

    Posted Thu February 23, 2023 09:55 AM

    Hello,

    There was a blog post/tech note/discussion/comment somewhere on how to build a rule based on Building Blocks and the test "when these rules match at least this many times in this many minutes after any of these rules match with the same event properties", so without the "when the event(s) have not been detected by one or more of these log sources for this many seconds" test and without a Reference Set.

    Does anyone have the link or know how to construct such a rule?

    Best regards
    Simon



  • 2.  RE: Log Sources stopped rule with sequence test

    Posted Wed March 15, 2023 03:48 AM

    Found the answer in one of the built-in rules:

    Apply Device Stopped Sending Events (Firewall, IPS, VPN or Switch) on events which are detected by the Local system
    and when none of BB:DeviceDefinition: FW / Router / Switch, BB:DeviceDefinition: IDS / IPS, BB:DeviceDefinition: VPN match in 30 minutes after BB:DeviceDefinition: FW / Router / Switch, BB:DeviceDefinition: IDS / IPS, BB:DeviceDefinition: VPN match with the same Log Source



    ------------------------------
    Simon S.
    ------------------------------
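The sequence test in the built-in rule quoted above, emulated in Python as an added example (this is not code from the thread or from QRadar). The device tags stand in for the three BB:DeviceDefinition building blocks, the log source names and event lines are constructed sample data, and `now` is the moment at which the rule engine is assumed to evaluate its timers:

```python
from datetime import datetime, timedelta

# Emulates the QRadar sequence test:
#   "none of <device BBs> match in 30 minutes after <device BBs> match
#    with the same Log Source"
# FW / IDS / VPN are stand-ins for BB:DeviceDefinition: FW / Router / Switch,
# IDS / IPS and VPN. Every event line below is constructed sample data.
WINDOW = timedelta(minutes=30)
DEVICE_BB_TAGS = {"FW", "IDS", "VPN"}

SAMPLE_EVENTS = """\
2023-02-23T09:00:00 fw01 FW
2023-02-23T09:10:00 fw01 FW
2023-02-23T09:05:00 vpn01 VPN
2023-02-23T09:20:00 vpn01 VPN
2023-02-23T09:50:00 vpn01 VPN
2023-02-23T09:00:00 ids01 IDS
2023-02-23T09:30:00 web01 WEB
"""

def parse_events(text):
    """Constructed line format: '<ISO timestamp> <log source> <device tag>'."""
    events = []
    for line in text.splitlines():
        ts, log_source, tag = line.split()
        events.append((datetime.fromisoformat(ts), log_source, tag))
    return sorted(events)  # the sequence test sees events in time order

def stopped_sending(events, now, window=WINDOW):
    """Return {log_source: fire_time} for sources whose rule fired by `now`.

    A match from a log source starts a 30-minute timer; a later match from the
    *same* log source restarts it. If the timer expires with no new match, the
    rule fires at last_match + window. A source that never matched a device BB
    (web01 here) can never fire: the rule only notices silence from log
    sources it has already seen, which is its blind spot.
    """
    last_match = {}
    for ts, log_source, tag in events:
        if tag in DEVICE_BB_TAGS:
            last_match[log_source] = ts  # restart this source's timer
    return {ls: ts + window for ls, ts in last_match.items() if ts + window <= now}

def run_example(now_iso="2023-02-23T10:00:00"):
    """Evaluate the sample events as of `now_iso` (constructed evaluation time)."""
    return stopped_sending(parse_events(SAMPLE_EVENTS), datetime.fromisoformat(now_iso))

if __name__ == "__main__":
    for ls, when in sorted(run_example().items()):
        print(f"{ls}: stopped sending, rule fires at {when:%H:%M}")
```

Moving `now` forward shows the timer semantics: vpn01 is silent from 09:50, so it only fires once the evaluation time passes 10:20.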