I am trying to write a correlation rule that fires when the same user
(InitiatorUserID) accesses the internet from two or more different
computers (SourceIP).

The rule I defined is as follows:

window((w.SourceIP != e.SourceIP),filter((e.EventName = "GET")), 120)
flow trigger(2,120,discriminator(e.InitiatorUserID))

But it always fires, i.e. when it fires, the SourceIPs of the two events
are the same.

What am I doing wrong?


hkalyoncu's Profile: https://forums.netiq.com/member.php?userid=3117
View this thread: https://forums.netiq.com/showthread.php?t=46481
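Added example (not from the original post or from NetIQ Sentinel): a plain-Python model of the detection the post is after, run over a constructed batch of events. `correlate_per_user` implements the intended logic, comparing each GET only against earlier GETs by the same InitiatorUserID inside the 120-second window. `correlate_without_user_join` is an assumed model of the posted rule, in which the window clause compares the current SourceIP against every earlier GET in the window regardless of user and the trigger then counts the passing events per user; under that assumption it fires on two events from the same IP, which is the symptom described. The event tuples, user names, IPs and timestamps are all constructed for illustration.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 120

# Constructed sample events: (timestamp_seconds, InitiatorUserID, SourceIP, EventName)
SAMPLE_EVENTS = [
    (0,   "alice", "10.0.0.5",  "GET"),
    (30,  "bob",   "10.0.0.9",  "GET"),
    (45,  "alice", "10.0.0.5",  "GET"),   # alice again, same IP
    (60,  "alice", "10.0.0.5",  "GET"),   # and again, still the same IP
    (75,  "alice", "10.0.0.5",  "POST"),  # not a GET, filtered out
    (90,  "alice", "10.0.0.7",  "GET"),   # alice from a second IP within 120 s
    (400, "bob",   "10.0.0.9",  "GET"),
    (450, "bob",   "10.0.0.21", "GET"),   # bob from a second IP within 120 s
    (700, "bob",   "10.0.0.33", "GET"),   # bob's earlier GETs have aged out of the window
]


def _evict(q, now, window):
    """Drop entries older than the window from the left of a deque of (ts, ...)."""
    while q and now - q[0][0] > window:
        q.popleft()


def correlate_per_user(events, window=WINDOW_SECONDS):
    """Intended detection: fire when a user's GET comes from a SourceIP that differs
    from another GET by the *same* user within the window.
    Returns a list of (ts, user, sorted distinct SourceIPs involved)."""
    recent = defaultdict(deque)       # user -> deque of (ts, ip) for that user's GETs
    alerts = []
    for ts, user, ip, name in events:
        if name != "GET":
            continue
        q = recent[user]
        _evict(q, ts, window)
        other_ips = {w_ip for _, w_ip in q if w_ip != ip}
        if other_ips:
            alerts.append((ts, user, sorted(other_ips | {ip})))
        q.append((ts, ip))
    return alerts


def correlate_without_user_join(events, window=WINDOW_SECONDS, threshold=2):
    """Assumed model of the posted rule: the window clause compares the current
    SourceIP with every earlier GET in the window, whatever its user, and the
    trigger then counts passing events per InitiatorUserID.
    Returns a list of (ts, user, SourceIPs of the counted events)."""
    all_recent = deque()              # (ts, ip) of every GET from every user
    passed = defaultdict(deque)       # user -> (ts, ip) of events that passed the window clause
    alerts = []
    for ts, user, ip, name in events:
        if name != "GET":
            continue
        _evict(all_recent, ts, window)
        if any(w_ip != ip for _, w_ip in all_recent):
            q = passed[user]
            _evict(q, ts, window)
            q.append((ts, ip))
            if len(q) >= threshold:
                alerts.append((ts, user, [p_ip for _, p_ip in q]))
                q.clear()             # reset the count once the trigger has fired
        all_recent.append((ts, ip))
    return alerts


if __name__ == "__main__":
    print("per-user join:     ", correlate_per_user(SAMPLE_EVENTS))
    print("without user join: ", correlate_without_user_join(SAMPLE_EVENTS))
```

The point the two functions make is that "different SourceIP" only means something once the comparison is restricted to events of the same user; a window that matches across users will let bob's GET make alice's unchanged-IP GETs pass, after which a per-user trigger counting two such events fires on two identical SourceIPs.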