I need a correlation about Check Point Firewall logs. Let me try to
If a sourceIP of a "drop" log appears as the targetIP of an "access" log
in 6 hours, they want the correlation to be fired.
For example, a firewall "drop" log with sourceIP( comes, then an
"access" log with targetIP( comes in the next 6 hours; the
correlation must be fired.

I think it cannot be solved with a sequence rule. I thought that I could
use "window" structure but couldn't figure out how to solve this one.
Can anyone help me with this?

adilga's Profile: https://forums.netiq.com/member.php?userid=2291
View this thread: https://forums.netiq.com/showthread.php?t=47895
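The correlation logic described in the post (a "drop" whose sourceIP later appears as the targetIP of an "access" within 6 hours), as an added stand-alone Python example that is not part of the original post and not Sentinel's rule language. It keeps a per-IP window of pending drops and fires when a matching access arrives; the key=value log layout and the IP addresses are constructed for the example, not real Check Point output.

```python
from collections import deque
from datetime import datetime, timedelta

WINDOW = timedelta(hours=6)

# Constructed sample events in a simplified key=value layout (not real
# Check Point output): a drop followed 1.5 h later by an access back to the
# dropped source (should fire), and a drop followed 7 h later by an access
# (outside the window, should not fire), plus unrelated traffic.
SAMPLE_LOG = """\
2024-03-01T08:00:00 action=drop src=203.0.113.7 dst=198.51.100.20
2024-03-01T09:30:00 action=access src=198.51.100.20 dst=203.0.113.7
2024-03-01T10:00:00 action=drop src=203.0.113.9 dst=198.51.100.21
2024-03-01T11:00:00 action=access src=198.51.100.22 dst=192.0.2.10
2024-03-01T17:00:00 action=access src=198.51.100.21 dst=203.0.113.9
"""

def parse_log(text):
    """Parse the constructed lines into time-sorted event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append({"time": datetime.fromisoformat(ts),
                       "action": kv["action"],
                       "sourceIP": kv["src"],
                       "targetIP": kv["dst"]})
    return sorted(events, key=lambda e: e["time"])

def correlate(events, window=WINDOW):
    """Return (drop, access) pairs where a drop's sourceIP shows up as the
    targetIP of a later access within `window`. Events must be time-sorted."""
    pending = {}   # sourceIP of a drop -> deque of drop events, oldest first
    hits = []
    for ev in events:
        if ev["action"] == "drop":
            pending.setdefault(ev["sourceIP"], deque()).append(ev)
        elif ev["action"] == "access":
            queue = pending.get(ev["targetIP"])
            if not queue:
                continue
            # Expire drops that fell out of the window before matching
            while queue and ev["time"] - queue[0]["time"] > window:
                queue.popleft()
            hits.extend((drop, ev) for drop in queue)
    return hits

if __name__ == "__main__":
    for drop, access in correlate(parse_log(SAMPLE_LOG)):
        print(f"FIRE: {drop['sourceIP']} dropped at {drop['time']}, "
              f"accessed at {access['time']}")
```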