In Sentinel, I found some situations that are considered as

1. When I click on "View trigger" for a correlated event that
happened some days ago, it is supposed to show all the related events in
a new tab. However, it showed all events instead of the related events. I
found that it may be caused by the "search duration", which was not
modified based on the correlated event. If I modified the duration
correctly, the correct result could be shown.

2. I added the correlated event to an incident through the search tab,
so I could see it in "Associated Events" in the
"Incident view". When I tried "View Trigger Events" in the incident
menu, the same problem occurred as in point 1 above.

3. Referring to point 2, when I clicked "View Trigger Events", it jumped
to the browser and flashed an error screen as below.

"Error searching events. Exception: (TypeError) stack:

Then it reloaded quickly to the point 2 screen as described above.

4. Also, how can I write a correlation rule that checks if the source IP
is in a specific range? I can only create a dynamic list of IP addresses
and TYPE IN all of them one by one, and there is no way to import them.

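The range check asked about in point 4 is, in general terms, a CIDR membership test: keep the ranges as prefixes (one per line in a text file, which is also the natural import format) instead of enumerating every address in a dynamic list, and test each event's source IP against them. The following is an added example, not Sentinel's correlation rule language or any code from this thread; the range list, the event records, and the field name `sip` are constructed for illustration.

```python
import ipaddress

# Constructed range list, in the form a practitioner would keep in a text file
# (one CIDR per line, '#' comments allowed) instead of typing every address.
RANGE_LIST_TEXT = """
# internal management network
10.10.0.0/16
192.168.50.0/24
2001:db8:cafe::/48
"""

# Constructed sample events; 'sip' (source IP) is an assumed field name.
SAMPLE_EVENTS = [
    {"id": 1, "sip": "10.10.4.7",        "name": "ssh login"},
    {"id": 2, "sip": "8.8.8.8",          "name": "dns query"},
    {"id": 3, "sip": "192.168.50.250",   "name": "rdp login"},
    {"id": 4, "sip": "2001:db8:cafe::1", "name": "ipv6 probe"},
    {"id": 5, "sip": "not-an-ip",        "name": "malformed source"},
]


def parse_ranges(text):
    """Parse CIDR ranges from text, skipping blank lines and comments."""
    ranges = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            # strict=False accepts host bits set, e.g. 10.10.1.1/16
            ranges.append(ipaddress.ip_network(line, strict=False))
    return ranges


def ip_in_ranges(ip_text, ranges):
    """True if ip_text parses as an IP and lies in any range.

    IPv4 and IPv6 are handled; a v4 address never matches a v6 prefix.
    A malformed source IP is treated as a non-match rather than an error,
    so one bad record cannot abort the whole correlation pass.
    """
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in ranges)


def match_events(events, ranges):
    """Return the ids of events whose source IP falls inside the ranges."""
    return [e["id"] for e in events if ip_in_ranges(e.get("sip", ""), ranges)]


if __name__ == "__main__":
    nets = parse_ranges(RANGE_LIST_TEXT)
    print("ranges:", [str(n) for n in nets])
    print("matching event ids:", match_events(SAMPLE_EVENTS, nets))
```

Three prefixes here replace what would otherwise be tens of thousands of individual list entries, and adding or removing a range is a one-line change to the text file rather than re-typing addresses.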