I want a correlated rule for when some event does NOT happen. For example, a
backup job will generate a success or failed event; however, if the job was
killed, there won't be any alerts! I want a correlated alert to trigger
if no backup events (in this example) are received in 24 hrs (indicating
backup was not attempted).

Is there a way to do such a negative lookup in Sentinel 7.1.2?

Any help is appreciated...


pimpalp's Profile: https://forums.netiq.com/member.php?userid=5587
View this thread: https://forums.netiq.com/showthread.php?t=51227