Hi,

I have several correlation rules like this:


filter(((e.Severity > 2)) AND ((not e.TargetPort inlist Ports)))flow
trigger(150,60,discriminator(e.TenantName,e.ObserverIP,e.EventName,e.SourceIP))

and once it fires, it will create an incident automatically.

I'm now fine-tuning the rules and want the above rule not to fire in
certain situations, such as when:
sourceip=192.168.10.10 AND targetip=8.8.8.8 AND targetport=53, AND NOT
sourceip=172.16.4.5 AND targetip=8.8.4.4 AND targetport=80, AND NOT
sourceip=175.45.17.99 AND targetip=10.10.25.120 AND targetport=80, AND NOT
....
....
....

There will be quite a lot, say 1x+ situations. I tried to put these into
sub-rules, but it will be extremely messy when it grows. May I ask for
a best (or at least manageable) practice for achieving this?

Best regards,
Jack


--
jackcheng
------------------------------------------------------------------------
jackcheng's Profile: https://forums.netiq.com/member.php?userid=1387
View this thread: https://forums.netiq.com/showthread.php?t=51365
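As an added illustration (not part of Jack's post, and not NetIQ Sentinel's own correlation engine), the Python below models the two stages of the rule as he describes them: a filter stage, followed by a count/window trigger grouped by the discriminator fields. The point it demonstrates is the one the question is about: the exclusions are kept as a small table of (SourceIP, TargetIP, TargetPort) rows that the filter consults, so adding the 1x-th case is one more row rather than one more AND NOT clause. The event field names, the sliding-window trigger semantics (150 filtered events sharing one discriminator value within 60 seconds, firing once and then starting a fresh count), the contents of the "Ports" list and the sample events are all assumptions constructed for this example.

```python
"""Model of a filter -> trigger correlation rule with a tuple exclusion table.

Constructed example. This is not Sentinel's engine; it only mirrors the
rule text in the post: filter(Severity > 2 AND TargetPort not in Ports)
flow trigger(150, 60, discriminator(TenantName, ObserverIP, EventName, SourceIP)).
"""
import csv
import io
from collections import defaultdict, deque

# Exclusion table (assumption: one row per suppressed combination). Each row
# replaces one "AND NOT sourceip=... AND targetip=... AND targetport=..." clause.
EXCLUSIONS_CSV = """SourceIP,TargetIP,TargetPort
192.168.10.10,8.8.8.8,53
172.16.4.5,8.8.4.4,80
175.45.17.99,10.10.25.120,80
"""

# Stand-in for the "Ports" list referenced by the rule (assumed contents).
PORTS = {22, 443}

DISCRIMINATOR = ("TenantName", "ObserverIP", "EventName", "SourceIP")


def load_exclusions(text):
    """Parse the exclusion table into a set of (src, dst, port) tuples for O(1) lookup."""
    rows = csv.DictReader(io.StringIO(text))
    return {(r["SourceIP"], r["TargetIP"], int(r["TargetPort"])) for r in rows}


def passes_filter(e, exclusions, ports=PORTS):
    """Filter stage: the rule's own conditions, plus the exclusion table."""
    if not e["Severity"] > 2:
        return False
    if e["TargetPort"] in ports:
        return False
    # The whole 1x+ exception list collapses to a single membership test.
    return (e["SourceIP"], e["TargetIP"], e["TargetPort"]) not in exclusions


class Trigger:
    """Fire when `count` events with the same discriminator key arrive within `window` seconds."""

    def __init__(self, count=150, window=60, fields=DISCRIMINATOR):
        self.count, self.window, self.fields = count, window, fields
        self.buckets = defaultdict(deque)  # key -> timestamps of recent events

    def feed(self, e):
        key = tuple(e[f] for f in self.fields)
        q = self.buckets[key]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > self.window:  # drop events outside the window
            q.popleft()
        if len(q) >= self.count:
            q.clear()  # fire once, then start counting afresh (assumed semantics)
            return key
        return None


def run(events, exclusions, count=150, window=60):
    """Push events through filter then trigger; return the discriminator keys that fired."""
    trig = Trigger(count, window)
    fired = []
    for e in events:
        if passes_filter(e, exclusions):
            key = trig.feed(e)
            if key is not None:
                fired.append(key)
    return fired


def make_events():
    """Constructed sample: 160 high-severity DNS events each from an excluded
    host (192.168.10.10) and a non-excluded host (10.9.9.9), interleaved over 40s."""
    base = {"Severity": 3, "TenantName": "t1", "ObserverIP": "10.0.0.1",
            "EventName": "ConnAttempt", "TargetIP": "8.8.8.8", "TargetPort": 53}
    events = []
    for i in range(160):
        events.append(dict(base, ts=i * 0.25, SourceIP="192.168.10.10"))
        events.append(dict(base, ts=i * 0.25, SourceIP="10.9.9.9"))
    return events


if __name__ == "__main__":
    excl = load_exclusions(EXCLUSIONS_CSV)
    print("with exclusions:   ", run(make_events(), excl))
    print("without exclusions:", run(make_events(), set()))
```

With the table loaded, only the 10.9.9.9 bucket reaches 150 events and fires; the 192.168.10.10 traffic never enters the trigger stage at all, because it is removed in the filter. Whether the real product lets a correlation rule test a composite key against a dynamic list this way is something to confirm against the Sentinel documentation; the structural point stands regardless: keep the exceptions as data that the rule reads, not as logic inside the rule.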