I've got several correlation rules like this:

filter(((e.Severity > 2)) AND ((not e.TargetPort inlist
trigger(150,60,discriminator(e.TenantName,e.ObserverIP,e.EventName,e.SourceIP))

and once it fires, it will create an incident automatically.

I'm now fine-tuning the rules and want the above rules not to fire in
certain situations, such as when:
sourceip= AND targetip= AND targetport=53, AND NOT
sourceip= AND targetip= AND targetport=80, AND NOT
sourceip= AND targetip= AND targetport= 80, AND

There will be quite a lot of these, say 1x+ situations. I tried to put them into
sub-rules, but it will become extremely messy as the list grows. May I ask for
a best (or at least manageable) practice for achieving this?

Best regards,

jackcheng's Profile: https://forums.netiq.com/member.php?userid=1387
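The post's alternative to a growing chain of NOT clauses is a data-driven exception table. The added example below (not from the original post or from Sentinel) models that idea in Python: each exception row is a (source, target, port) tuple, addresses may be hosts or CIDR blocks, and a sliding-window counter stands in for trigger(150,60,discriminator(...)). Field names, the sample rows and the Correlator class are assumptions for illustration.

```python
import ipaddress
from collections import defaultdict, deque

# Constructed exception table (hypothetical values): an event matching all
# three fields of any row is dropped before it can feed the trigger.
EXCEPTIONS = [
    {"source": "10.0.0.5", "target": "10.0.0.53", "port": 53},
    {"source": "10.0.1.0/24", "target": "192.0.2.10", "port": 80},
]


def _in(pattern, ip):
    """True if ip falls inside pattern (a single host or a CIDR block)."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)


def is_excepted(event, exceptions=EXCEPTIONS):
    """True if the event matches any exception row (source, target, port)."""
    return any(
        event["TargetPort"] == row["port"]
        and _in(row["source"], event["SourceIP"])
        and _in(row["target"], event["TargetIP"])
        for row in exceptions
    )


def passes_filter(event, exceptions=EXCEPTIONS):
    """Base filter from the post (Severity > 2) minus the exception table."""
    return event["Severity"] > 2 and not is_excepted(event, exceptions)


class Correlator:
    """Fires when `count` filtered events share a discriminator key within `window` seconds."""

    def __init__(self, count=150, window=60, exceptions=EXCEPTIONS):
        self.count, self.window, self.exceptions = count, window, exceptions
        self.buckets = defaultdict(deque)  # discriminator key -> event timestamps

    def feed(self, event, ts):
        """Return True if this event makes the rule fire (an incident would be created)."""
        if not passes_filter(event, self.exceptions):
            return False
        key = (event["TenantName"], event["ObserverIP"], event["EventName"], event["SourceIP"])
        q = self.buckets[key]
        q.append(ts)
        while q and ts - q[0] > self.window:  # drop timestamps outside the window
            q.popleft()
        if len(q) >= self.count:
            q.clear()  # reset the bucket after firing
            return True
        return False
```

Adding a new exception is then a new row in EXCEPTIONS rather than another NOT clause in the rule text.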