I'm going to create some correlation rules for continuous activities.
Here are some examples:

- 60 ICMP received within 1 minute, delay for 28 minutes, then 60 ICMP received within 1 minute
- 60 counts within 3 minutes, delay for 25 minutes, then 30 counts within 2 minutes.

Could anyone advise if it's possible to achieve this, and how?

Thanks and regards,

ms16424's Profile: https://forums.netiq.com/member.php?userid=6109