In correlation rules, Sentinel don't have an option for "Not in (text)"
so the only other option is Regex. Is there a way to do a negative
Regex? i.e. trigger correlation rule if the message does NOT contain

Also, I wanted add a sub rule but compare values between sub-rules.
Like if a new user account was created and used within say 10 min, I
need a rule where target username=initiatorusername from the sub rule.

Is there a way to do it?


pimpalp's Profile: https://forums.netiq.com/member.php?userid=5587
View this thread: https://forums.netiq.com/showthread.php?t=52973