I need assistance in creating the below rule using EPL.
The alert needs to be triggered if there are a number of deny traffic events followed by a permit from a particular source to a particular destination.
I have tried the RSA Live rule "excessive inbound traffic followed by success", but it is triggering alerts even if the traffic is from a source IP to multiple destinations.
Can anyone help?
Create a new rule using the connector "followed by".
The first statement should be, for example:
then "occurs x times"; the connector should be "followed by";
action='permit' occurs 1 time
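The structure described in that answer (deny occurs x times, followed by permit occurs 1 time), written out as an ESA EPL rule; this is an added, constructed example and not the original poster's rule or the RSA Live rule. It assumes the meta keys `action`, `ip_src` and `ip_dst` and the `@RSAAlert` annotation, and the threshold of 5 denies within 10 minutes is a chosen value.

```epl
// Constructed example: fire when one source is denied 5 times to the SAME
// destination and is then permitted to that same destination, within 10 min.
// Assumed meta keys: action, ip_src, ip_dst (ESA flattens ip.src -> ip_src).
@RSAAlert
SELECT * FROM PATTERN [
  // the first deny for a distinct (source, destination) pair opens one chain;
  // every-distinct keeps the same pair from spawning duplicate chains for 10 min
  every-distinct(a.ip_src, a.ip_dst, 10 min) a = Event(action = 'deny')
  -> (
       // four more denies (five in total), each pinned to the pair captured in
       // tag "a"; the ip_dst = a.ip_dst test is what stops a source hitting
       // many different destinations from matching
       [4] b = Event(action = 'deny' AND ip_src = a.ip_src AND ip_dst = a.ip_dst)
       // then exactly one permit for the same pair
       -> c = Event(action = 'permit' AND ip_src = a.ip_src AND ip_dst = a.ip_dst)
     ) WHERE timer:within(10 min)
];
```

The difference from a rule that alerts on any permit after a burst of denies is the `ip_dst = a.ip_dst` condition on both the repeated deny and the permit: the destination is carried forward from the first deny instead of being left free.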