I have two different sourcetypes: one is IPS and the other is Firewall. The results should follow the rules below.
The aim is to retrieve results showing, if an outside IP was blocked in the IPS, whether it was allowed by the Firewall or not.
1) Results should be ordered by their respective time.
I am getting results irrespective of time. Suppose an event was triggered in the IPS at 5:30 AM and in the firewall at 4:00 PM; the results are mixing.
2) I used the transaction command with a certain time limit by source IP.
The results are combining, but I want the transaction command to pair the source IP of the IPS with the source IP of the firewall. I want to eliminate transaction results within the same sourcetype (between IPS logs).
3) How do I get results based on the first triggering event of an external IP in the IPS?
Thanks in advance.
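The correlation the question describes, written out as an added Python example (it is not code from the original post and not Splunk's own implementation): sort both sourcetypes by time, take each external IP's first IPS block, and pair it only with a later firewall event for the same IP inside a time window, so IPS-to-IPS pairs never form. The log lines, the field names (`sourcetype`, `src_ip`, `action`), the one-hour window, and the assumption that the firewall event follows the IPS event are all constructed assumptions for the illustration.

```python
"""Correlate 'blocked in IPS' with 'allowed by firewall' per external IP.

Added illustration, not from the original post. Assumes constructed
key=value log lines with an ISO-8601 timestamp first, then fields
sourcetype, src_ip and action; the field names are assumptions.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Constructed sample events, deliberately out of order to show the sorting.
SAMPLE_LOGS = """\
2024-03-01T16:00:00Z sourcetype=firewall src_ip=203.0.113.5 action=allowed
2024-03-01T05:30:00Z sourcetype=ips src_ip=203.0.113.5 action=blocked signature=SQLi
2024-03-01T05:31:00Z sourcetype=ips src_ip=203.0.113.5 action=blocked signature=SQLi
2024-03-01T05:45:00Z sourcetype=firewall src_ip=203.0.113.5 action=allowed
2024-03-01T07:00:00Z sourcetype=ips src_ip=198.51.100.9 action=blocked signature=scan
2024-03-01T07:10:00Z sourcetype=firewall src_ip=198.51.100.9 action=denied
2024-03-01T08:00:00Z sourcetype=ips src_ip=192.0.2.77 action=blocked signature=scan
2024-03-01T03:00:00Z sourcetype=firewall src_ip=192.0.2.77 action=allowed
"""


def parse_line(line: str) -> dict:
    """Turn '<timestamp> k=v k=v ...' into a dict with a datetime under _time."""
    ts, _, rest = line.partition(" ")
    event = {"_time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)}
    for kv in rest.split():
        key, _, value = kv.partition("=")
        event[key] = value
    return event


def load_events(text: str) -> List[dict]:
    """Parse all lines and return them in chronological order (rule 1)."""
    events = [parse_line(line) for line in text.splitlines() if line.strip()]
    events.sort(key=lambda e: e["_time"])
    return events


def correlate(events: List[dict], window: timedelta = timedelta(hours=1)) -> Dict[str, dict]:
    """For each src_ip, take the FIRST IPS block (rule 3), then pair it with the
    first firewall event for the same src_ip that falls in [ips_time, ips_time + window].
    Only IPS -> firewall pairs are formed (rule 2); a second IPS event for the same
    IP is never treated as the closing side of a transaction."""
    first_ips: Dict[str, dict] = {}
    for ev in events:  # events are already sorted, so setdefault keeps the earliest
        if ev.get("sourcetype") == "ips" and ev.get("action") == "blocked":
            first_ips.setdefault(ev["src_ip"], ev)

    results: Dict[str, dict] = {}
    for ip, ips_ev in first_ips.items():
        fw_match: Optional[dict] = None
        for ev in events:
            if ev.get("sourcetype") != "firewall" or ev.get("src_ip") != ip:
                continue
            delta = ev["_time"] - ips_ev["_time"]
            # Assumption: the firewall decision of interest comes AFTER the IPS block.
            if timedelta(0) <= delta <= window:
                fw_match = ev
                break
        results[ip] = {
            "ips_time": ips_ev["_time"],
            "fw_time": fw_match["_time"] if fw_match else None,
            "fw_action": fw_match["action"] if fw_match else None,
            # None means no firewall event for that IP inside the window.
            "allowed_by_firewall": (fw_match["action"] == "allowed") if fw_match else None,
        }
    return results


if __name__ == "__main__":
    for ip, row in sorted(correlate(load_events(SAMPLE_LOGS)).items(), key=lambda kv: kv[1]["ips_time"]):
        print(f"{row['ips_time']:%H:%M} ips blocked {ip:<14} -> firewall: {row['fw_action']}")
```

On the constructed data this pairs 203.0.113.5 with the 05:45 firewall allow rather than the 16:00 one, because the window is measured from the first IPS block and the event list is sorted before pairing; the IPS-only IP 192.0.2.77 is reported with no firewall match instead of being joined to an earlier, unrelated firewall event. If, in your topology, the firewall sees the packet before the IPS does, invert the sign test on `delta` so the window looks backwards instead. In SPL the same three constraints correspond to the `transaction` command's `startswith`, `endswith` and `maxspan` options, roughly `transaction src_ip maxspan=1h startswith="sourcetype=ips" endswith="sourcetype=firewall"`; that sketch is untested and the exact filter syntax should be checked against the Splunk documentation for your version.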