I have the following scenario: I have to find events with certain specifications in the last 15 minutes, and the search result has to be compared (in the same rule) with the result of another search, which looks for the exact same event but in the last 7 days. I have to see if the event found in the last 15 minutes has happened in the past, how many times, and if it never happened, trigger an alert. How can I add two different search times in the same rule?
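One way to express the rule logic described in the question, as an added example that is not part of the original post: run a single pass over the 7-day lookback, split each event into the "last 15 minutes" bucket or the "prior 7 days" bucket by timestamp, and alert on keys that appear in the first but never in the second. The events and the (user, action) key used to decide what "the same event" means are constructed assumptions; in a SIEM the same split is usually done inside one search over the longer window rather than with two separate searches.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample events (not from the original post): each is
# (timestamp, key). The key is whatever identifies "the same event";
# here an assumed (user, action) pair.
NOW = datetime(2024, 1, 8, 12, 0, tzinfo=timezone.utc)
EVENTS = [
    (NOW - timedelta(days=6), ("alice", "login_failed")),
    (NOW - timedelta(days=2), ("alice", "login_failed")),
    (NOW - timedelta(minutes=5), ("alice", "login_failed")),   # seen twice before
    (NOW - timedelta(minutes=3), ("bob", "new_admin_role")),   # never seen before
    (NOW - timedelta(days=9), ("carol", "vpn_connect")),       # outside the 7-day window
    (NOW - timedelta(minutes=10), ("carol", "vpn_connect")),   # therefore counts as new
]


def first_seen_check(events, now, recent=timedelta(minutes=15),
                     baseline=timedelta(days=7)):
    """Compare the recent window against the baseline window in one pass.

    Returns (alerts, history): `alerts` is the set of keys that occurred in
    the last `recent` but never in the preceding `baseline`; `history` maps
    every recent key to how many times it occurred in the baseline window
    before the recent window started.
    """
    recent_start = now - recent
    baseline_start = now - baseline
    recent_keys = set()
    prior = Counter()
    for ts, key in events:
        if ts < baseline_start or ts > now:
            continue                  # outside the 7-day lookback: ignored
        if ts >= recent_start:
            recent_keys.add(key)      # the "last 15 minutes" search
        else:
            prior[key] += 1           # the "last 7 days" search, minus the recent window
    history = {k: prior[k] for k in recent_keys}
    alerts = {k for k, n in history.items() if n == 0}
    return alerts, history


if __name__ == "__main__":
    alerts, history = first_seen_check(EVENTS, NOW)
    for key, n in sorted(history.items()):
        print(key, "prior occurrences:", n, "ALERT" if key in alerts else "")
```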