Greetings: Certain rules like 31162 (multiple web server 500 errors) on a single agent server may be the result of a web developer / designer running tests, etc.
However, if this rule were kicked off from the same source IP from two or more agents, it is probably an attack / worm. Is there a way to tie the results of agents together for frequency and timeframe checks? Thank you.
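
Added example, not part of the original post and not OSSEC's own code: one way to do the cross-agent check described above outside the rule engine, by flagging a source IP that triggers rule 31162 on two or more distinct agents within a timeframe. The alert tuple layout, the agent names, the IP addresses and the `correlate` function are assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample alerts (not real OSSEC output):
# (timestamp, agent name, rule id, source IP)
SAMPLE_ALERTS = [
    ("2024-01-01 10:00:05", "web01", 31162, "203.0.113.7"),
    ("2024-01-01 10:00:40", "web01", 31162, "203.0.113.7"),
    ("2024-01-01 10:01:10", "web01", 31162, "198.51.100.9"),
    ("2024-01-01 10:01:30", "web02", 31162, "203.0.113.7"),
    ("2024-01-01 10:20:00", "web02", 31162, "198.51.100.9"),
    ("2024-01-01 10:20:30", "web03", 31151, "198.51.100.9"),
]

TS_FORMAT = "%Y-%m-%d %H:%M:%S"


def correlate(alerts, rule_id=31162, min_agents=2, timeframe=300):
    """Return {srcip: [agents]} for source IPs that fired rule_id on at
    least min_agents distinct agents within timeframe seconds."""
    span = timedelta(seconds=timeframe)
    window = defaultdict(deque)   # srcip -> recent (time, agent) pairs
    flagged = defaultdict(set)    # srcip -> agents seen together in a window

    # Alerts from different agents can arrive out of order, so sort by time.
    parsed = sorted(
        (datetime.strptime(ts, TS_FORMAT), agent, rid, ip)
        for ts, agent, rid, ip in alerts
    )
    for when, agent, rid, ip in parsed:
        if rid != rule_id:
            continue
        recent = window[ip]
        recent.append((when, agent))
        # Drop events that have aged out of the sliding window.
        while when - recent[0][0] > span:
            recent.popleft()
        agents = {name for _, name in recent}
        # A single agent repeating the rule (a developer testing) is ignored.
        if len(agents) >= min_agents:
            flagged[ip] |= agents
    return {ip: sorted(names) for ip, names in flagged.items()}


if __name__ == "__main__":
    for ip, names in correlate(SAMPLE_ALERTS).items():
        print(f"{ip} triggered rule 31162 on agents: {', '.join(names)}")
```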
