Hi Risto
Thanks a lot for detailed explanation!
You are correct about aggregation and your suggestion clarified all the
queries. (|) was a typo. I'll run the tests as suggested and also will
check on cspawn and udpsock. Thanks again for promising sec🙂
Regards,
Santhosh S
On Mon, May 13, 2019, 2
hi Santhosh,
since you are using SingleWithSuppress rule for aggregation, is my
understanding correct that the term "aggregation" means generating a syslog
message on the first matching event, suppressing the following matching
events during 300 seconds? If so, you don't need the PairWithWindow ru
Hi Risto
Greetings..!!
I would like to get your suggestions on event correlation upon aggregation.
The rule below aggregates events with whitelisting criteria.
---
type=Single
ptype=RegExp
pattern=(?:SEC_STARTUP|SEC_REST
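For readers following the exchange above, here is an added example (not Santhosh's rule and not code from the thread) of how the "emit once, then suppress for 300 seconds" behaviour Risto describes can be expressed with a whitelist rule followed by a single SingleWithSuppress rule. The SEC_STARTUP/SEC_RESTART whitelist pattern and the syslog-style line format matched by the second rule are assumptions chosen for illustration.

```conf
# Added example; not from the original thread.
# Rule 1 (whitelist): consume SEC's own housekeeping events so they never
# reach the aggregation rule. The event names are assumed for this example;
# 'action=none' with the default continue=DontCont simply drops the match.
type=Single
ptype=RegExp
pattern=^SEC_(?:STARTUP|RESTART)\b
desc=whitelisted SEC internal event
action=none

# Rule 2 (aggregation): fire on the first matching event and ignore further
# events with the same desc (same host and program) for 300 seconds.
# Assumed input format: "<host> <program>[<pid>]: <message>".
# 'write -' prints to stdout; replace with udpsock/cspawn as needed.
type=SingleWithSuppress
ptype=RegExp
pattern=^(\S+) (\S+)\[\d+\]: (.+)$
desc=alert from $2 on $1
action=write - %s: "$3" (repeats suppressed for 300s)
window=300
```

The suppression window is keyed on the expanded desc, so two hosts running the same program each get their own first alert, and events matched by rule 1 are never counted because they are consumed before rule 2 sees them.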