vg_

Pinned topic Rules for many events with distinct properties

‏2016-08-01T18:43:45Z | distinct properties rule

Hello. I have a rule with the following condition:

 

when at least 5 events are seen with the same Source Network and different Source IP in 1 hour(s)

 

This rule matched for 5 events where 4 of them had the same source IP and one of them had a different one. This behaviour is different from what I expected. What I actually need is a condition that is true only when all of the 5 events have different source IPs.

Can anyone tell me what condition I should use?
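The gap between the match reported above and the match asked for, as an added Python example that is not part of the original post and is not QRadar's rule engine. The loose test is an assumed reading consistent with the reported match (5 events, more than one source IP); the strict test requires 5 distinct source IPs in the 1-hour window. Event tuples, network names and addresses are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)
THRESHOLD = 5


def fired_networks(events, all_distinct, threshold=THRESHOLD, window=WINDOW):
    """Return the source networks for which the condition becomes true.

    events: iterable of (timestamp, source_network, source_ip).
    all_distinct=True  -> at least `threshold` DISTINCT source IPs in the window.
    all_distinct=False -> at least `threshold` events in the window and more
                          than one source IP among them (assumed loose reading).
    """
    recent = defaultdict(deque)  # network -> (timestamp, ip) pairs still in window
    fired = set()
    for ts, network, ip in sorted(events):
        q = recent[network]
        q.append((ts, ip))
        while ts - q[0][0] > window:  # expire events older than the window
            q.popleft()
        distinct = len({seen_ip for _, seen_ip in q})
        if all_distinct:
            hit = distinct >= threshold
        else:
            hit = len(q) >= threshold and distinct > 1
        if hit:
            fired.add(network)
    return fired


# Constructed sample events (documentation address ranges).
T0 = datetime(2016, 8, 1, 12, 0)


def _ev(minute, network, ip):
    return (T0 + timedelta(minutes=minute), network, ip)


SAMPLE = (
    # Net-A: the case from the post, 4 events from one IP plus 1 from another.
    [_ev(m, "Net-A", "192.0.2.10") for m in (0, 5, 10, 15)]
    + [_ev(20, "Net-A", "192.0.2.11")]
    # Net-B: 5 events from 5 different IPs within the hour.
    + [_ev(m, "Net-B", f"198.51.100.{m}") for m in (1, 2, 3, 4, 5)]
    # Net-C: 5 different IPs, but spread over 2 hours.
    + [_ev(m, "Net-C", f"203.0.113.{m}") for m in (0, 30, 60, 90, 120)]
)
```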