Hello. I have a rule with the following condition:
when at least 5 events are seen with the same Source Network and different Source IP in 1 hour(s)
This rule matched for 5 events where 4 of them had the same source IP and one of them had a different one; this behaviour is different from what I expected. What I actually need is a condition that is true only when all of the 5 events have different source IPs.
Can anyone tell me what condition I should use?
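
The two counting semantics described in the post, as an added example that is not part of the original post and is not the product's rule engine. It assumes the observed behaviour can be modelled as "at least 5 events and at least 2 distinct source IPs"; the function name, event tuples and sample values are hypothetical and constructed for illustration.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 3600  # "in 1 hour(s)"


def first_match(events, min_events, min_distinct_ips, window=WINDOW_SECONDS):
    """Return (network, timestamp) of the first event that completes a match, else None.

    events: iterable of (epoch_seconds, source_network, source_ip), sorted by time.
    A match needs, for one source network and within `window` seconds, at least
    `min_events` events AND at least `min_distinct_ips` distinct source IPs.
    """
    recent = defaultdict(deque)  # network -> (ts, ip) pairs still inside the window
    for ts, network, ip in events:
        q = recent[network]
        q.append((ts, ip))
        # Drop events that have fallen out of the sliding window.
        while q and ts - q[0][0] >= window:
            q.popleft()
        distinct_ips = {seen_ip for _, seen_ip in q}
        if len(q) >= min_events and len(distinct_ips) >= min_distinct_ips:
            return network, ts
    return None


# Constructed sample: 4 events from one IP plus 1 from another (the case in the post).
FOUR_PLUS_ONE = [
    (0, "DMZ", "10.0.0.1"), (300, "DMZ", "10.0.0.1"), (600, "DMZ", "10.0.0.1"),
    (900, "DMZ", "10.0.0.1"), (1200, "DMZ", "10.0.0.2"),
]
# Constructed sample: 5 events, each from a different source IP, within one hour.
FIVE_DISTINCT = [(i * 600, "LAN", f"10.1.0.{i + 1}") for i in range(5)]
# Constructed sample: 5 different source IPs, but spread over two hours.
FIVE_SPREAD = [(i * 1800, "LAN", f"10.1.0.{i + 1}") for i in range(5)]

if __name__ == "__main__":
    for name, sample in [("4+1", FOUR_PLUS_ONE), ("5 distinct", FIVE_DISTINCT),
                         ("5 spread", FIVE_SPREAD)]:
        print(name,
              "| observed (>=2 distinct):", first_match(sample, 5, 2),
              "| wanted (5 distinct):", first_match(sample, 5, 5))
```
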