Cross Device Correlation
I have a connector (Akamai) feeding logs to ArcSight. The logs have just URL details.
I have another custom device that has the IP address on which the URL is hosted. This device has only the IP address and not the URL details.
I am trying to build a cross-device correlation to detect an attack scenario: when the URL is down, I want an alert so that I can check whether any other device hosted on the IP is running or not.
Attached is a snapshot of my rule. This rule isn't working, please share your inputs.
Thanks and regards,
You can try to achieve this with a negation rule.
Meaning: if event A occurs and event B doesn't occur within the X time range, then fire the rule.
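As an added illustration of the negation pattern described in the reply (this is plain Python, not ArcSight rule syntax and not code from the thread), the snippet below joins the URL stream to the IP stream through an assumed URL-to-IP mapping and alerts when no host event follows a "URL down" event within the window. The mapping, field names and timestamps are constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the original thread).
# Stream A: URL-status events from the web connector (URL only).
# Stream B: host events from the custom device (IP only).
URL_TO_IP = {
    "https://shop.example.com": "203.0.113.10",
    "https://api.example.com": "203.0.113.20",
}

EVENTS_A = [
    {"time": "2024-05-01T10:00:00", "url": "https://shop.example.com", "status": "down"},
    {"time": "2024-05-01T10:05:00", "url": "https://api.example.com", "status": "down"},
    {"time": "2024-05-01T10:06:00", "url": "https://unknown.example.com", "status": "down"},
]

EVENTS_B = [
    {"time": "2024-05-01T10:02:00", "ip": "203.0.113.10", "msg": "host alive"},
    # Heartbeat for 203.0.113.20 arrives too late to cancel the alert.
    {"time": "2024-05-01T10:15:00", "ip": "203.0.113.20", "msg": "host alive"},
]


def negation_rule(events_a, events_b, url_to_ip, window):
    """Fire once per 'URL down' event (A) that is NOT followed by an event
    from the mapped IP (B) within `window`. The URL-to-IP map is the cross-device
    key; without it the two streams share no field and cannot be joined."""
    alerts = []
    for a in events_a:
        if a["status"] != "down":
            continue
        ip = url_to_ip.get(a["url"])
        if ip is None:
            continue  # no mapping: the rule cannot correlate this URL
        start = datetime.fromisoformat(a["time"])
        deadline = start + window
        host_seen = any(
            b["ip"] == ip and start <= datetime.fromisoformat(b["time"]) <= deadline
            for b in events_b
        )
        if not host_seen:
            alerts.append({"url": a["url"], "ip": ip, "down_since": a["time"]})
    return alerts


def run_example():
    return negation_rule(EVENTS_A, EVENTS_B, URL_TO_IP, timedelta(minutes=5))
```

With a 5-minute window, only the api URL fires, because its host's heartbeat arrives 10 minutes after the outage event while the shop host reported within 2 minutes.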