Not in session list rule.
I have a user tracking rule for populating a session list with key fields src ip and src user name. ArcSight ESM version 5.2.
How can I create a rule that triggers if a second session is started from another src ip?
My rule doesn't work:
( Device Action = SUCCESS AND Device Vendor = MyVendor AND Type != Correlation AND Source Address != getAl.User Address AND Source User Name = getAl.User Name AND Source Address Is NOT NULL )
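
The detection the question describes, modelled outside the SIEM as an added example (not part of the original post and not ArcSight rule syntax): keep a per-user list of active source addresses and alert when a successful login arrives from an address not in that list. The `Event` fields, the one-hour `ttl` and the sample events are assumptions constructed for illustration.

```python
from typing import NamedTuple, Optional


class Event(NamedTuple):
    ts: int                 # event time in seconds (constructed)
    vendor: str
    action: str
    user: Optional[str]
    src_ip: Optional[str]


def detect(events, vendor="MyVendor", ttl=3600):
    """Return (ts, user, new_ip, known_ips) for logins from a second address."""
    sessions = {}           # user -> {src_ip: last_seen_ts}, the "session list"
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        # Same filters as the posted condition: vendor, SUCCESS, non-null address.
        if ev.vendor != vendor or ev.action != "SUCCESS":
            continue
        if not ev.src_ip or not ev.user:
            continue
        active = sessions.setdefault(ev.user, {})
        # Expire entries older than the assumed session lifetime.
        for ip in [ip for ip, seen in active.items() if ev.ts - seen > ttl]:
            del active[ip]
        # Alert only if the user already has a live session from another address.
        if active and ev.src_ip not in active:
            alerts.append((ev.ts, ev.user, ev.src_ip, tuple(sorted(active))))
        active[ev.src_ip] = ev.ts   # add or refresh the list entry
    return alerts


# Constructed sample events, not real log data.
SAMPLE = [
    Event(0, "MyVendor", "SUCCESS", "alice", "10.0.0.5"),
    Event(60, "MyVendor", "SUCCESS", "alice", "10.0.0.5"),     # same address
    Event(120, "MyVendor", "SUCCESS", "bob", "10.0.0.9"),
    Event(300, "MyVendor", "SUCCESS", "alice", "192.0.2.44"),  # second address
    Event(400, "MyVendor", "SUCCESS", "bob", None),            # null address
    Event(500, "MyVendor", "FAILURE", "bob", "10.0.0.7"),      # not SUCCESS
    Event(5000, "MyVendor", "SUCCESS", "bob", "10.0.0.7"),     # old entry expired
]

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```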