Working with Joins Rule + Negate
Need help to verify is the following Rules logic correct.
What I expected the rules to do:
IF a source IP address matches the entry in Active List, AND within the next two minutes, NO event with DeviceCustomString3=SYN Timeout related to the same source IP address and port, trigger the rule's action.
Below is the scenario I wish the rules would ignore: