Is it possible to have a rule wait?
Let's say we have two different events received by ESM in the following order:
We need to fire on event 1 if we do not see event 2 within the next minute or so. Is there a way to accomplish this? Thank you for your thoughts.
That is indeed the drawback of that option. Most likely you need to create a procedure for your analysts on how to find the base event that triggered the rule initially. I have hit that wall as well and I have not found a way to go around this. To be honest, I find it a bug, as with the other options it is adding the base event to the correlated event.
I believe this is because you need "Cumulative Rule Chain" set to "On".
If you click on and activate the "On Time Window Expiration [Active]" in your actions tab, it should show the Cumulative Rule Chain option.
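
The behaviour asked about in this thread (alert on event 1 when no event 2 follows within the time window, with the base event kept in the alert), as an added Python example that is not from the thread and is not ArcSight ESM rule syntax. The event names, the `key` join field and the sample events are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    ts: float   # seconds since an arbitrary start
    name: str   # "event1" or "event2" (hypothetical names)
    key: str    # field the two events are joined on, e.g. a host (assumption)

def absent_followup(events, first="event1", second="event2", window=60.0, now=None):
    """Return alerts for first-events with no matching second-event within `window` s.

    Each alert carries the base event itself, so the analyst does not have to
    search for the event that opened the window.
    """
    pending = {}   # key -> base Event still waiting for its follow-up
    alerts = []

    def expire(current_ts):
        # Close every window that ended before current_ts without a follow-up.
        for key, base in list(pending.items()):
            if current_ts - base.ts > window:
                alerts.append({"reason": f"no {second} within {window:g}s",
                               "base_event": base})
                del pending[key]

    for ev in sorted(events, key=lambda e: e.ts):
        expire(ev.ts)                       # time advanced: expire old windows first
        if ev.name == first:
            pending.setdefault(ev.key, ev)  # keep the earliest unmatched base event
        elif ev.name == second:
            pending.pop(ev.key, None)       # follow-up arrived in time: no alert
    if now is not None:
        expire(now)                         # flush windows ending after the last event
    return alerts

# Constructed sample events, not real ESM data.
SAMPLE = [
    Event(0, "event1", "host-a"),
    Event(10, "event1", "host-b"),
    Event(30, "event2", "host-a"),   # within the window: no alert
    Event(95, "event2", "host-b"),   # 85 s after event1: too late, alert
    Event(100, "event1", "host-c"),  # never followed: alert once `now` passes 160
]

if __name__ == "__main__":
    for alert in absent_followup(SAMPLE, now=200):
        print(alert["reason"], alert["base_event"])
```

The `now` argument stands in for a timer: without it, a window can only be seen to expire when a later event arrives.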