So, ideally you'd be able to do this:
(tunnel down) EXISTS
and
(tunnel up) NOT EXISTS
(tunnel down).SourceMachine = (tunnel up).SourceMachine
Response Window: 5 minutes
That would tell you if you got a tunnel down but not a tunnel up from the same source machine (the other end of your tunnel) within 5 minutes (so - your tunnel had been down for 5 minutes). If the tunnel names were in a field, you could use that, too, but it looks like they are buried in ExtraneousInfo.
Looking at the sample, I'm guessing both your "up" and "down" events are IPSecTrafficAudit and the thing that differs between them is the EventInfo that includes "tunnel-up" vs. "tunnel-down". Here's where it gets sticky - there's no way (that we've exposed in the console anyway) to do a NOT EXISTS rule with two of the same event type.
Ideally you'd be able to do:
IPSecTrafficAudit EXISTS and IPSecTrafficAudit NOT EXISTS
IPSecTrafficAudit.SourceMachine = IPSecTrafficAudit.SourceMachine
Response Window: 5 minutes
...but even looking at it, that doesn't really make sense. You'd need to be able to distinguish between the two IPSecTrafficAudits, which isn't possible right now.
So, enter the inference rule (or incident) workaround.
Rule 1:
IPSecTrafficAudit.EventInfo = "*tunnel-down*"
(if you need to restrict to only passing on info about certain tunnels, firewalls, or other criteria you could add that here)
Action: Infer Alert (or Incident Alert)
Pick an event to infer - I'd probably go with either NetworkIncident if you want to do Incident, or PointToPointTrafficAudit if you want to do infer - this way you still have similar fields to work from
Make sure to fill out the fields
Rule 2: I'll use PointToPointTrafficAudit (the alert I'm inferring from Rule 1) as my example
PointToPointTrafficAudit EXISTS
IPSecTrafficAudit NOT EXISTS
IPSecTrafficAudit.SourceMachine = PointToPointTrafficAudit.SourceMachine
IPSecTrafficAudit.EventInfo = "*tunnel-up*"
PointToPointTrafficAudit.EventInfo = "*tunnel-down*"
Response Window: 5 minutes
Action: probably an email notification
All of that means:
- Look for PointToPointTrafficAudit events that contain "tunnel-down" in the EventInfo
- Also, look for IPSecTrafficAudit events that contain "tunnel-up" in the EventInfo
- If you do see both of those things within 5 minutes of each other from the same SourceMachine, we're good!
- If you only see the PointToPointTrafficAudit but do NOT see the IPSecTrafficAudit from the same SourceMachine, then do something (probably an email notification)
If you're concerned about the tunnel going down-up-down within 5 minutes, you might also need to specify that their detection times need to be in sequence and the up event follows the down (e.g. IPSecTrafficAudit.DetectionTime > PointToPointTrafficAudit.DetectionTime) - response windows are sliding windows, so it will look for events that came both before AND after.
I hope that's helpful... I didn't test this in my lab, but this is what I'd build.
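The correlation logic described above, as an added example that is not part of the original post: a small Python model of the "down EXISTS, matching up NOT EXISTS within the response window" check, with the DetectionTime sequencing caveat from the last paragraph. The fw-* hosts, EventInfo strings and timestamps are constructed sample data, not output from any real product.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)  # the rule's Response Window

def ev(src, info, hh, mm):
    # Constructed IPSecTrafficAudit event; times are on an arbitrary day.
    return {"EventType": "IPSecTrafficAudit", "SourceMachine": src,
            "EventInfo": info, "DetectionTime": datetime(2024, 1, 1, hh, mm)}

# Constructed sample stream (not from the original post), in detection order.
EVENTS = [
    ev("fw-a", "phase2 tunnel-down peer=fw-a", 12, 0),
    ev("fw-a", "phase2 tunnel-up peer=fw-a", 12, 2),    # back up in 2 min
    ev("fw-b", "phase2 tunnel-down peer=fw-b", 12, 10),  # never comes back
    ev("fw-c", "phase2 tunnel-down peer=fw-c", 12, 18),
    ev("fw-c", "phase2 tunnel-up peer=fw-c", 12, 19),
    ev("fw-c", "phase2 tunnel-down peer=fw-c", 12, 21),  # down-up-down case
    ev("fw-d", "phase2 tunnel-down peer=fw-d", 12, 30),
    ev("fw-d", "phase2 tunnel-up peer=fw-d", 12, 37),    # up, but after 7 min
]

def is_down(e):  # EventInfo = "*tunnel-down*"
    return e["EventType"] == "IPSecTrafficAudit" and "tunnel-down" in e["EventInfo"]

def is_up(e):    # EventInfo = "*tunnel-up*"
    return e["EventType"] == "IPSecTrafficAudit" and "tunnel-up" in e["EventInfo"]

def unrecovered_tunnels(events, window=WINDOW, require_sequence=True):
    """(SourceMachine, DetectionTime) of each tunnel-down with no tunnel-up from
    the same SourceMachine inside the window. require_sequence=True demands the
    up come AFTER the down; False is a plain sliding window (before or after)."""
    ups = [e for e in events if is_up(e)]
    alerts = []
    for d in (e for e in events if is_down(e)):
        for u in ups:
            if u["SourceMachine"] != d["SourceMachine"]:
                continue
            delta = u["DetectionTime"] - d["DetectionTime"]
            if require_sequence:
                matched = timedelta(0) < delta <= window
            else:
                matched = abs(delta) <= window
            if matched:
                break
        else:  # no matching up event: this is the NOT EXISTS branch
            alerts.append((d["SourceMachine"], d["DetectionTime"]))
    return alerts
```

With the sequence check, fw-c's second outage at 12:21 is reported; with a plain sliding window the 12:19 up event silently satisfies it.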