Ok, so I am working through this and I am confused at Rule2
1 Rule 2: I'll use PointToPointTrafficAudit (the alert I'm inferring from Rule 1) as my example
2 PointToPointTrafficAudit EXISTS
3 IPSecTrafficAudit NOT EXISTS
4 IPSecTrafficAudit.SourceMachine = PointToPointTrafficAudit.SourceMachine
5 IPSecTrafficAudit.EventInfo = "*tunnel-up*"
6 PointToPointTrafficAudit.EventInfo = "*tunnel-down*"
7 Response Window: 5 minutes
8 Action: probably an email notification.
On line 2 & 3 I assume you mean the following:
If that is the case, how could line 5 be possible if we already required that it not exist? Also, since we are using an IPSecTrafficAudit to infer a PointToPointTrafficAudit, then it would by definition exist, would it not?
Lastly, I don't see a way to do what you are suggesting in line 4.
Thanks in advance, I really appreciate your help on this!
-Byron
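One way to read the quoted rule, as an added illustration that is not part of the thread: the NOT EXISTS condition on line 3 is evaluated over the 5-minute response window, so the rule fires only when a tunnel-down alert has gone the whole window without a matching tunnel-up from the same SourceMachine. The event records and machine names below are constructed sample data.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)  # "Response Window: 5 minutes" from the quoted rule

# Constructed sample events (timestamp, alert type, SourceMachine, EventInfo);
# not taken from any real product log.
EVENTS = [
    (datetime(2024, 1, 1, 10, 0, 0), "PointToPointTrafficAudit", "gw-a", "p2p tunnel-down peer=gw-x"),
    (datetime(2024, 1, 1, 10, 2, 0), "IPSecTrafficAudit", "gw-a", "ipsec tunnel-up peer=gw-x"),
    (datetime(2024, 1, 1, 10, 10, 0), "PointToPointTrafficAudit", "gw-b", "p2p tunnel-down peer=gw-y"),
    (datetime(2024, 1, 1, 10, 16, 0), "IPSecTrafficAudit", "gw-b", "ipsec tunnel-up peer=gw-y"),
]


def find_unrecovered_tunnels(events, now, window=WINDOW):
    """Return (SourceMachine, tunnel-down time) pairs whose window closed
    without a tunnel-up from the same machine, as of the evaluation time `now`.

    Line 2 + line 6: a PointToPointTrafficAudit with "*tunnel-down*" EXISTS.
    Line 3 + 4 + 5:  no IPSecTrafficAudit with "*tunnel-up*" and the same
                     SourceMachine EXISTS inside the window after it.
    """
    events = sorted(events, key=lambda e: e[0])
    hits = []
    for ts, kind, machine, info in events:
        if kind != "PointToPointTrafficAudit" or "tunnel-down" not in info:
            continue
        if ts + window > now:
            # The window is still open, so NOT EXISTS cannot be decided yet;
            # a tunnel-up may still arrive.
            continue
        recovered = any(
            k == "IPSecTrafficAudit"
            and m == machine               # line 4: same SourceMachine
            and "tunnel-up" in i           # line 5: "*tunnel-up*"
            and ts <= t <= ts + window     # only events inside the window count
            for t, k, m, i in events
        )
        if not recovered:
            hits.append((machine, ts))
    return hits


if __name__ == "__main__":
    # gw-a recovered within 2 minutes; gw-b took 6 minutes, so only gw-b fires.
    for machine, ts in find_unrecovered_tunnels(EVENTS, now=datetime(2024, 1, 1, 10, 30)):
        print(f"ALERT: {machine} tunnel down at {ts:%H:%M} with no tunnel-up within {WINDOW}")
```

Evaluated at 10:12 the rule produces nothing, because gw-b's window is still open; evaluated at 10:30 it fires for gw-b only.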
