I'm having an issue creating a multi-event correlation due to the way that LEM parses certain logs, in this case - logs from a NGFW. All of my IPS logs get parsed and placed into a variety of different event types depending on what they are. This results in about 20 or so different event names that my logs fall into. (This wouldn't be an issue if all my IPS logs fell into an "IPS Event" event name and the signature fell into the event info bucket - but I digress.)
This is problematic when I want to create a correlation along the lines of:
10 or more IPS events from the same source IP within XX minutes.
I know that in the monitor section I can create a filter to group up all these different event names and place them back into an "IPS Events" container. Is this possible to do for correlations? If not, it's very difficult to create an efficient correlation where the source IP needs to be the same across 20 different event names, if that's even possible with LEM in its current iteration.
Anybody having a similar issue? Thought of any work-arounds?
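The rule the post describes (fold the many per-signature event names back into one "IPS Events" bucket, then fire on 10 or more from the same source IP inside a time window), written out as an added Python example to make the logic concrete; it is not LEM configuration, and the event names and log records are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical per-signature event names the parser scatters IPS hits into;
# real names depend on the connector and are not taken from the post.
IPS_EVENT_NAMES = {"IPSSQLInjection", "IPSBufferOverflow", "IPSPortScan", "IPSWebAttack"}

def normalize(event_name):
    """Collapse any per-signature IPS event name into one logical bucket."""
    return "IPS Events" if event_name in IPS_EVENT_NAMES else event_name

def correlate(events, threshold=10, window=timedelta(minutes=5)):
    """Fire when `threshold` or more IPS events share a source IP within `window`.

    `events` is an iterable of (timestamp, event_name, source_ip) tuples.
    Returns a list of (source_ip, timestamp_of_triggering_event) alerts; the
    per-IP window is reset after each alert so one burst fires once.
    """
    recent = defaultdict(deque)   # source_ip -> timestamps still inside the window
    alerts = []
    for ts, name, src in sorted(events, key=lambda e: e[0]):
        if normalize(name) != "IPS Events":
            continue              # non-IPS events never count toward the threshold
        q = recent[src]
        while q and ts - q[0] > window:
            q.popleft()           # expire events that fell out of the window
        q.append(ts)
        if len(q) >= threshold:
            alerts.append((src, ts))
            q.clear()
    return alerts

def sample_events():
    """Constructed log records, not real NGFW output."""
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    names = sorted(IPS_EVENT_NAMES)
    # 10 IPS hits in 135 s from one host: should alert
    burst = [(t0 + timedelta(seconds=15 * i), names[i % len(names)], "10.0.0.5") for i in range(10)]
    # 10 IPS hits spread over 18 min from another host: never 10 inside 5 min
    slow = [(t0 + timedelta(minutes=2 * i), names[i % len(names)], "10.0.0.9") for i in range(10)]
    # 12 non-IPS events from a third host: ignored by the rule
    noise = [(t0 + timedelta(seconds=5 * i), "UserLogon", "10.0.0.7") for i in range(12)]
    return burst + slow + noise

if __name__ == "__main__":
    for src, when in correlate(sample_events()):
        print(f"ALERT {src}: 10+ IPS events within 5 min, last at {when:%H:%M:%S}")
```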