I've been trying to take some the the filters I've created in LEM and are now looking to use the same logic and us it as a rule. My filter is as follows:
( "Event Name" = PolicyAccess ) AND ( ( "Event Name" = PolicyAccess ) AND ( SourceAccount = username" ) ) AND ( ( "Event Name" = PolicyAccess ) AND ( EventInfo = "\"username\" running \"CLI\" executed a command that modified the configuration" ) )
This returns results that I would like to use to build a rule against. However, when I go into the rule builder, I can't seem to translate the filter into a rule with all the AND statements/blocks. Under Correlations, I see the same AND arrow on the right side of the block, but I cannot add an item next to it to create the AND condition (I hope I'm explaining this correctly). How do I chain correlation items together to create the rule?