Hi,
I have created a correlation rule with the following query, which runs every 5 minutes. This is to detect whether any external email address sends multiple emails to our internal email within a given time (an hour); if so, it should trigger an alert. Please tell me what the issue with it is.
"
sequence by email.from.address, email.to.address with maxspan=60m
[any where email.direction == "inbound"] with runs=2
"