Following on from the release of 7.7.0 and the new "Alerting and Actions" feature, I'm wondering what the best method of alerting based on correlated events would be.
Looking to implement Alerting using the stack as a SIEM and require events to be correlated and alerts triggered on a match. I can't see an easy way of implementing said correlation.
As a very basic example, it would be good to understand how event correlation would work in the following scenario:
- 5 login failures for user account on server from IP address 220.127.116.11 then,
- A successful login from same user account on server from IP address 18.104.22.168
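The correlation the scenario describes (N failures for an account on a host, followed by a success for the same account from a different source), as an added Python example that is not from the original post or from Elastic; the events, field names, threshold and time window are all constructed assumptions:

```python
from datetime import datetime, timedelta

# Constructed sample authentication events (not from the original post).
# Five failures for alice from one IP, then a success from another IP;
# bob has only two failures before his success, so he must not alert.
EVENTS = [
    {"ts": f"2020-05-13T10:00:{10 * i:02d}", "user": "alice", "host": "web01",
     "src_ip": "220.127.116.11", "outcome": "failure"} for i in range(5)
] + [
    {"ts": "2020-05-13T10:01:00", "user": "alice", "host": "web01",
     "src_ip": "18.104.22.168", "outcome": "success"},
    {"ts": "2020-05-13T10:02:00", "user": "bob", "host": "web01",
     "src_ip": "192.0.2.7", "outcome": "failure"},
    {"ts": "2020-05-13T10:02:10", "user": "bob", "host": "web01",
     "src_ip": "192.0.2.7", "outcome": "failure"},
    {"ts": "2020-05-13T10:02:20", "user": "bob", "host": "web01",
     "src_ip": "192.0.2.8", "outcome": "success"},
]


def correlate(events, threshold=5, window=timedelta(minutes=10)):
    """Return one alert per login success that was preceded, within `window`,
    by at least `threshold` failures for the same (user, host) pair."""
    alerts = []
    recent_failures = {}  # (user, host) -> list of (timestamp, src_ip)
    for e in sorted(events, key=lambda ev: ev["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        key = (e["user"], e["host"])
        # Drop failures that fell out of the sliding window.
        fails = [f for f in recent_failures.get(key, []) if ts - f[0] <= window]
        if e["outcome"] == "failure":
            fails.append((ts, e["src_ip"]))
            recent_failures[key] = fails
        elif e["outcome"] == "success":
            if len(fails) >= threshold:
                alerts.append({
                    "ts": e["ts"], "user": e["user"], "host": e["host"],
                    "failures": len(fails),
                    "failure_ips": sorted({ip for _, ip in fails}),
                    "success_ip": e["src_ip"],
                    # Flag the case the post singles out: success from a new IP.
                    "new_source": e["src_ip"] not in {ip for _, ip in fails},
                })
            recent_failures[key] = []  # a success closes the failure run
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

The same logic would need a two-step rule (or a scheduled job that runs a query per success and then a second query for prior failures) when expressed as a Kibana alert, which is the gap the question is pointing at.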