Can anyone please help me setting up a simple correlation rule using EQL that detect if same source.ip attempts more than 50 destination.ip within 15 minutes.
I'm unable to write EQL.
I've fortigate logs, my correlation rule is like
sequence by source.ip maxspan=15m [network where event.action == "deny"] [network where true]
I know here
by source.ip means same source.ip.
network is value present in the event.category field.
network where true is just because there must have two sequence patterns in brackets . 2nd condition is like event.category network should exists.
How EQL will detect more than 50 destination.ip?