Hi,
I wanted to understand a way where
- We can use relative timestamps inside a rule to generate alerts with respect to the time we received a certain kind of log.
- We do not generate an alert for the logs whose vulnerability has already been fixed (we have received "fixed" logs in the SIEM).
For example - We have a vulnerability scanner which sends logs for every vulnerability found and a log for every vulnerability fixed. I want to make sure that I generate an alert every 14 days that a vulnerability (for which a log was created in the SIEM) is still not fixed. There needs to be a query which removes the vulnerability logs that have already been fixed and generates alerts for the rest of them.
Thank you!