The rule groups events by Reporting IP, Reporting Device, and User. Let's analyze the five events:
Events Received:
1. Reporting IP: 1.1.1.1, Reporting Device: Server101, User: John
2. Reporting IP: 1.1.1.1, Reporting Device: Server101, User: Craig
3. Reporting IP: 1.1.1.2, Reporting Device: Server109, User: Mary
4. Reporting IP: 1.1.1.1, Reporting Device: Server101, User: Craig (Duplicate of #2)
5. Reporting IP: 1.1.1.1, Reporting Device: Server101, User: John (Duplicate of #1)
Grouping Based on:
● Reporting IP
● Reporting Device
● User
Count unique groups:
1. (1.1.1.1, Server101, John) → 2 occurrences (counted as one group)
2. (1.1.1.1, Server101, Craig) → 2 occurrences (counted as one group)
3. (1.1.1.2, Server109, Mary) → 1 occurrence (counted as one group)
Since we need at least one matching event (count >= 1) per group, incidents are created for each unique group.
Total unique groups (incidents created) = 2
● John on Server101 (1.1.1.1)
● Craig on Server101 (1.1.1.1)
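As an added example (not part of the original answer), the group-by evaluation described above in Python: each event is keyed by the tuple (Reporting IP, Reporting Device, User), duplicates only raise the count of an existing group, and one incident is emitted per group whose count reaches the rule's threshold. The field names and the `threshold` parameter are assumptions standing in for the rule's own attribute names and per-group count condition.

```python
from collections import Counter

# Constructed events mirroring the five on the page (not taken from a live SIEM).
EVENTS = [
    {"reporting_ip": "1.1.1.1", "reporting_device": "Server101", "user": "John"},
    {"reporting_ip": "1.1.1.1", "reporting_device": "Server101", "user": "Craig"},
    {"reporting_ip": "1.1.1.2", "reporting_device": "Server109", "user": "Mary"},
    {"reporting_ip": "1.1.1.1", "reporting_device": "Server101", "user": "Craig"},  # duplicate of #2
    {"reporting_ip": "1.1.1.1", "reporting_device": "Server101", "user": "John"},   # duplicate of #1
]

# Assumed attribute names for the rule's "Group By" list.
GROUP_BY = ("reporting_ip", "reporting_device", "user")


def group_counts(events, group_by=GROUP_BY):
    """Count matching events per group-by key tuple (the 'occurrences' figure above)."""
    counts = Counter()
    for ev in events:
        key = tuple(ev[field] for field in group_by)
        counts[key] += 1
    return counts


def incidents(events, threshold=1, group_by=GROUP_BY):
    """Return one incident per group whose matching-event count reaches the threshold.

    A duplicate event never creates a second incident for the same key tuple;
    it only increments that group's count.
    """
    counts = group_counts(events, group_by)
    return [
        {"group": dict(zip(group_by, key)), "count": n}
        for key, n in counts.items()
        if n >= threshold
    ]


if __name__ == "__main__":
    for inc in incidents(EVENTS, threshold=1):
        print(inc["group"], "->", inc["count"], "matching event(s)")
```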