I am having a lot of problems finishing an alarm rule to fire when a user uses Okta to log in from two different countries in a short period of time. I am basing the rule off of this correlation rule:
app_name == 'office-365' AND event_name IN('UserLoggedIn', 'MailboxLogin') AND source_country != '' AND source_username >> [user] AND source_country ==> |countries|
And this is what I have currently:
(packet_type == 'log' AND app_name == 'okta' AND event_name in ('Login success') AND source_country != '' AND source_username >> [user] AND source_country == '[var_source_country]')
As you can see, I have it all set except for the last operator, ==>.
From the documentation I know that ==> "Checks the value against a list filled with previous events' values. Will validate the condition if the element is not already included in the list." I'm sure it's a relatively simple issue, but I am having a hell of a time getting it to work. Any help would be greatly appreciated.
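To make the semantics of the rule concrete, here is a stand-alone Python emulation of the same logic run over a few constructed Okta-style events. This is an added example, not the poster's rule and not AlienVault's correlation engine: the static filter (app_name, event_name, non-empty source_country) is applied first, then events are keyed by source_username (the `>> [user]` part) and each user's recent countries are kept in a list (the `|countries|` part); a login whose country is not already in that list fires the alarm (the `==>` check). The one-hour window, the field names and all event data are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real Okta logs). Only the fields the rule keys on are included.
SAMPLE_EVENTS = [
    {"ts": "2024-01-10T09:00:00", "app_name": "okta", "event_name": "Login success",
     "source_username": "alice", "source_country": "US"},
    {"ts": "2024-01-10T09:20:00", "app_name": "okta", "event_name": "Login success",
     "source_username": "alice", "source_country": "US"},
    {"ts": "2024-01-10T09:45:00", "app_name": "okta", "event_name": "Login success",
     "source_username": "alice", "source_country": "DE"},   # new country inside the window -> alarm
    {"ts": "2024-01-10T09:50:00", "app_name": "okta", "event_name": "Login failure",
     "source_username": "bob", "source_country": "FR"},     # wrong event_name -> filtered out
    {"ts": "2024-01-10T10:00:00", "app_name": "okta", "event_name": "Login success",
     "source_username": "bob", "source_country": ""},       # empty country -> filtered out
    {"ts": "2024-01-10T10:05:00", "app_name": "okta", "event_name": "Login success",
     "source_username": "bob", "source_country": "FR"},
    {"ts": "2024-01-10T14:00:00", "app_name": "okta", "event_name": "Login success",
     "source_username": "bob", "source_country": "BR"},     # FR login is outside the window -> no alarm
]


def matches_filter(ev):
    """Static part of the rule: app_name == 'okta' AND event_name IN ('Login success') AND source_country != ''."""
    return (ev["app_name"] == "okta"
            and ev["event_name"] in ("Login success",)
            and ev["source_country"] != "")


def correlate(events, window_hours=1.0):
    """
    Emulates `source_username >> [user] AND source_country ==> |countries|`.

    For each user, keep the countries seen within the last `window_hours` (assumed
    "short period"); a login from a country not already in that list fires an alarm.
    Returns a list of (username, previously_seen_countries, new_country, timestamp).
    """
    window = timedelta(hours=window_hours)
    seen = defaultdict(list)   # user -> [(timestamp, country), ...]  (the |countries| list per [user])
    alarms = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not matches_filter(ev):
            continue
        ts = datetime.fromisoformat(ev["ts"])
        user, country = ev["source_username"], ev["source_country"]
        # Age out entries older than the window so the list only reflects recent logins.
        seen[user] = [(t, c) for (t, c) in seen[user] if ts - t <= window]
        countries = {c for _, c in seen[user]}
        # The ==> check: the value is not already included in the list of previous values.
        # A user's first login in the window has an empty list and is deliberately not an alarm.
        if countries and country not in countries:
            alarms.append((user, sorted(countries), country, ev["ts"]))
        seen[user].append((ts, country))
    return alarms


if __name__ == "__main__":
    for user, previous, new_country, ts in correlate(SAMPLE_EVENTS):
        print(f"ALARM {ts}: {user} logged in from {new_country}, previously seen in {previous}")
```

Running it on the sample data raises exactly one alarm, for alice's DE login at 09:45 after two US logins. Bob's BR login does not fire because his FR login is almost four hours earlier; widening the window (for example to six hours) makes it fire, which is the knob to tune when deciding what "short period" means for the real rule.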