Hi,
I want to create a rule for the following scenario:
1. Event 1: A file was created under the directory "/root/". (Comment:
I have implemented this using 'matches' in the rule file.)
2. Event 2: If a file was created under "/root/", then get all the files
created within 30 seconds of Event 1. (Comment: Confused! Don't know
how to do this!)
The dataset I have is of all the files created on the system + time of
creation.
Thanks in advance!
Rgds,
Kiran
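An added example, not from the poster or any particular rule engine, of the Event 2 correlation done directly over the dataset in Python: for every file created under /root/, collect every other file creation in the following 30 seconds. The dataset rows (ISO timestamp, path) and their values are constructed for illustration.

```python
from bisect import bisect_right
from datetime import datetime, timedelta

# Constructed sample dataset: (creation time, path) for every file created
# on the system. Placeholder values, not the poster's real data.
SAMPLE_EVENTS = [
    ("2024-01-01T10:00:00", "/tmp/a.log"),
    ("2024-01-01T10:00:05", "/root/.bash_history"),
    ("2024-01-01T10:00:10", "/var/log/x.log"),
    ("2024-01-01T10:00:33", "/home/kiran/notes.txt"),
    ("2024-01-01T10:00:36", "/etc/cron.d/job"),
    ("2024-01-01T10:02:00", "/root/tool.sh"),
    ("2024-01-01T10:02:20", "/rootkit/fake"),
]

def parse_events(raw):
    """Convert (ISO timestamp, path) rows into (datetime, path) sorted by time."""
    events = [(datetime.fromisoformat(ts), path) for ts, path in raw]
    events.sort(key=lambda e: e[0])  # the window search below needs time order
    return events

def in_directory(path, directory):
    """True if path lies under directory; "/rootkit/x" is not under "/root/"."""
    directory = directory.rstrip("/") + "/"
    return path.startswith(directory)

def correlate(raw, trigger_dir="/root/", window_seconds=30):
    """For every file created under trigger_dir (Event 1), return all other
    files created within window_seconds after it (Event 2).
    Result: {trigger_path: [(datetime, path), ...]} in time order."""
    events = parse_events(raw)
    times = [t for t, _ in events]
    window = timedelta(seconds=window_seconds)
    result = {}
    for i, (t1, path1) in enumerate(events):
        if not in_directory(path1, trigger_dir):
            continue
        # bisect_right gives the index of the first event later than
        # t1 + window, so events[i+1:end] are the creations that follow the
        # trigger (in sorted order) with t <= t1 + window.
        end = bisect_right(times, t1 + window)
        result[path1] = events[i + 1:end]
    return result

if __name__ == "__main__":
    for trigger, followers in correlate(SAMPLE_EVENTS).items():
        print(trigger)
        for t, p in followers:
            print("  ", t.isoformat(), p)
```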