Several functions are available when creating a new alarm rule. Correlation rules can be built by matching columns or by using previously created Lists.
Let's create a correlation rule:
First, open the Alert Rules category from Settings -> Incidents and Alerts and click +Alert Rule on the right side.
In the Definition tab of the alert wizard that opens, set the name of the alarm and then its category, severity and tags.
In the Rule Set tab you can select any column and apply functions such as is, is not, range, values, behavior, etc.
In this example, select the IP address column and, using the “is not” function, exclude the IP 18.104.22.168 from the rule.
This is the first condition of the correlation. You can continue by adding further conditions; each condition is joined with an "and" operator.
In the following conditions, you state that the same source IP must previously have appeared in the "Brute Force Attacker Host" list and that the same IP address must also be in the "Port Scanner Hosts" list. (These lists are defined by different conditions.)
Using the behavior parameter, you can instead require that the IP address appears in either the “Port Scanner Host” OR the “Brute Force Attacker Host” list.
Silence Time: Determine the alert silence time.
Silence Columns: Determine the alert silence column(s).
Mute: Determine the alarm mute time in hour(s).
Run: Determine the alarm run time.
*Silence: If the same alert rule is triggered more than once with the same column value and you do not want it to fire repeatedly, you can suppress creation of the alert for as many seconds as you choose.
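To make the correlation conditions and the silence behaviour described above concrete, here is an added Python sketch (not the product's own code) that evaluates the rule built in the text, with "is not", List membership and a behavior-style OR across Lists, and applies a per-column silence window. The List contents, the src_ip column name and the 60-second window are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional
# Constructed sample Lists standing in for the SIEM's own Lists (names taken from the page).
LISTS: Dict[str, set] = {
    "Brute Force Attacker Host": {"10.0.0.5", "10.0.0.7"},
    "Port Scanner Hosts": {"10.0.0.5", "10.0.0.9"},
}
Condition = Callable[[dict], bool]

def is_not(column: str, value: str) -> Condition:
    # The "is not" function: exclude events whose column equals value.
    return lambda ev: ev.get(column) != value

def in_list(column: str, list_name: str) -> Condition:
    # Column value must already be a member of the named List.
    return lambda ev: ev.get(column) in LISTS[list_name]

def in_any_list(column: str, list_names: List[str]) -> Condition:
    # Behavior-style OR: column value appears in at least one of the Lists.
    return lambda ev: any(ev.get(column) in LISTS[n] for n in list_names)

@dataclass
class AlertRule:
    name: str
    conditions: List[Condition]            # every condition must hold ("and")
    silence_seconds: int = 0               # Silence Time
    silence_column: Optional[str] = None   # Silence Column
    last_fired: Dict[Optional[str], float] = field(default_factory=dict)

    def evaluate(self, event: dict, now: float) -> bool:
        # True if the rule fires for this event after applying the silence window.
        if not all(cond(event) for cond in self.conditions):
            return False
        key = event.get(self.silence_column) if self.silence_column else None
        last = self.last_fired.get(key)
        if last is not None and now - last < self.silence_seconds:
            return False  # same column value fired inside the window: suppressed
        self.last_fired[key] = now
        return True

def example_rule() -> AlertRule:
    # The rule built in the text: not the excluded IP, present in both Lists,
    # silenced for 60 s per source IP (the 60 s window is an assumed value).
    return AlertRule(
        name="Port scanner turned brute forcer",
        conditions=[is_not("src_ip", "18.104.22.168"),
                    in_list("src_ip", "Brute Force Attacker Host"),
                    in_list("src_ip", "Port Scanner Hosts")],
        silence_seconds=60,
        silence_column="src_ip",
    )
```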
Action Column: Determine the action column for this alert rule.
Add to Feed List: The action column value can be added to a feed list for firewall external feeds.
Overwrite Alert Info: The alert name can be replaced with the selected column value.
Email: Select e-mail address(es) for notification (SMTP must be configured).
SMS: Select the GSM number(s) for notification (SMS sending must be configured).
Security Automation: The action column value can be sent to firewalls for blocking (security automation must be configured).
Mitre: Select MITRE rule(s) for this alert rule.
Soar Connector: Send this alert to the SOAR as an incident.
Co Managed: Select the incident type (collect, create ticket, case, etc.).