Condition is a str, not a list

To be consistent with schema and all the other rules: - `condition` should be a `str` - if an `or` condition needs to be applied, use parentheses and literal `or` instead of a `list`
2018-01-28 16:16:00 +03:00
parent 90a8cc9d40
commit 376d0414d8
1 changed files with 1 additions and 3 deletions
@@ -7,9 +7,7 @@ detection:
    selection:
        action: denied
    timeframe: 24h
-    condition:
-        - selection | count(dst_port) by src_ip > 10
-        - selection | count(dst_ip) by src_ip > 10
+    condition: ( selection | count(dst_port) by src_ip > 10 ) or ( selection | count(dst_ip) by src_ip > 10 )
 fields:
    - src_ip
    - dst_ip