MAR searches

NetworkFlow process, process_id where NetworkFlow src_ip contains 10.250.45.0/24
and NetworkFlow dst_ip equals 10.0.0.2

CurrentFlow process_id where CurrentFlow local_ip contains 10.250.45.0/24 and
CurrentFlow remote_ip equals 10.0.0.2

https://git.io/v5nB6

trigger "Network src_ip contains 10.10.0.255/24 and Network dst_ip equals 10.10.0.255/24 and Network dst_port equals 10001"