Yelp / elastalert

Easy & Flexible Alerting With ElasticSearch
https://elastalert.readthedocs.org
Apache License 2.0

Elastalert linking rules #3168

Closed 4C34C3 closed 3 years ago

4C34C3 commented 3 years ago

Hello, is it possible to create and link rules together, for example rule 2 will take action if rule 1 is true? Below is an example of what I want to create in elastalert.

Detects a user account that has been created, then added to an administrative group, after that the account disables or removes other accounts on the same server within one hour. Rule logic in a different platform:

@RSAAlert(oneInSeconds=0)
SELECT * FROM pattern [
    // user created: source user was created by destination user
    EVERY (a = Event(
        device_class = 'Windows Hosts', reference_id IN ('624', '4720'), user_src IS NOT NULL
    ))
    ->
    // the user has been added into a group
    b = Event(
        device_class = 'Windows Hosts',
        reference_id IN ('4728', '636', '4732', '660', '4756'),
        b.user_dst = a.user_dst
    )
    ->
    // same user was deleted or the new user deleted other users
    c = Event(
        device_class = 'Windows Hosts', reference_id IN ('630', '4726'), (
            c.user_src = a.user_src
            OR
            c.user_dst = a.user_src
        )
    )
] where timer:within(60 minutes)
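ElastAlert has no built-in way to make one rule depend on another rule's result, so a sequence like this has to live inside a single rule's own logic. The following is an added example, not code from the elastalert project or from the original post: a plain-Python correlator that mirrors the three stages, the join fields and the 60-minute window of the EPL pattern above over a constructed event list; the record layout (`ts`, `event_id`, `user_src`, `user_dst`) is an assumption, and the logic could serve as the core of a custom rule type.

```python
from datetime import datetime, timedelta

# Windows Security event IDs taken from the pattern on this page.
CREATE_IDS = {"624", "4720"}                            # account created
GROUP_ADD_IDS = {"4728", "636", "4732", "660", "4756"}  # added to a group
DELETE_IDS = {"630", "4726"}                            # account deleted
WINDOW = timedelta(minutes=60)                          # timer:within(60 minutes)


def find_sequences(events):
    """Return (a, b, c) triples reproducing the EPL joins literally:
    a: create event with a non-empty user_src;
    b: first later group-add with b.user_dst == a.user_dst;
    c: first deletion after b whose user_src or user_dst equals a.user_src;
    all three inside WINDOW measured from a."""
    ordered = sorted(events, key=lambda e: e["ts"])
    matches = []
    for i, a in enumerate(ordered):
        if a["event_id"] not in CREATE_IDS or not a.get("user_src"):
            continue
        deadline = a["ts"] + WINDOW
        b = None
        for e in ordered[i + 1:]:
            if e["ts"] > deadline:
                break  # window expired for this create event
            if b is None:
                if e["event_id"] in GROUP_ADD_IDS and e.get("user_dst") == a.get("user_dst"):
                    b = e
            elif e["event_id"] in DELETE_IDS and a["user_src"] in (e.get("user_src"), e.get("user_dst")):
                matches.append((a, b, e))
                break  # like EVERY: one hit per create event, then move on
    return matches


def _ev(ts, event_id, user_src, user_dst):
    return {"ts": datetime.fromisoformat(ts), "event_id": event_id,
            "user_src": user_src, "user_dst": user_dst}


# Constructed sample log (not from the page). As in the pattern's comments,
# user_src of the create event is the new account, user_dst its creator.
SAMPLE = [
    _ev("2023-01-10T10:00:00", "4720", "svc_new", "adm_creator"),
    _ev("2023-01-10T10:05:00", "4728", "adm_creator", "adm_creator"),  # b.user_dst == a.user_dst
    _ev("2023-01-10T10:20:00", "4726", "svc_new", "other_user"),       # new account deletes another
    _ev("2023-01-10T12:00:00", "4720", "svc_late", "adm_creator"),
    _ev("2023-01-10T12:10:00", "4732", "adm_creator", "adm_creator"),
    _ev("2023-01-10T13:30:00", "4726", "svc_late", "other_user"),      # 90 min later: outside window
]

if __name__ == "__main__":
    for a, b, c in find_sequences(SAMPLE):
        print(f"ALERT: {a['user_src']} created {a['ts']}, grouped {b['ts']}, deletion {c['ts']}")
```

Only the first sequence fires; the second create-group-delete chain is dropped because its deletion lands 90 minutes after the create event.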