ALERT 1: raising the alert when more than 4 systems got affected with the same virus OR worm signature WITHIN 20 MINS and bringing the output contains only one field WHICH IS IP ADDRESS of the infected machines.
QUERY for alert 1:
Risk_Name!="JS.Downloader" Source!="Scheduled Scan" (Category_type="*Virus" OR Category_type="Security Risk")
| bucket span=20min _time as bucket_time| eval Bucket_Time=strftime(bucket_time,"%m/%d/%y %H:%M:%S")
| stats dc(dest_ip) as Count values(dest_ip) as Infected_machns by Risk_Name Bucket_Time category| where Count > 4| table Infected_machns
ALERT 2: raising the alert when any type of traffic detected from the above "Infected_machns" to any machines within a 20 minute period.
QUERY FOR ALERT2:
index=sepm sourcetype=symantec:ep:traffic:file Action=Allowed | stats dc(dest_ip) as Count2 by Infected_machns | where Count2 > 3
How can I combine both these alerts in a single search?