I am trying to fine tune one use case "Suspicious Event Log Service Behaviour". Below is the rule logic (`wineventlog_security` EventCode=1100) | stats count min(_time) as firstTime max(_time) as lastTime by dest Message EventCode | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_event_log_service_behavior_filter` | collect index=asx sourcetype=asx marker="mitre_id=T1070.001, execution_type=adhoc, execution_time=1637664004.675815" but the rule is currently too noisy. Is it possible to set a bin time(5mins) between stop logging and start logging events. After 5mins if the logging started then I want to ignore the alerts. Or I have seen a field named dvc_priority, can we set the alerts only for high or critical? Help me with the query please.
... View more