I’d like to know if there is a native way in Security Analytics to define a rule that dynamically compares two fields (e.g. `event1.fieldX` and `event2.fieldY`) (with compare I mean - for example - equality or inequality, etc.) in separate documents within a time window and triggers an alert if they match.
—Example Use Case—
Goal: Detect the Zerologon exploit by comparing `user.name` in one Winlogbeat event to `host.name` in another event.
Window: Within 5 minutes of the original event.
- Is there already a native option for this kind of dynamic field comparison?
- If not, is it planned for a future release?
Thanks in advance.
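A reference implementation of the cross-document comparison the post asks for, added here as an example; it is not part of the original post and does not represent a native Security Analytics feature. The Winlogbeat-style documents, the `event.id` values and the 5-minute window are constructed for illustration, and the comparator is pluggable so equality, inequality or any other predicate can be used.

```python
from datetime import datetime, timedelta
from typing import Any, Callable

# Constructed Winlogbeat-style documents (not real logs); only the fields used here are present.
SAMPLE_EVENTS = [
    {"@timestamp": "2020-09-14T10:00:00Z", "event": {"id": "e1"},
     "user": {"name": "dc01"}, "host": {"name": "ws-07"}},
    {"@timestamp": "2020-09-14T10:03:30Z", "event": {"id": "e2"},
     "user": {"name": "alice"}, "host": {"name": "dc01"}},
    {"@timestamp": "2020-09-14T10:07:00Z", "event": {"id": "e3"},
     "user": {"name": "bob"}, "host": {"name": "dc01"}},   # same host.name, but > 5 min after e1
    {"@timestamp": "2020-09-14T10:01:00Z", "event": {"id": "e4"},
     "host": {"name": "ws-12"}},                           # no user.name field at all
]

def get_path(doc: dict, path: str) -> Any:
    """Resolve a dotted field name such as 'user.name' in a nested document; None if absent."""
    cur: Any = doc
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def parse_ts(doc: dict) -> datetime:
    """Parse the ECS @timestamp (RFC 3339 with a 'Z' suffix) into a timezone-aware datetime."""
    return datetime.fromisoformat(doc["@timestamp"].replace("Z", "+00:00"))

def correlate(events, field_x: str, field_y: str, window: timedelta,
              compare: Callable[[Any, Any], bool] = lambda a, b: a == b):
    """Return (first, second) pairs where compare(first[field_x], second[field_y]) holds
    and `second` occurs within `window` after `first`. Pass a different comparator
    (e.g. lambda a, b: a != b) for inequality or any other dynamic comparison."""
    ordered = sorted(events, key=parse_ts)
    matches = []
    for i, first in enumerate(ordered):
        x = get_path(first, field_x)
        if x is None:
            continue
        t0 = parse_ts(first)
        for second in ordered[i + 1:]:
            if parse_ts(second) - t0 > window:
                break  # events are time-sorted, so nothing further can fall inside the window
            y = get_path(second, field_y)
            if y is not None and compare(x, y):
                matches.append((first, second))
    return matches

def sample_matches():
    """The use case from the post: user.name in one event vs host.name in a later one, 5-minute window."""
    return [(a["event"]["id"], b["event"]["id"])
            for a, b in correlate(SAMPLE_EVENTS, "user.name", "host.name", timedelta(minutes=5))]
```

Only the earlier event supplies `field_x`; to match in the other direction as well, call `correlate` a second time with the field names swapped.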