
I'm interested in developing an anomaly detection rule in Chronicle. This rule should monitor for a particular event across multiple users over a set period. If any user who hasn't triggered this event within that period does so afterward, we want to be alerted. Does Chronicle support this type of time-based, user-specific event monitoring and alerting?

I've tried utilizing the match section, but it doesn't seem to do what's needed.
