Hi there!
I'm relatively new to Google SecOps, and it would be great if I could get some help with something basic I've done before with another SIEM.
I already have 3 detection rules for AWS:
AWS_rule_1
AWS_rule_2
AWS_rule_3
I'd like to create a new YARA rule that detects when 2 or more of the rules mentioned above have correlated on the same principal.id.
Ex: AWS_rule_1 and 3 have detections with principal.id = "192.168.1.1"
The new AWS_rule_4 (could be named something like "Various detections in AWS with shared IP") would generate a new detection.
It's something quite simple with other technologies I've worked with, but I can't find my way around to achieving it in SecOps.
Thanks in advance
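Added example (not part of the original post): one way to express this in Google SecOps is a composite detection, a YARA-L 2.0 rule whose events section reads earlier detections rather than raw UDM events. The rule below assumes that AWS_rule_1, AWS_rule_2 and AWS_rule_3 each declare a match variable named $principal_ip (bound to principal.ip, since the value in the post looks like an IP address), so that every detection they produce carries that value in detection_fields under the key "principal_ip". The rule name, the 24h window and the severity are placeholders.

```yaral
rule aws_multiple_rules_shared_principal {
  meta:
    author = "example"
    description = "Two or more of AWS_rule_1..3 fired for the same principal within the window"
    severity = "HIGH"

  events:
    // Read prior detections (composite detection) instead of raw UDM events,
    // and keep only the three AWS base rules.
    $d.detection.rule_name = $rule_name
    re.regex($rule_name, `^AWS_rule_[123]$`)

    // ASSUMPTION: each base rule matches on $principal_ip, so the detection
    // exposes it in detection_fields under that key. Adjust the key if the
    // base rules use a different match variable (or an outcome variable,
    // in which case use $d.detection.outcomes["..."] instead).
    $d.detection.detection_fields["principal_ip"] = $principal_ip

  match:
    // Group detections by principal over a 24h window (placeholder value).
    $principal_ip over 24h

  outcome:
    $distinct_rules = count_distinct($rule_name)
    $rules_fired = array_distinct($rule_name)

  condition:
    // Fire only when at least two different base rules hit the same principal;
    // three detections from the same base rule alone are not enough.
    $d and $distinct_rules >= 2
}
```

The point of count_distinct on the rule name is that the new rule should not fire when a single base rule produced several detections for one principal; only a combination of different rules counts. If the base rules do not currently match on the principal field, they need a match section that does, otherwise the composite rule has nothing to join on.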