Question

Correlation rule from previous rule detections

  • February 27, 2026
  • 0 replies
  • 2 views

TechSecOps

Hi there!

 

 

I'm relatively new to Google SecOps, and it would be great if I could get some help with something basic I've worked on before with another SIEM.

 

I already have 3 detection rules for AWS:

AWS_rule_1

AWS_rule_2

AWS_rule_3

 

I'd like to create a new YARA rule that detects when 2 or more of the previously mentioned rules have correlated with the same principal.id


Ex: AWS_rule_1 and 3 have detections with principal.id = “192.168.1.1”
The new AWS_rule_4 (could be named something like "various detections in AWS with shared IP") would generate a new detection

 

It's something quite simple with other technologies I've worked with, but I can't find my way around to achieve it in SecOps

 

Thanks in advance