Question

Correlation rule from previous rule detections

  • February 27, 2026
  • 1 reply
  • 32 views

TechSecOps

Hi there!

I'm relatively new to Google SecOps and it would be great if I could get some help with something basic I've done before with another SIEM.


I already have 3 detection rules for AWS:

AWS_rule_1

AWS_rule_2

AWS_rule_3


I'd like to create a new YARA rule that detects when 2 or more of the previously mentioned rules have correlated on the same principal.id.


Ex: AWS_rule_1 and 3 have detections with principal.id = "192.168.1.1"
The new AWS_rule_4 (could be named something like "various detections in AWS with shared IP") would generate a new detection.


It's something quite simple with other technologies I've worked with, but I can't find a way to achieve it in SecOps.


Thanks in advance


1 reply

Asura
  • February 28, 2026

Hello TechSecOps,


Yes it is possible.


For that you will have to leverage what is called "composite detection".


It simply leverages the "detection" data source, which records all detections of your rules.


You can then use the X of N recent feature in the condition section to achieve your goal.
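As an added illustration of the composite-detection approach described in the answer above (this is example code, not code posted by either participant or taken from the Google SecOps documentation), the following YARA-L 2.0 rule reads from the `detection` data source, groups the detections produced by the three existing AWS rules by the principal IP they share, and fires only when at least two distinct source rules have hit the same IP inside the match window. The rule names AWS_rule_1 to AWS_rule_3 come from the question; the field paths `detection.detection.rule_name` and `detection.collection_elements.references.event.principal.ip`, the 24h window, and the use of `principal.ip` (the question wrote `principal.id` but gave an IP as the value) are assumptions and should be checked against the current composite-detection documentation before deploying.

```yaral
rule aws_multiple_detections_shared_principal_ip {
  meta:
    author = "example, not part of the original thread"
    description = "Two or more distinct AWS rules produced detections for the same principal IP"
    severity = "MEDIUM"
    // Assumption: composite rules are flagged with this meta key
    type = "composite"

  events:
    // Assumption: each record of the `detection` data source exposes the
    // firing rule's name under detection.detection.rule_name
    $d.detection.detection.rule_name = $rule_name
    // Only consider the three existing AWS rules named in the question
    re.regex($rule_name, `^AWS_rule_[123]$`)
    // Assumption: the UDM event that triggered the source rule is reachable
    // under detection.collection_elements.references.event; key on its principal IP
    $d.detection.collection_elements.references.event.principal.ip = $ip

  match:
    // Assumption: 24h is a reasonable window; tune to the source rules' cadence
    $ip over 24h

  outcome:
    // Count how many different source rules hit this IP, and list them
    $distinct_rules = count_distinct($rule_name)
    $rules_fired = array_distinct($rule_name)
    $detection_count = count($d.detection.id)

  condition:
    // Fire only when at least two distinct source rules share the IP;
    // a single rule firing many times on one IP does not qualify
    $d and $distinct_rules >= 2
}
```

The important design point is the `count_distinct($rule_name) >= 2` check in the condition rather than a plain count of detections: counting `$d` alone would fire when one rule alone triggers twice on the same IP, which is not the "2 or more of the previous rules" requirement from the question. The `$rules_fired` outcome carries the names of the contributing rules into the resulting detection so an analyst can see which combination fired without opening each source detection.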