
Dear SIEM Group,

I am trying to set up event correlation in Siemplify (version 5.2.3) to detect possible unauthorised access attempts on a critical server. In particular I would like to identify the following scenarios:

1. User A (username: John Doe, employee ID: 12345) logs into the corporate network via VPN from an unknown or high-risk location.
2. Within 15 minutes after this login, User A establishes an RDP connection to the critical server (server name: "Prod-Database").
3. Immediately after the RDP connection, User A tries to modify sensitive files or configurations on the server, triggering the "Unauthorised_Modification" event.

To achieve this, I am considering creating correlation rules based on the following:

Event sources:
- "VPN_Login" for User A's VPN activity, including location information.
- "RDP_Connection" for User A's connection to the critical server.
- "Unauthorised_Modification" for suspicious file/configuration changes.

Criteria:
- User A's identity and login time.
- Time difference between VPN login and RDP connection (within 15 minutes).
- Specific files or configurations accessed during the "Unauthorised_Modification" event.

However, I am not sure of the following:

1. Are there additional event sources or criteria I should consider?
2. What specific conditions should be used in the correlation rules to ensure accuracy and avoid false positives?
3. Are there best practices for creating similar correlation scenarios in Siemplify?

I would appreciate any insights or advice to help me structure this correlation rule effectively.

Thank you,
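The three-step chain the post describes, as an added, stand-alone example (not Siemplify code and not from the original post): a small correlation function run over constructed sample events. The 15-minute VPN-to-RDP window is from the post; the 5-minute "immediately after" window for the modification step and the set of high-risk locations are assumptions.

```python
from datetime import datetime, timedelta

# 15 minutes is from the post; the 5-minute window for "immediately after"
# and the high-risk location list are assumed values a team would tune.
RDP_WINDOW = timedelta(minutes=15)
MOD_WINDOW = timedelta(minutes=5)
HIGH_RISK_LOCATIONS = {"Unknown", "TOR exit", "Anonymous proxy"}

# Constructed sample events in the three sources the post names (not real logs).
SAMPLE_EVENTS = [
    {"source": "VPN_Login", "user": "John Doe", "time": "2024-05-01T08:00:00", "location": "Unknown"},
    {"source": "RDP_Connection", "user": "John Doe", "time": "2024-05-01T08:09:00", "host": "Prod-Database"},
    {"source": "Unauthorised_Modification", "user": "John Doe", "time": "2024-05-01T08:10:30",
     "host": "Prod-Database", "object": "db.conf"},
    # Benign: same later steps but the VPN login came from a known office, so no alert.
    {"source": "VPN_Login", "user": "Jane Roe", "time": "2024-05-01T09:00:00", "location": "HQ office"},
    {"source": "RDP_Connection", "user": "Jane Roe", "time": "2024-05-01T09:03:00", "host": "Prod-Database"},
    {"source": "Unauthorised_Modification", "user": "Jane Roe", "time": "2024-05-01T09:04:00",
     "host": "Prod-Database", "object": "db.conf"},
    # RDP 40 minutes after the login: outside the 15-minute window, so no alert.
    {"source": "VPN_Login", "user": "Sam Poe", "time": "2024-05-01T10:00:00", "location": "Unknown"},
    {"source": "RDP_Connection", "user": "Sam Poe", "time": "2024-05-01T10:40:00", "host": "Prod-Database"},
    {"source": "Unauthorised_Modification", "user": "Sam Poe", "time": "2024-05-01T10:41:00",
     "host": "Prod-Database", "object": "db.conf"},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def correlate(events, critical_server="Prod-Database"):
    """Return one alert per user whose events match VPN (high-risk) -> RDP -> modification."""
    by_user = {}
    for ev in sorted(events, key=_ts):
        by_user.setdefault(ev["user"], []).append(ev)
    alerts = []
    for user, chain in by_user.items():
        for vpn in chain:
            if vpn["source"] != "VPN_Login" or vpn["location"] not in HIGH_RISK_LOCATIONS:
                continue
            # Step 2: first RDP to the critical server within RDP_WINDOW of the VPN login.
            rdp = next((e for e in chain if e["source"] == "RDP_Connection"
                        and e.get("host") == critical_server
                        and _ts(vpn) <= _ts(e) <= _ts(vpn) + RDP_WINDOW), None)
            if rdp is None:
                continue
            # Step 3: modification on that server within MOD_WINDOW of the RDP connection.
            mod = next((e for e in chain if e["source"] == "Unauthorised_Modification"
                        and e.get("host") == critical_server
                        and _ts(rdp) <= _ts(e) <= _ts(rdp) + MOD_WINDOW), None)
            if mod is not None:
                alerts.append({"user": user, "vpn_location": vpn["location"],
                               "rdp_delay_min": (_ts(rdp) - _ts(vpn)).seconds // 60,
                               "object": mod["object"]})
    return alerts
```

Requiring all three steps on the same user and the same server, with the modification tied to the RDP session start rather than to the VPN login, is what keeps the benign office login and the late RDP session in the sample from alerting.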
