Hi there,
I’m trying to incorporate user behavior patterns (UEBA techniques) into SecOps rules. For example, let’s say I want to create a rule that triggers an alert whenever a user clears Windows event logs. I only want that to trigger an alert if the user has not previously run similar commands in the last 30-90 days. If they haven’t run those commands previously, then that is considered ‘anomalous’ and an alert will be triggered. I took a look at using metrics but only certain functions are supported.
Is this possible? I figured with playbooks in SOAR it is, but was hoping to accomplish this within the rule itself.
Thanks!
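Added example (not part of the post above, and not Google SecOps rule syntax): the "first log clear for this user in N days" logic from the question, written as plain Python of the kind you might run in a SOAR playbook step or an external enrichment job over process and Windows audit events. The command-line patterns (`wevtutil cl`/`clear-log`, PowerShell `Clear-EventLog`) and the log-cleared event IDs (Security 1102, System 104) are what the code keys on; the events themselves are constructed sample data, not real telemetry.

```python
"""Baseline-aware detection: alert on a Windows event-log clear only when the
user has no prior log clear inside a trailing lookback window.

Added illustration, not a Google SecOps rule. Sample events are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Command lines that clear Windows event logs: wevtutil cl / clear-log and the
# PowerShell Clear-EventLog cmdlet. Matching is case-insensitive on the
# process command line only.
LOG_CLEAR_PATTERNS = [
    re.compile(r"\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\b", re.IGNORECASE),
    re.compile(r"\bClear-EventLog\b", re.IGNORECASE),
]

# Audit records Windows writes when a log is cleared:
# 1102 = Security log cleared, 104 = System log cleared.
LOG_CLEARED_EVENT_IDS = {1102, 104}


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    command_line: str = ""
    event_id: int | None = None


def is_log_clear(ev: Event) -> bool:
    """True if the event is a log-clear command or a log-cleared audit record."""
    if ev.event_id in LOG_CLEARED_EVENT_IDS:
        return True
    return any(p.search(ev.command_line) for p in LOG_CLEAR_PATTERNS)


def anomalous_log_clears(events, lookback_days: int = 90):
    """Return (user, ts) for every log clear that is the user's first one
    within the trailing `lookback_days` window.

    Events are processed in time order; only the user's most recent prior
    log clear matters, so a single timestamp per user is enough state.
    """
    alerts = []
    last_seen: dict[str, datetime] = {}
    window = timedelta(days=lookback_days)
    for ev in sorted(events, key=lambda e: e.ts):
        if not is_log_clear(ev):
            continue
        prev = last_seen.get(ev.user)
        if prev is None or ev.ts - prev > window:
            alerts.append((ev.user, ev.ts))  # no baseline: anomalous
        last_seen[ev.user] = ev.ts  # every clear extends the user's baseline
    return alerts


# Constructed sample events (not real logs).
SAMPLE_EVENTS = [
    Event(datetime(2024, 1, 10, 9, 0), "alice", "wevtutil.exe cl Security"),
    Event(datetime(2024, 1, 20, 14, 30), "alice",
          "powershell -c Clear-EventLog -LogName System"),
    Event(datetime(2024, 1, 25, 8, 0), "bob", "wevtutil qe Security /c:5"),  # a query, not a clear
    Event(datetime(2024, 2, 1, 11, 0), "bob", "", event_id=1102),  # Security log cleared
    Event(datetime(2024, 6, 1, 10, 0), "alice", "wevtutil cl Application"),
]

if __name__ == "__main__":
    for user, ts in anomalous_log_clears(SAMPLE_EVENTS):
        print(f"ALERT first log clear in 90d: user={user} at {ts.isoformat()}")
```

With the sample data, alice's first clear on 2024-01-10 alerts, her repeat ten days later is suppressed because a baseline now exists, bob's 1102 audit record alerts, and alice's clear on 2024-06-01 alerts again because more than 90 days have passed since her last one. One caveat worth keeping in mind when tuning this: the baseline is built from the same behavior you are trying to catch, so one clear inside the window quiets every further clear by that user until the window expires; pairing the lookback with a count threshold or a separate rule for repeated clears covers that gap.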