When creating an alert rule is it possible to add some more advanced logic or additional criteria if the first query is triggered?
For example,
- I have authentication logs from our IdP
- I have an alert rule set for potential password compromise based on a few conditions (unknown device, successful password, failed MFA)
To help reduce the number of false positive alerts I would like to add something like "if" statements.
For example,
- if the rule is triggered (based on the above conditions), check the last 60-day login history for that user and IP address...
- if they have a high percentage of success (MFA too), then it is not an alert
- if there is no history of success from that IP and username, then create an alert
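The logic described in the question, written out as an added example that is not part of the original post and is not tied to any particular IdP or SIEM (the post does not name one). The event fields (`known_device`, `password_ok`, `mfa_ok`), the sample events, the 60-day lookback, the minimum history size of 3 prior logins and the 80% success threshold are all assumptions chosen for illustration. In a SIEM this is the shape of a correlation or lookup rule: the base rule fires, then the rule enriches the hit with the user+IP history before deciding whether to raise an alert.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    user: str
    ip: str
    known_device: bool         # IdP's device-recognition verdict (assumed field)
    password_ok: bool          # first factor succeeded
    mfa_ok: Optional[bool]     # None when MFA was never reached (e.g. password failed)


LOOKBACK = timedelta(days=60)   # history window from the question
MIN_HISTORY = 3                 # assumed: fewer prior user+IP logins counts as "no history"
SUCCESS_RATIO = 0.8             # assumed: suppress when >= 80% of prior logins fully succeeded


def is_candidate(ev: AuthEvent) -> bool:
    """Base rule from the question: unknown device, password accepted, MFA failed."""
    return (not ev.known_device) and ev.password_ok and ev.mfa_ok is False


def prior_history(events, ev: AuthEvent):
    """Earlier events for the same user AND source IP inside the lookback window."""
    start = ev.ts - LOOKBACK
    return [h for h in events
            if h.user == ev.user and h.ip == ev.ip and start <= h.ts < ev.ts]


def classify(events, ev: AuthEvent) -> str:
    """Return 'ignore' (base rule not hit), 'suppress' (good history) or 'alert'."""
    if not is_candidate(ev):
        return "ignore"
    hist = prior_history(events, ev)
    if len(hist) < MIN_HISTORY:
        return "alert"                      # no meaningful history from this IP
    full_success = sum(1 for h in hist if h.password_ok and h.mfa_ok)
    ratio = full_success / len(hist)        # password AND MFA both succeeded
    return "suppress" if ratio >= SUCCESS_RATIO else "alert"


def run(events):
    """Evaluate every event in time order; returns (user, ip, decision) triples."""
    ordered = sorted(events, key=lambda e: e.ts)
    return [(ev.user, ev.ip, classify(ordered, ev)) for ev in ordered]


# ---- constructed sample data (not real logs) ----
T0 = datetime(2024, 3, 1, 9, 0, 0)


def ev(days_ago, user, ip, known_device, password_ok, mfa_ok):
    return AuthEvent(T0 - timedelta(days=days_ago), user, ip,
                     known_device, password_ok, mfa_ok)


SAMPLE_EVENTS = (
    # alice: five clean logins from this IP in the last 60 days, then a suspicious one
    [ev(d, "alice", "203.0.113.10", True, True, True) for d in (40, 30, 20, 12, 5)]
    + [ev(0, "alice", "203.0.113.10", False, True, False)]
    # bob: first time this user is ever seen from this IP
    + [ev(0, "bob", "198.51.100.7", False, True, False)]
    # carol: history exists but is mostly MFA failures (1 of 4 fully succeeded)
    + [ev(25, "carol", "192.0.2.5", True, True, True)]
    + [ev(d, "carol", "192.0.2.5", True, True, False) for d in (18, 11, 3)]
    + [ev(0, "carol", "192.0.2.5", False, True, False)]
    # dave: good history, but all of it is older than the 60-day window
    + [ev(d, "dave", "203.0.113.44", True, True, True) for d in (95, 90, 80, 70)]
    + [ev(0, "dave", "203.0.113.44", False, True, False)]
    # erin: MFA failed but the device is known, so the base rule never fires
    + [ev(0, "erin", "203.0.113.99", True, True, False)]
)


if __name__ == "__main__":
    for user, ip, decision in run(SAMPLE_EVENTS):
        if decision != "ignore":
            print(f"{user:6} {ip:15} {decision}")
```

Two things worth keeping in mind when moving this into a real rule: the history check is keyed on user and IP together, so a shared office or VPN egress address will accumulate a good history quickly and suppress hits from anyone on that network, which is exactly the case where an attacker sitting behind the same egress would be missed; and the suppressed hits are still worth recording at low severity rather than discarding, so the history itself can be reviewed later.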