Advanced logic alert rules (if "A" happens, look for "B")

When creating an alert rule, is it possible to add some more advanced logic or additional criteria if the first query is triggered?

For example,

  • I have authentication logs from our IdP
  • I have an alert rule set for potential password compromise based on a few conditions (unknown device, successful password, failed MFA)

To help reduce the number of false positive alerts, I would like to add something like "if" statements.

For example,

  • if the rule is triggered (based on the above conditions), check the last 60 days of login history for that user and IP address...
  • if they have a high percentage of success (MFA too), then it is not an alert
  • if there is no history of success from that IP and username, then create an alert
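The two-stage logic described in the post, as an added example that is not part of the original thread and is not tied to any particular alerting product. It assumes a hypothetical flat event schema (user, ip, device_known, password_ok, mfa_ok) and constructed sample events; the stage-one rule is the poster's (unknown device, correct password, failed MFA), and stage two looks back 60 days at the same user+IP pair and suppresses only when there is an established pattern of full MFA-verified success. The handling of the middle case (some success history but not enough to trust) is an assumption made here: it still alerts.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample IdP authentication events (hypothetical schema, not from any
# particular IdP). Each record is one login attempt. NOW is the evaluation time.
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)


def _ev(days_ago, user, ip, device_known, password_ok, mfa_ok):
    return {
        "ts": NOW - timedelta(days=days_ago),
        "user": user,
        "ip": ip,
        "device_known": device_known,
        "password_ok": password_ok,
        "mfa_ok": mfa_ok,
    }


EVENTS = [
    # alice logs in from 203.0.113.10 regularly over the last two months, MFA passes
    *[_ev(d, "alice", "203.0.113.10", True, True, True) for d in (55, 40, 30, 15, 7, 2)],
    # today: alice from the same IP on an unregistered device, password OK, MFA fails
    _ev(0, "alice", "203.0.113.10", False, True, False),
    # bob has never been seen from 198.51.100.77; password correct, MFA fails
    _ev(0, "bob", "198.51.100.77", False, True, False),
    # carol: one old success from this IP (70 days ago, outside the window), then a hit today
    _ev(70, "carol", "192.0.2.5", True, True, True),
    _ev(0, "carol", "192.0.2.5", False, True, False),
]


def stage_one_matches(ev):
    """The original rule: unknown device, correct password, failed MFA."""
    return (not ev["device_known"]) and ev["password_ok"] and (not ev["mfa_ok"])


def login_history(events, user, ip, before, window_days=60):
    """Prior attempts for this user+IP inside the window, and how many were full successes.

    Only events strictly before `before` count, so the triggering event itself is excluded.
    """
    start = before - timedelta(days=window_days)
    prior = [
        e for e in events
        if e["user"] == user and e["ip"] == ip and start <= e["ts"] < before
    ]
    successes = [e for e in prior if e["password_ok"] and e["mfa_ok"]]
    return len(prior), len(successes)


def evaluate(ev, events, window_days=60, min_history=3, success_threshold=0.8):
    """Return 'alert', 'suppressed', or None when stage one did not fire."""
    if not stage_one_matches(ev):
        return None
    total, successes = login_history(events, ev["user"], ev["ip"], ev["ts"], window_days)
    if successes == 0:
        return "alert"  # no history of MFA-verified success from this user+IP at all
    if total >= min_history and successes / total >= success_threshold:
        return "suppressed"  # established, MFA-verified pattern for this user+IP
    return "alert"  # some history, but too thin or too failure-heavy to trust (assumption)


def run(events):
    """Evaluate every event; returns {(user, ip): decision} for stage-one hits only."""
    decisions = {}
    for ev in events:
        d = evaluate(ev, events)
        if d is not None:
            decisions[(ev["user"], ev["ip"])] = d
    return decisions


if __name__ == "__main__":
    for key, decision in run(EVENTS).items():
        print(key, "->", decision)
```

Two details matter in practice: the history query must exclude the triggering event (otherwise the MFA failure that fired the rule dilutes its own baseline), and `min_history` keeps a single prior success from suppressing an alert. The suppression only reflects the user+IP pair, so a session hijack or an attacker behind the same NAT as the user still fires stage one but is suppressed by stage two; that is the trade-off the poster is accepting to cut false positives.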