Hi @NerdSec, thanks for the post. The answer is Yes, we do plan to support detection rules that can use Elasticsearch aggregations. We'll likely start with just some simple threshold-based capability, as future rule types will provide more advanced correlation capabilities.
There is a GitHub issue that covers the general idea here: https://github.com/elastic/kibana/issues/68409
Your example is a good one to help us make sure that the new rule capability meets the needs of SIEM users.
Question please: If you had this capability in the Elastic SIEM app, what are a few more simple rules that you think users might want to create?
Thanks again!
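As an added illustration of what a "threshold rule built on an aggregation" amounts to (example code written for this page, not code from the post above, from the Elastic SIEM app, or from the linked Kibana issue): group events by a field, count them inside a time window, and alert on any group whose count reaches the threshold. The Elasticsearch request body it builds uses a `terms` aggregation with `min_doc_count`, which drops buckets below the threshold server-side; the same logic is then evaluated locally over constructed sample events. The ECS field names (`source.ip`, `event.outcome`), the threshold of 5 failed logins in 10 minutes, and the sample events are all assumptions made for the example.

```python
"""Threshold detection over grouped events.

Added example: not code from the Elastic SIEM app or the Kibana issue it
links to. Field names follow ECS (source.ip, event.outcome) but that, like
the threshold and window, is an assumption; the events below are constructed.
"""
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample events (flat ECS-style keys, naive UTC timestamps).
SAMPLE_EVENTS = [
    {"@timestamp": datetime(2020, 6, 10, 11, 51), "source.ip": "203.0.113.10", "event.outcome": "failure"},
    {"@timestamp": datetime(2020, 6, 10, 11, 53), "source.ip": "203.0.113.10", "event.outcome": "failure"},
    {"@timestamp": datetime(2020, 6, 10, 11, 55), "source.ip": "203.0.113.10", "event.outcome": "failure"},
    {"@timestamp": datetime(2020, 6, 10, 11, 57), "source.ip": "203.0.113.10", "event.outcome": "failure"},
    {"@timestamp": datetime(2020, 6, 10, 11, 59), "source.ip": "203.0.113.10", "event.outcome": "failure"},
    # Same source, but outside the 10 minute window: must not be counted.
    {"@timestamp": datetime(2020, 6, 10, 11, 30), "source.ip": "203.0.113.10", "event.outcome": "failure"},
    # Same source, but a success: excluded by the rule's filter.
    {"@timestamp": datetime(2020, 6, 10, 11, 58), "source.ip": "203.0.113.10", "event.outcome": "success"},
    # Second source with only two failures: stays below the threshold.
    {"@timestamp": datetime(2020, 6, 10, 11, 52), "source.ip": "198.51.100.7", "event.outcome": "failure"},
    {"@timestamp": datetime(2020, 6, 10, 11, 56), "source.ip": "198.51.100.7", "event.outcome": "failure"},
]


def build_threshold_query(group_field, threshold, window, filter_term):
    """Return an Elasticsearch request body expressing the threshold rule.

    A `terms` aggregation on `group_field` with `min_doc_count` = threshold
    returns only buckets that have at least `threshold` matching documents,
    so the thresholding happens in Elasticsearch rather than in the client.
    `window` is a date-math offset such as "10m".
    """
    return {
        "size": 0,
        "query": {
            "bool": {
                "filter": [
                    {"term": filter_term},
                    {"range": {"@timestamp": {"gte": f"now-{window}"}}},
                ]
            }
        },
        "aggs": {
            "by_group": {
                "terms": {"field": group_field, "min_doc_count": threshold, "size": 100}
            }
        },
    }


def evaluate_threshold(events, group_field, threshold, window, now, predicate):
    """Local evaluation of the same rule over already-fetched events.

    Keeps events that satisfy `predicate` and fall inside [now - window, now],
    counts them per `group_field`, and returns {group: count} for every group
    whose count is at or above `threshold`.
    """
    start = now - window
    counts = Counter(
        event[group_field]
        for event in events
        if predicate(event) and start <= event["@timestamp"] <= now
    )
    return {group: n for group, n in counts.items() if n >= threshold}


def run_example():
    """Five or more failed logins from one source.ip within 10 minutes."""
    now = datetime(2020, 6, 10, 12, 0)
    return evaluate_threshold(
        SAMPLE_EVENTS,
        group_field="source.ip",
        threshold=5,
        window=timedelta(minutes=10),
        now=now,
        predicate=lambda e: e["event.outcome"] == "failure",
    )


if __name__ == "__main__":
    for ip, n in run_example().items():
        print(f"ALERT: {n} failed logins from {ip} in the last 10 minutes")
```

Run as a script it raises one alert, for 203.0.113.10, because the old failure and the success are excluded and the second source never reaches five. The query builder is included so the local evaluation can be compared with what the server-side aggregation would return; in a real rule the date-math window and the threshold would come from the rule definition rather than being hard-coded.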