Can someone please help to create a detection rule based on logic mentioned below.
All unique mac.address field name with common.role:rogue should be aggregated and matched againewith the mac.address field name with common.role:* in same index and if any same mac.address comes without common.role:rogue value, it should be alerted.
Here the attempt is to detect the permitted rogue devices.
Looks like this can be achieved by taking the output of below aggregation and matching with the same index again with field common.role:* . Can some one please help me understand using which rule type i can create this cross correlation.
output of unique_macaccress aggregation should match again with same index A by keeping common.role:*
Please help me to resolve this.
Thanks in advance