Hi, I'm new to Elastic SIEM and now I need to create a rule to detect successful SSH logins from multiple IP addresses with the same username. I wonder how I can create a rule like this, since if I use a Custom Query or Threshold rule type, it will be stuck to one IP only.
Filebeat and Auditbeat are already running on the server and I can see the SSH logs in Discover.
Thank you
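Added example, not part of the original post: the detection logic the question asks for, run over a handful of constructed ECS-style events. The idea is to group successful SSH logins by `user.name` and fire only when the number of distinct `source.ip` values for one user within a time window reaches a threshold, which is exactly what a Threshold rule with a "group by" on the user and a unique-count (cardinality) condition on the source IP expresses in Elastic Security. Field names follow ECS; the `event.action` value, the threshold of three IPs and the one-hour window are assumptions chosen for illustration and should be checked against the actual documents visible in Discover.

```python
"""Detect one user logging in over SSH from several distinct source IPs.

Added example, not code from the original post or from Elastic. Events use
ECS field names (user.name, source.ip, event.outcome, @timestamp); the
event.action value "ssh_login" is an assumption about what the shipped logs
contain. Threshold and window values are illustrative assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs). alice: 3 IPs in 9 minutes ->
# should alert. bob: 3 IPs spread over 3 hours -> outside a 1 h window.
# carol: many logins from one IP -> would trip a plain count threshold but
# not a distinct-IP threshold. dave: 3 IPs but all failures -> ignored.
SAMPLE_EVENTS = [
    {"@timestamp": "2024-05-01T09:00:00Z", "event.action": "ssh_login", "event.outcome": "success", "user.name": "bob",   "source.ip": "203.0.113.20"},
    {"@timestamp": "2024-05-01T10:00:00Z", "event.action": "ssh_login", "event.outcome": "success", "user.name": "alice", "source.ip": "203.0.113.10"},
    {"@timestamp": "2024-05-01T10:05:00Z", "event.action": "ssh_login", "event.outcome": "success", "user.name": "alice", "source.ip": "198.51.100.7"},
    {"@timestamp": "2024-05-01T10:09:00Z", "event.action": "ssh_login", "event.outcome": "success", "user.name": "alice", "source.ip": "192.0.2.25"},
    {"@timestamp": "2024-05-01T10:30:00Z", "event.action": "ssh_login", "event.outcome": "success", "user.name": "bob",   "source.ip": "198.51.100.8"},
    {"@timestamp": "2024-05-01T11:00:00Z", "event.action": "ssh_login", "event.outcome": "success", "user.name": "carol", "source.ip": "203.0.113.50"},
    {"@timestamp": "2024-05-01T11:01:00Z", "event.action": "ssh_login", "event.outcome": "success", "user.name": "carol", "source.ip": "203.0.113.50"},
    {"@timestamp": "2024-05-01T11:02:00Z", "event.action": "ssh_login", "event.outcome": "success", "user.name": "carol", "source.ip": "203.0.113.50"},
    {"@timestamp": "2024-05-01T11:00:00Z", "event.action": "ssh_login", "event.outcome": "failure", "user.name": "dave",  "source.ip": "203.0.113.60"},
    {"@timestamp": "2024-05-01T11:01:00Z", "event.action": "ssh_login", "event.outcome": "failure", "user.name": "dave",  "source.ip": "198.51.100.9"},
    {"@timestamp": "2024-05-01T11:02:00Z", "event.action": "ssh_login", "event.outcome": "failure", "user.name": "dave",  "source.ip": "192.0.2.40"},
    {"@timestamp": "2024-05-01T12:00:00Z", "event.action": "ssh_login", "event.outcome": "success", "user.name": "bob",   "source.ip": "192.0.2.30"},
]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamp form used in the sample events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_multi_ip_logins(events, min_distinct_ips=3, window=timedelta(hours=1)):
    """Return one alert per user whose successful SSH logins come from at
    least `min_distinct_ips` distinct source IPs within any `window`.

    Each alert is {"user", "ips", "first", "last"}; "ips" is sorted so the
    result is deterministic. This is the same condition as a threshold rule
    grouped by user.name with a cardinality condition on source.ip.
    """
    successes = sorted(
        (e for e in events
         if e.get("event.action") == "ssh_login" and e.get("event.outcome") == "success"),
        key=lambda e: parse_ts(e["@timestamp"]),
    )
    by_user = defaultdict(list)
    for e in successes:
        by_user[e["user.name"]].append((parse_ts(e["@timestamp"]), e["source.ip"]))

    alerts = []
    for user, logins in by_user.items():
        start = 0
        # Sliding window over this user's time-ordered logins: advance `start`
        # until the span [start, end] fits inside `window`, then count IPs.
        for end in range(len(logins)):
            while logins[end][0] - logins[start][0] > window:
                start += 1
            ips = {ip for _, ip in logins[start:end + 1]}
            if len(ips) >= min_distinct_ips:
                alerts.append({"user": user, "ips": sorted(ips),
                               "first": logins[start][0], "last": logins[end][0]})
                break  # one alert per user per evaluation is enough
    return alerts


def threshold_rule_params(min_distinct_ips=3):
    """The equivalent Threshold rule settings, as a dict in the shape the
    Detection Engine API uses for threshold rules: group by user.name, at
    least one event per group, and a cardinality condition requiring
    `min_distinct_ips` unique source.ip values. The query string is an
    assumption that must match the reader's own indexed fields.
    """
    return {
        "type": "threshold",
        "query": 'event.action:"ssh_login" and event.outcome:"success"',
        "threshold": {
            "field": ["user.name"],
            "value": 1,
            "cardinality": [{"field": "source.ip", "value": min_distinct_ips}],
        },
    }


if __name__ == "__main__":
    for alert in detect_multi_ip_logins(SAMPLE_EVENTS):
        print(f"{alert['user']}: {len(alert['ips'])} IPs {alert['ips']} "
              f"between {alert['first']} and {alert['last']}")
```

The rule's "Threshold" (event count) stays at 1 because the count of events is not the signal here; the unique count of `source.ip` per `user.name` is. Widen the rule's look-back window in the rule schedule to match the time span over which logins from different IPs should be considered related, otherwise slow-moving activity like the `bob` case above is never seen in one evaluation.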