I have a use case which I am not yet sure can be fulfilled by Elastic SIEM. I have created some different behavioral rules to detect ransomware activities, such as the deletion of restore of files and mass editing of files, etc., and they work. Now what we want to do is combine these multiple behavioral detection rules to create a single rule saying that a ransomware attack has taken place.
Multiple other SIEM vendors do this, where they combine multiple rules to alert on one general attack.
One way that has worked for me is to use a threshold rule to tie them together. The index would be .siem-signals-default-* (if left at default).
If you create your other rules with a name prefix such as "possible ransomware -", then in the threshold rule the query would be: signal.rule.name : possible ransomware*
Then filter on host.name. Set the threshold to, say, >=2 if you want the rule to trigger if more than 2 of your sub rules have triggered on a host.
Hope that helps
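
What the threshold correlation in the reply above evaluates, as an added Python sketch that is not part of the original posts or Elastic's code: matching signals are grouped by host.name and counted, which means one noisy sub-rule firing twice on a host satisfies >=2 on its own. The second function, which goes beyond the reply, counts distinct sub-rule names instead; the sample signals, host names, rule-name suffixes and function names are constructed, the wildcard is modelled as a glob on the rule name, and all signals are assumed to fall in one rule interval.

```python
from collections import defaultdict
from fnmatch import fnmatchcase

# Constructed sample signals (flattened fields), not real alert data.
SIGNALS = [
    {"host.name": "ws-01", "signal.rule.name": "possible ransomware - restore deletion"},
    {"host.name": "ws-01", "signal.rule.name": "possible ransomware - mass file edit"},
    {"host.name": "ws-02", "signal.rule.name": "possible ransomware - mass file edit"},
    {"host.name": "ws-02", "signal.rule.name": "possible ransomware - mass file edit"},
    {"host.name": "ws-03", "signal.rule.name": "possible ransomware - mass file edit"},
    {"host.name": "ws-03", "signal.rule.name": "suspicious login"},
]

PATTERN = "possible ransomware*"  # rule-name prefix from the reply
THRESHOLD = 2                     # ">=2" from the reply


def hosts_by_signal_count(signals, pattern=PATTERN, threshold=THRESHOLD):
    """Threshold as described: number of matching signals per host."""
    counts = defaultdict(int)
    for sig in signals:
        if fnmatchcase(sig["signal.rule.name"], pattern):
            counts[sig["host.name"]] += 1
    return sorted(h for h, n in counts.items() if n >= threshold)


def hosts_by_distinct_rules(signals, pattern=PATTERN, threshold=THRESHOLD):
    """Stricter variant: number of different matching sub-rules per host."""
    rules = defaultdict(set)
    for sig in signals:
        name = sig["signal.rule.name"]
        if fnmatchcase(name, pattern):
            rules[sig["host.name"]].add(name)
    return sorted(h for h, names in rules.items() if len(names) >= threshold)


def noisy_only_hosts(signals):
    """Hosts that trip the plain count but only through one repeated sub-rule."""
    return sorted(set(hosts_by_signal_count(signals))
                  - set(hosts_by_distinct_rules(signals)))


if __name__ == "__main__":
    print("signal count   :", hosts_by_signal_count(SIGNALS))
    print("distinct rules :", hosts_by_distinct_rules(SIGNALS))
    print("noisy only     :", noisy_only_hosts(SIGNALS))
```
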