Implement Sigma Correlation rules #1275

Open
pr3l14t0r opened this issue Aug 28, 2024 · 2 comments
Labels
enhancement New feature or request

Comments

@pr3l14t0r

Is your feature request related to a problem?
I can't come up with a nice and easy way to build aggregated alerts within the security-analytics plugin. I am talking about alerts like Multiple failed logins for user XY or alike.
I know there are Correlation Rules but they do not refer to detection rules as base, but rather use own queries to correlate findings between sources.
Why is that? I would like to say: "If detection rule X has followed on detection rule Y in a timespan of 10min and field username is same, create a more severe alert".

Sigma has the possibility of writing Correlations, directly in yaml, which would be super nice to have in the security-analytics plugin. They call this "Meta Rules". This would be super handy for the security-analytics plugin.

What solution would you like?
I would like to be able to use Correlations as defined by Sigma within the syntax/yaml structure of a detection rule. This would allow me to have rules and aggregations in the same place (see additional context for more information).

What alternatives have you considered?
An obvious alternative would be to use the good old Alerting plugin directly, to achieve this kind of aggregated/correlated alerts. But this would require using another syntax (json) in another place (alerting) to achieve a functionality that I would expect in the SIEM itself, referring to the security analytics plugin.

Do you have any additional context?
A detection rule with correlation according to Sigma could look like the following, where a failed logon from Google Workspace is taken as an example. Both yaml declarations for the detection rule and the correlation rule are located in the same file, separated by ---:

id: 25b9c01c-350d-4b95-bed1-836d04a4f324
logsource:
  product: gworkspace
title: Google Workspace Login failed
description: >-
  A user attempted to log in to a Google workspace account without success.
  Check the event parameters login_failure_type and login_challenge_method for
  more information.
tags: []
falsepositives:
  - A user has entered a wrong password.
level: high
status: test
references:
  - >-
    https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login#login_failure
author: pr3l14t0r
detection:
  condition: Selection_1
  Selection_1:
    event.name|contains:
      - login_failure
---
title: Multiple failed logons for a single user (possible brute force attack)
status: test
correlation: 
    type: event_count
    rules:
        - 25b9c01c-350d-4b95-bed1-836d04a4f324
    group-by:
        - event.name
    timespan: 15m
    condition:
        gte: 3
tags:
    - brute_force
    - attack.t1110

Outro

Maybe there's already a solution for my question, yet I did not find something in the documentation of security-analytics. If there's something and I am just too stupid to see or find it, please guide me in the right direction! :)
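The event_count correlation sketched above, worked through as an added example (not code from this issue or from the security-analytics plugin): the two YAML documents are transcribed as Python dicts, the detection rule is evaluated against constructed login events, and the group-by / timespan / gte logic is applied as a sliding window. The `actor.email` field and the sample events are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Rules from the issue transcribed as dicts (no PyYAML needed); only evaluated fields kept.
DETECTION_RULE = {
    "id": "25b9c01c-350d-4b95-bed1-836d04a4f324",
    "detection": {"condition": "Selection_1",
                  "Selection_1": {"event.name|contains": ["login_failure"]}}}
CORRELATION_RULE = {"correlation": {
    "type": "event_count", "rules": ["25b9c01c-350d-4b95-bed1-836d04a4f324"],
    "group-by": ["event.name"], "timespan": "15m", "condition": {"gte": 3}}}

def matches(rule, event):
    """Evaluate the single-selection 'field|contains' detection used above."""
    det = rule["detection"]
    for key, needles in det[det["condition"]].items():
        field, modifier = key.split("|", 1)
        value = str(event.get(field, ""))
        if modifier == "contains" and not any(n in value for n in needles):
            return False
    return True

def parse_timespan(span):  # Sigma shorthand such as '15m' -> timedelta
    return timedelta(seconds=int(span[:-1]) * {"s": 1, "m": 60, "h": 3600, "d": 86400}[span[-1]])

def correlate(det_rule, corr_rule, events):
    """event_count correlation: group det_rule matches by the group-by fields and
    fire when a sliding `timespan` window holds >= gte of them. Returns (key, count, ts)."""
    c = corr_rule["correlation"]
    window, threshold = parse_timespan(c["timespan"]), c["condition"]["gte"]
    buckets = defaultdict(list)
    for e in sorted(events, key=lambda e: e["@timestamp"]):
        if det_rule["id"] in c["rules"] and matches(det_rule, e):
            buckets[tuple(e.get(g) for g in c["group-by"])].append(e["@timestamp"])
    alerts = []
    for key, times in buckets.items():
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # drop matches that fell out of the window
                start += 1
            if end - start + 1 >= threshold:
                alerts.append((key, end - start + 1, t))
                break  # one alert per group; a real engine would also dedupe per window
    return alerts

# Constructed sample events (not real data): alice fails 3 times in 15 min then succeeds; bob fails once at +30 min.
def ev(minute, name, user):
    return {"@timestamp": datetime(2024, 8, 28, 10, minute), "event.name": name, "actor.email": user}
EVENTS = [ev(0, "login_failure", "alice"), ev(5, "login_failure", "alice"), ev(12, "login_failure", "alice"),
          ev(13, "login_success", "alice"), ev(30, "login_failure", "bob")]
```

Grouping by `event.name` as the rule does pools every user's failures into one counter; passing `actor.email` as the group-by field instead yields the per-user alert the rule's title describes.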

@pr3l14t0r pr3l14t0r added enhancement New feature or request untriaged labels Aug 28, 2024
@dblock dblock removed the untriaged label Sep 16, 2024
@dblock
Member

dblock commented Sep 16, 2024

[Catch All Triage - 1, 2, 3, 4, 5]

@agoerl

agoerl commented Sep 18, 2024

I second that motion!
