Replies: 1 comment
-
What you're looking for are correlation rules. You can check out the spec to learn how to express them: https://github.com/SigmaHQ/sigma-specification/blob/main/specification/sigma-correlation-rules-specification.md and read this blog: https://blog.sigmahq.io/introducing-sigma-correlations-52fe377f2527
-
We are exploring a use case to achieve threat detections based on machine learning, say using an anomaly detection algorithm. An example use case:
```yaml
title: Anomaly in failed or successful logons
id:
description: Detects significant increase in failed logins or successful logins within a certain amount of time
name: multiple_failed_successful_login
correlation:
    type: event_count
    rules:
        - failed_login
        - success_login
    group-by:
        - User
    timespan: 10m
    condition: anomaly
```
Is there a way to specify such Sigma rules?
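To illustrate what an `event_count` correlation like the one in the question actually evaluates, here is an added Python sketch (not from the discussion, the Sigma project, or any backend) that counts matching events per `User` inside the `timespan` and compares the count against a numeric condition; a concrete `gte: 5` threshold is assumed in place of `anomaly`, since the correlation conditions the spec defines are comparisons, and the group-by is simplified to the single `User` field. The sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login events: (timestamp, name of the matching Sigma rule, User).
SAMPLE_EVENTS = [
    ("2024-01-01T10:00:05", "failed_login", "alice"),
    ("2024-01-01T10:01:10", "failed_login", "alice"),
    ("2024-01-01T10:02:30", "failed_login", "alice"),
    ("2024-01-01T10:03:00", "failed_login", "alice"),
    ("2024-01-01T10:03:40", "success_login", "alice"),
    ("2024-01-01T10:05:00", "failed_login", "bob"),
    ("2024-01-01T10:40:00", "failed_login", "bob"),
    ("2024-01-01T10:41:00", "failed_login", "bob"),
]

# The question's correlation block with an assumed numeric threshold instead of "anomaly".
CORRELATION = {
    "type": "event_count",
    "rules": ["failed_login", "success_login"],
    "group-by": ["User"],
    "timespan": "10m",
    "condition": {"gte": 5},
}

COMPARE = {"gt": lambda a, b: a > b, "gte": lambda a, b: a >= b,
           "lt": lambda a, b: a < b, "lte": lambda a, b: a <= b, "eq": lambda a, b: a == b}

def parse_timespan(text):
    """Turn a Sigma timespan such as '10m' into a timedelta (s, m, h, d suffixes)."""
    units = {"s": 1, "m": 60, "h": 3600, "d": 86400}
    return timedelta(seconds=int(text[:-1]) * units[text[-1]])

def evaluate_event_count(events, correlation):
    """Sliding-window count per User; returns one (user, window start, count) hit per
    group whose count satisfies the condition. Real backends may window differently."""
    window = parse_timespan(correlation["timespan"])
    op, threshold = next(iter(correlation["condition"].items()))
    per_group = defaultdict(list)
    for ts, rule_name, user in events:
        if rule_name in correlation["rules"]:  # only events of the referenced rules count
            per_group[user].append(datetime.fromisoformat(ts))
    hits = []
    for user, times in per_group.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # drop events that fell out of the window
                start += 1
            if COMPARE[op](end - start + 1, threshold):
                hits.append((user, times[start], end - start + 1))
                break  # one alert per group, like a single correlation match
    return hits
```

Running `evaluate_event_count(SAMPLE_EVENTS, CORRELATION)` flags only alice, whose five logon events fall inside one 10-minute window, while bob's three events are spread over more than 10 minutes.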