Getting to Know Chronicle: Building a Multi Event Rule - Multiple Joins and Counts in Conditions

In this post, we're going to build a multi event rule in Chronicle SIEM with a focus on joining multiple fields and triggering our rule based on both the existence of one event and a threshold for a separate set of events being exceeded.


In previous multi-event rule videos, we discussed joining a single field in each event. But what if we want our rule to be stricter? For example, the event happening on the same system may not be enough on its own; it needs to be performed on the same system by the same user to merit detection.

Additionally, we want our rule to trigger only when the criteria are met more than a specific threshold. Previously, we triggered our detection on the presence of a single event meeting our criteria, but now we want to detect when events meeting those criteria are seen n times.

While we've already used a count in the condition when aggregating events in a rule, now we will broaden this concept by combining the existence of one event variable with a threshold being exceeded by a different set of events.

Follow along in the video below to see in action how to use multiple joins and counts in conditions with a multi event rule.

Remember that every event variable declared in the events section must be represented in the condition section. Each can be represented in one of three ways: $event_variable (the event must exist), #event_variable > n (the number of matching events must exceed n), or #placeholder_variable > n (the number of distinct values of that placeholder variable must exceed n for the rule to trigger).
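The rule below is an added illustration, not the rule built in the video, of the pattern described above: two events joined on both the host and the user, with the condition requiring the first event to exist and the second to exceed a count. The UDM fields, window and thresholds are assumptions chosen for the example.

```yaral
rule multi_join_with_count_condition {
  meta:
    author = "example"
    description = "Interactive login followed by more than five process launches by the same user on the same host"
    severity = "Medium"

  events:
    // First event: a login. Two placeholders join it to the second event,
    // so it is not enough for the activity to be on the same host; it must
    // also be the same user.
    $login.metadata.event_type = "USER_LOGIN"
    $login.principal.hostname = $hostname
    $login.target.user.userid = $user

    // Second event: process launches on that host by that user.
    // $path captures each launched binary so it can be counted distinctly.
    $proc.metadata.event_type = "PROCESS_LAUNCH"
    $proc.principal.hostname = $hostname
    $proc.principal.user.userid = $user
    $proc.target.process.file.full_path = $path

  match:
    // Group matching events by the joined placeholders within the window.
    $hostname, $user over 1h

  condition:
    // Both event variables must be represented:
    //   $login      -> at least one login event exists
    //   #proc > 5   -> more than five process launch events were seen
    //   #path > 2   -> those launches covered more than two distinct binaries
    $login and #proc > 5 and #path > 2
}
```

Tune the window and the two thresholds to your environment's baseline before enabling the rule for alerting.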


Check out these additional resources with more information and learning opportunities:

Last update: 12-14-2023 11:14 AM