Hello @a2123k1,
You should be able to accomplish this relatively simply, just using the xdr_login_events preset. You can adjust the final login_count filter to whatever number of total events is rare enough for your user.

Just keep in mind that our OOTB analytics will do all this and more, with no extra work (you just need the ITDR license). Any user logging into a host for the first time and doing anything on that host will generate alerts on that activity, far more effectively than a manual correlation rule.
config timeframe = 30d
| preset = xdr_login_events
| filter action_user_status = ACTION_LOGIN and outcome = "SUCCESS" and dst_is_machine_account = "false" and action_local_ip not in ("", "::1", "127.0.0.1")
| alter identity = login_data_dst_normalized_user -> identity, domain = login_data_dst_normalized_user -> domain
| fields identity, domain, agent_hostname as dest_host, action_local_ip as source_ip, action*, actor*, *dst*, src*
| comp count() as login_count by identity, domain, dest_host, source_ip addrawdata = true as rawdata
| filter login_count = 1
If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution". Thank you.
Ashutosh Patil
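The same correlation, re-implemented in Python over constructed sample login records so the stage-by-stage logic of the XQL above can be checked offline. This is an added example, not Cortex XDR code or the answer author's; the dict field names follow the XQL, the record shapes and values are constructed, and `max_count` generalises the final `login_count = 1` filter to the adjustable threshold the answer mentions.

```python
from collections import Counter

# Mirrors the action_local_ip exclusion list in the XQL filter stage.
EXCLUDED_LOCAL_IPS = {"", "::1", "127.0.0.1"}


def first_logins(events, max_count=1):
    """Re-implementation of the XQL pipeline: keep successful, non-machine-account
    logins with a real local IP, pull identity/domain out of the normalised-user
    JSON, count per (identity, domain, dest_host, source_ip) and return the groups
    seen at most max_count times in the window (the XQL uses login_count = 1)."""
    counts = Counter()
    for ev in events:
        if ev["action_user_status"] != "ACTION_LOGIN" or ev["outcome"] != "SUCCESS":
            continue
        if ev["dst_is_machine_account"] != "false":
            continue
        if ev["action_local_ip"] in EXCLUDED_LOCAL_IPS:
            continue
        # Equivalent of: alter identity = login_data_dst_normalized_user -> identity, ...
        user = ev["login_data_dst_normalized_user"]
        key = (user["identity"], user["domain"], ev["agent_hostname"], ev["action_local_ip"])
        counts[key] += 1
    return {key for key, n in counts.items() if n <= max_count}


def _event(identity, domain, host, ip, outcome="SUCCESS", machine="false"):
    # Helper building a constructed sample record with the XQL field names (assumed shape).
    return {
        "action_user_status": "ACTION_LOGIN",
        "outcome": outcome,
        "dst_is_machine_account": machine,
        "action_local_ip": ip,
        "agent_hostname": host,
        "login_data_dst_normalized_user": {"identity": identity, "domain": domain},
    }


# Constructed sample: alice logs into WS01 routinely and into FS01 once.
SAMPLE_EVENTS = (
    [_event("alice", "CORP", "WS01", "10.0.0.5")] * 3
    + [_event("alice", "CORP", "FS01", "10.0.0.5")]
    + [_event("bob", "CORP", "WS02", "127.0.0.1")]                          # loopback, excluded
    + [_event("svc-backup$", "CORP", "DC01", "10.0.0.9", machine="true")]   # machine account, excluded
    + [_event("carol", "CORP", "WS03", "10.0.0.7", outcome="FAILURE")]      # failed login, excluded
)

if __name__ == "__main__":
    for identity, domain, host, ip in sorted(first_logins(SAMPLE_EVENTS)):
        print(f"first login: {domain}\\{identity} on {host} from {ip}")
```

Because the count is taken only inside the 30d window, a long-established user who happened to log into a host just once in the last 30 days is flagged too; a longer lookback or a separate baseline of known identity/host pairs reduces that noise.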