Describe the feature
The correlation rule form allows users to define conditions to detect complex patterns of events. To enhance rule precision and event management, two new fields will be added to the rule schema and UI.
New Fields
AfterEvents ([]SearchRequest):
A list of additional conditions that must occur after the main event. Each condition can have its own index pattern, expression list, optional OR blocks, time window (within), and occurrence count. This enables modeling of sequences or follow-up actions.
DeduplicatedBy ([]string):
A list of fields used to deduplicate correlated events, such as "source_ip" or "hostname". This helps avoid generating multiple incidents for the same root pattern.
Use Case
Adding support for afterEvents and deduplicatedBy enables more accurate and flexible correlation rules by:
Allowing the definition of multi-step attack sequences through post-event conditions.
Reducing alert noise by deduplicating events based on custom criteria, improving detection quality and operational efficiency.
Proposed Solution
No response
Other Information
No response
Acknowledgements
I may be able to implement this feature request
This feature might incur a breaking change
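A sketch of how an engine could evaluate the two proposed fields, as an added example that is not code from the issue or from the project: a Go rule with a main condition, ordered AfterEvents that each carry their own within window and occurrence count, and DeduplicatedBy fields, run over constructed login events. The type and field names (Event, Condition, Rule, Field/Value, Within, Count, Evaluate) are assumptions made here; a SearchRequest's index pattern, expression list and OR blocks are reduced to a single field equality, and follow-up events are tied to the main event by requiring equal DeduplicatedBy values, which the issue does not specify.

```go
package main

import (
	"strings"
	"time"
)

// Event is a constructed flat log record: a timestamp plus string fields.
type Event struct {
	Time   time.Time
	Fields map[string]string
}

// Condition stands in for the issue's SearchRequest (names are assumptions; expressions reduced to one equality).
type Condition struct {
	Field, Value string        // e.Fields[Field] must equal Value
	Within       time.Duration // window measured from the main (anchor) event
	Count        int           // minimum matching events inside that window
}

type Rule struct {
	Main           Condition
	AfterEvents    []Condition
	DeduplicatedBy []string // follow-ups must also agree with the anchor on these fields (assumption)
}

// dedupKey joins the DeduplicatedBy values, e.g. "source_ip=10.0.0.5|user=alice".
func dedupKey(r Rule, e Event) string {
	var parts []string
	for _, f := range r.DeduplicatedBy {
		parts = append(parts, f+"="+e.Fields[f])
	}
	return strings.Join(parts, "|")
}

// afterEventsSatisfied walks AfterEvents in order: each step needs Count events that match it, share the
// anchor's dedup key, come after the previous step's last event, and lie within that step's Within of the anchor.
func afterEventsSatisfied(r Rule, anchor Event, later []Event) bool {
	key, cursor := dedupKey(r, anchor), anchor.Time
	for _, c := range r.AfterEvents {
		n := 0
		for _, e := range later {
			if !e.Time.After(cursor) || e.Time.Sub(anchor.Time) > c.Within || dedupKey(r, e) != key || e.Fields[c.Field] != c.Value {
				continue
			}
			if n, cursor = n+1, e.Time; n >= c.Count {
				break
			}
		}
		if n < c.Count {
			return false
		}
	}
	return true
}

// Evaluate runs the rule over time-ordered events (as search results normally are) and returns one incident
// per distinct dedup key; with no DeduplicatedBy every full match becomes its own incident.
func Evaluate(r Rule, events []Event) (incidents []string) {
	seen := map[string]bool{}
	for i, anchor := range events {
		if anchor.Fields[r.Main.Field] != r.Main.Value || !afterEventsSatisfied(r, anchor, events[i+1:]) {
			continue
		}
		key := dedupKey(r, anchor)
		if len(r.DeduplicatedBy) > 0 && seen[key] {
			continue // same root pattern already raised an incident
		}
		seen[key] = true
		incidents = append(incidents, key)
	}
	return incidents
}

// SampleEvents is constructed data: a guessing burst against alice from one IP that ends in a success,
// plus a lone failure for bob that must not count toward alice's sequence.
func SampleEvents() []Event {
	t0 := time.Date(2024, 1, 1, 12, 0, 0, 0, time.UTC)
	ev := func(d time.Duration, ip, user, action string) Event {
		return Event{Time: t0.Add(d), Fields: map[string]string{"source_ip": ip, "user": user, "event.action": action}}
	}
	return []Event{
		ev(0, "10.0.0.5", "alice", "login_failed"),
		ev(5*time.Second, "10.0.0.9", "bob", "login_failed"),
		ev(10*time.Second, "10.0.0.5", "alice", "login_failed"),
		ev(20*time.Second, "10.0.0.5", "alice", "login_failed"),
		ev(30*time.Second, "10.0.0.5", "alice", "login_failed"),
		ev(90*time.Second, "10.0.0.5", "alice", "login_success"),
	}
}

// BruteForceRule: a failed login, two more failures within a minute, then a success within five minutes.
func BruteForceRule() Rule {
	return Rule{
		Main: Condition{Field: "event.action", Value: "login_failed"},
		AfterEvents: []Condition{
			{Field: "event.action", Value: "login_failed", Within: time.Minute, Count: 2},
			{Field: "event.action", Value: "login_success", Within: 5 * time.Minute, Count: 1},
		},
		DeduplicatedBy: []string{"source_ip", "user"},
	}
}
```

Running `Evaluate(BruteForceRule(), SampleEvents())` yields a single incident keyed `source_ip=10.0.0.5|user=alice`, although two anchor events (the failures at 0s and 10s) each complete the full sequence; clearing DeduplicatedBy turns that into three incidents, because the deduplication and the anchor-to-follow-up linking both disappear and bob's failure then counts toward alice's burst. Two caveats for a real implementation: linking follow-ups to the main event is a separate concern from deduplicating incidents and probably deserves its own field, and deduplication should be bounded in time so that the same source and user hitting the pattern a day later still raises a new incident.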