How would one go about creating a rule that alerts if a user account is created, then deleted before a certain amount of time has passed (e.g. 24 hours)?
It would probably look like:
NewDomainMember EXISTS
AND DeleteDomainMember EXISTS
AND NewDomainMember.DestinationAccount = DeleteDomainMember.DestinationAccount
within time/response window 24 hours
(The first two lines with the EXISTS are redundant to the third but help you see what's going on.)
The downside of this is you expand your global response window to whatever that period is (24 hours), which means your appliance might hold onto more data longer in memory. To test it I'd set the time period short and see how it works.
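The correlation sketched in the answer above, written out as an added Python example that is not part of the original thread or any product's rule engine. The event and field names come from the rule sketch; the sample events, the `correlate` function and the case-insensitive account match are assumptions made for illustration. It also returns the peak number of pending creations, which is the state the response window forces the engine to hold.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real log data): (time, event name, DestinationAccount)
SAMPLE_EVENTS = [
    ("2024-01-01T09:00:00", "NewDomainMember", "tmp-svc"),
    ("2024-01-01T09:30:00", "NewDomainMember", "jdoe"),
    ("2024-01-01T17:45:00", "DeleteDomainMember", "TMP-SVC"),  # 8h45m after creation
    ("2024-01-02T08:00:00", "DeleteDomainMember", "olduser"),  # creation never seen
    ("2024-01-03T10:00:00", "DeleteDomainMember", "jdoe"),     # 48h30m after creation
]

def correlate(events, window=timedelta(hours=24)):
    """Correlate create/delete events that are sorted by time.

    Returns (alerts, peak_pending). Each alert is (account, created, deleted)
    for an account deleted within `window` of its creation. peak_pending is
    the largest number of creations held in memory at any one time.
    """
    pending = {}  # account -> creation time still inside the window
    alerts = []
    peak = 0
    for ts, name, account in events:
        now = datetime.fromisoformat(ts)
        account = account.casefold()  # assumption: account names match case-insensitively
        # Drop creations that have aged out of the window; a longer window
        # means entries survive longer here, which is the memory cost.
        for stale in [a for a, t in pending.items() if now - t > window]:
            del pending[stale]
        if name == "NewDomainMember":
            pending[account] = now
            peak = max(peak, len(pending))
        elif name == "DeleteDomainMember" and account in pending:
            alerts.append((account, pending.pop(account), now))
    return alerts, peak

if __name__ == "__main__":
    alerts, peak = correlate(SAMPLE_EVENTS)
    for account, created, deleted in alerts:
        print(f"ALERT {account}: created {created}, deleted after {deleted - created}")
    print(f"peak pending creations held: {peak}")
```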