Hey folks, trying to implement some sort of risk-based alerting in Chronicle. I know that Chronicle has risk_score in the outcome section, but it doesn't allow me to tie in multiple events.
For example -
Day 1 - user A is going to leave the organisation - risk_score = 5
Day 7 - user A downloads a bunch of files to his personal email - risk_score = 10
Day 10 - user B clones 10 repos - risk_score = 10
These are individual detection events.
Now tie all this together and say if the user has crossed a particular threshold, then alert on it. For example - the above user A has exceeded the risk threshold of 13 in the last 10 days, so needs to be investigated, and not user B because that might be just part of work. And maybe show an activity timeline of all the events as well.
Any thoughts on this will be greatly appreciated (PS - we use Siemplify too - so if it can be done on a combination would welcome that too)
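One way to get the roll-up the post describes is to keep the per-rule risk_score in Chronicle and do the per-user sliding-window sum downstream, for example in a SOAR playbook that consumes the detections. The following is an added example (not the poster's code and not a Chronicle or Siemplify API): it takes constructed detection records shaped like the three in the post, sums each user's scores over a 10-day window, alerts where the sum exceeds 13, and renders the contributing events as a timeline.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed detection records mirroring the post's scenario (not real telemetry).
# Each tuple: (user, day the detection fired, rule name, that rule's outcome risk_score).
EVENTS = [
    ("userA", date(2024, 1, 1), "resignation_notice", 5),
    ("userA", date(2024, 1, 7), "bulk_download_to_personal_email", 10),
    ("userB", date(2024, 1, 10), "cloned_10_repos", 10),
]

WINDOW = timedelta(days=10)   # "in the last 10 days"
THRESHOLD = 13                # alert only when the summed score exceeds this


def aggregate_risk(events, window=WINDOW, threshold=THRESHOLD):
    """Sum each user's per-detection risk_score over a sliding window.

    Returns {user: (peak_total, timeline)} for every user whose summed score
    exceeds the threshold inside some window. The timeline is the ordered list
    of detections that made up the highest-scoring window, so an analyst can see
    which events added up rather than just the number.
    """
    by_user = defaultdict(list)
    for user, day, rule, score in events:
        by_user[user].append((day, rule, score))

    alerts = {}
    for user, items in by_user.items():
        items.sort()  # chronological; input order is not assumed
        best_total, best_window = 0, []
        # Treat each detection as the end of a window and sum everything in it.
        for end_idx, (end_day, _, _) in enumerate(items):
            in_window = [e for e in items[: end_idx + 1] if end_day - e[0] <= window]
            total = sum(score for _, _, score in in_window)
            if total > best_total:
                best_total, best_window = total, in_window
        if best_total > threshold:
            alerts[user] = (best_total, best_window)
    return alerts


def format_timeline(alerts):
    """Render each alerted user's contributing detections, one line per event."""
    lines = []
    for user, (total, timeline) in sorted(alerts.items()):
        lines.append(f"{user}: risk {total} exceeds threshold")
        for day, rule, score in timeline:
            lines.append(f"  {day.isoformat()}  +{score:<3} {rule}")
    return lines


if __name__ == "__main__":
    print("\n".join(format_timeline(aggregate_risk(EVENTS))))
```

With the sample records only userA crosses 13 (5 + 10 = 15 within 6 days), while userB's single 10-point detection stays below the threshold, which is exactly the separation the post asks for.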