You might try something like this:
- Insert the destination user into a watchlist with a timeout equal to your period of interest.
- Update the list on each malware event to refresh the timer.
- Create a correlation rule that fires if the user is in the list and the time since the last event is greater than, say, 30 minutes...and I'm not sure how this bit would be done without trying it.
You need to put a delay in before triggering the correlation rule to take into account the fact that many events come in short bursts triggered by a single user action.
Thanks for your response, Andrew. I will be looking into your recommendation and creating a test rule.
So far I managed to get the rule to trigger with the attached configuration, monitoring the destination field.
The objective of this rule is to monitor repeat offenders and trend the data based on BU etc.
I will still dig around more. If anyone has something similar working please share the information.
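The following is an added example, not a rule configuration posted by either participant. It models Andrew's watchlist-plus-quiet-period approach in plain Python so the timing logic can be seen end to end, and then rolls the resulting alerts up per business unit for the trending the original poster asked about. The event field names (`ts`, `dest_user`, `bu`, `name`), the 30-minute quiet gap, the 7-day period of interest and the sample events are all assumptions constructed for the demonstration.

```python
"""Burst-aware malware correlation over a per-user watchlist.

Added example, not the forum's own rule configuration. It models the approach
described in the thread: a watchlist entry with a timeout equal to the period
of interest, refreshed on every event, and a correlation that fires only after
the user's events have gone quiet for QUIET_GAP, so one user action that
produces a burst of events yields one alert. Field names (ts, dest_user, bu,
name) are assumptions standing in for whatever the SIEM calls them.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

QUIET_GAP = timedelta(minutes=30)   # delay before the rule fires: lets one action's burst finish
WATCH_TIMEOUT = timedelta(days=7)   # period of interest: how long a user stays on the watchlist


@dataclass
class WatchEntry:
    bu: str
    last_seen: datetime                     # refreshed on every event; drives both timeouts
    burst_start: Optional[datetime] = None  # None when no burst is currently open
    burst_events: int = 0
    bursts_fired: int = 0                   # bursts already alerted on within the watch period


@dataclass
class Alert:
    user: str
    bu: str
    burst_start: datetime
    burst_end: datetime
    event_count: int
    burst_number: int                       # 1 = first burst in the period, 2+ = repeat offender


def correlate(events, end_time, quiet_gap=QUIET_GAP, watch_timeout=WATCH_TIMEOUT):
    """events: iterable of dicts with keys ts/dest_user/bu/name, sorted by ts.
    Returns one Alert per burst that had gone quiet by end_time."""
    watchlist = {}   # dest_user -> WatchEntry
    alerts = []

    def tick(now):
        # 1. fire the correlation for every burst that has been quiet long enough
        for user, e in watchlist.items():
            if e.burst_start is not None and now - e.last_seen > quiet_gap:
                e.bursts_fired += 1
                alerts.append(Alert(user, e.bu, e.burst_start, e.last_seen,
                                    e.burst_events, e.bursts_fired))
                e.burst_start, e.burst_events = None, 0
        # 2. drop users not seen within the period of interest (their history resets)
        for user in [u for u, e in watchlist.items() if now - e.last_seen > watch_timeout]:
            del watchlist[user]

    for ev in events:
        now = ev["ts"]
        tick(now)
        e = watchlist.get(ev["dest_user"])
        if e is None:
            e = watchlist[ev["dest_user"]] = WatchEntry(bu=ev["bu"], last_seen=now)
        if e.burst_start is None:
            e.burst_start = now          # new burst (a repeat if the user is still listed)
        e.burst_events += 1
        e.last_seen = now                # refresh the timer on every event
    tick(end_time)                       # flush bursts that went quiet before end_time
    return alerts


def trend_by_bu(alerts):
    """Summarise alerts per business unit: burst count, distinct users, repeat offenders."""
    summary = {}
    for a in alerts:
        s = summary.setdefault(a.bu, {"bursts": 0, "users": set(), "repeat_offenders": set()})
        s["bursts"] += 1
        s["users"].add(a.user)
        if a.burst_number >= 2:
            s["repeat_offenders"].add(a.user)
    return {bu: {"bursts": s["bursts"], "users": len(s["users"]),
                 "repeat_offenders": sorted(s["repeat_offenders"])}
            for bu, s in summary.items()}


def T(day, hour, minute):
    return datetime(2024, 3, day, hour, minute)   # constructed timestamps


SAMPLE_EVENTS = [   # constructed anti-virus events, one per detection, sorted by time
    {"ts": T(1, 9, 0),   "dest_user": "alice", "bu": "Finance", "name": "Malware found"},
    {"ts": T(1, 9, 2),   "dest_user": "alice", "bu": "Finance", "name": "Malware found"},
    {"ts": T(1, 9, 5),   "dest_user": "alice", "bu": "Finance", "name": "Malware found"},
    {"ts": T(1, 9, 30),  "dest_user": "carol", "bu": "Finance", "name": "Malware found"},
    {"ts": T(1, 10, 0),  "dest_user": "bob",   "bu": "Sales",   "name": "Malware found"},
    {"ts": T(1, 14, 0),  "dest_user": "alice", "bu": "Finance", "name": "Malware found"},
    {"ts": T(1, 14, 1),  "dest_user": "alice", "bu": "Finance", "name": "Malware found"},
    {"ts": T(10, 9, 30), "dest_user": "carol", "bu": "Finance", "name": "Malware found"},
]

if __name__ == "__main__":
    found = correlate(SAMPLE_EVENTS, end_time=T(10, 12, 0))
    for a in found:
        print(f"{a.user:6} {a.bu:8} burst #{a.burst_number} "
              f"{a.burst_start:%m-%d %H:%M}..{a.burst_end:%H:%M} ({a.event_count} events)")
    print(trend_by_bu(found))
```

With the sample data alice's three morning events collapse into one alert, her afternoon pair becomes burst #2 and marks her as a repeat offender, while carol's second detection nine days later arrives after her watchlist entry has expired and so counts as a first burst again. The tick runs only when an event arrives or at `end_time`; a real SIEM would fire on its own timer, so a user whose last event is followed by no traffic at all still needs the final flush.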