I have a question about directive-event, based on your previous conversation related to cross-correlation.
How can I do correlation based on directive-event?
For example, I have a rule that detects a brute-force attack, and now I need to write a rule to detect user creation after a brute-force attack on a server. So I'm going to write this rule. At the first level I've added plugin-id 1505 (directive-event) with plugin-sid 500024 (Windows brute-force attack), and at the second level I've used the user creation plugin-id and plugin-sid, but this rule does not work because the first level cannot match, despite the fact that I see the directive-event's log message on the SIEM console.
How can I solve this problem?