Our company is trying to take advantage of the new analytics capabilities offered by 10.4 and the live content. We are developing ESA rules to detect threats based on their category.
For example, a Windows malware category alert needs to fire only if another ESA rule has already fired (some sort of prerequisite). Is there a way to reference the "output" of a rule from within another rule, without copying all the content into a single element?
Let me know if you have already found other ways around this kind of problem.
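One way to express this kind of prerequisite chaining in Esper EPL (the language ESA advanced rules are written in), as an added example that is not from the original post: the first statement inserts a "prerequisite fired" record into a named stream, and the second statement alerts only when a matching event follows on that stream. The base stream name `Event`, the meta keys `ip_src` and `alert`, the category string, the time window and the `@RSAAlert` annotation are assumptions for illustration and should be replaced with the values used in your deployment.

```sql
-- Rule 1 (assumed ESA advanced EPL): the prerequisite detection.
-- Instead of raising an alert directly, it publishes its "output"
-- into a named stream that other rules can consume.
@Name('PrereqSuspiciousOutbound')
insert into PrereqFired
select ip_src as host, current_timestamp() as firedAt
from Event(ip_dst is not null and alert = 'suspicious outbound')  -- assumed meta/value
;

-- Rule 2 (assumed ESA advanced EPL): fires only when a windows-malware
-- category event for the same host arrives within 10 minutes after the
-- prerequisite above has already fired. The category string and the
-- window are assumptions.
@Name('WindowsMalwareAfterPrereq')
@RSAAlert
select a.host as host, b.alert as category, a.firedAt as prereqAt
from pattern [
    every a=PrereqFired
    -> b=Event(ip_src = a.host and alert = 'windows malware')
    where timer:within(10 min)
];
```

Design note: the named stream `PrereqFired` is the shared "output" of the first rule, so the second rule does not need to repeat the first rule's filter logic. Only the second statement carries the alerting annotation, so the prerequisite on its own stays silent; the time window bounds how long a prerequisite remains relevant and keeps the pattern from holding partial matches indefinitely.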