Aggregation in SO Playbooks

[spvcxsh1p]

Hello!
I am using Security Onion version 2.3.260.

I need to create a Playbook using event aggregation. Below is an example of a SIGMA rule for such a Playbook:

title: Network Scans
id: fab0ddf0-b8a9-4d70-91ce-a20547209afb
description: Detects many failed connection attempts to different ports or hosts
author: Thomas Patzke
date: 2017/02/19
logsource:
category: firewall
detection:
selection:
action: denied
timeframe: 24h
condition:
- selection | count(dst_port) by src_ip > 10
- selection | count(dst_ip) by src_ip > 10
fields:
- src_ip
- dst_ip
- dst_port
falsepositives:
- Inventarization systems
- Vulnerability scans
- Penetration testing activity
level: medium

However, in the Playbook module, under "Create New Play," when attempting to convert this Sigma rule into an SO Elasticsearch Query, I receive the following response:

"An unsupported feature is required for this Sigma rule (/tmp/tmpwln7xqw6): Aggregations not implemented for this backend
Feel free to contribute for fun and fame, this is open source :) -> https://github.com/Neo23x0/sigma "

As far as I understand, the ElastAlert module, which the SIGMA rule is supposed to convert into, does not support aggregation.
Correlation functions in SIGMA rules also appear to be unsupported in ElastAlert, as far as I can tell.

Could you please confirm if my understanding is correct? Also, is there any other way I can implement similar rule logic in SO version 2.3.260?

[InfosecGoon]

Sigma is a vendor-agnostic metalanguage designed to work on a number of different backends, not just Elasticsearch. The correlation feature that this rule uses may be supported elsewhere, but it is not supported in Elasticsearch.

Also, just so you know, the 2.3.x versions of Security Onion are EOL and are no longer being supported or updated.

[spvcxsh1p]

Hello!
I understand that the SO I use is outdated, but unfortunately, this is not my responsibility.
Are there any other options to implement the logic I described in the rule on this version of SO? Maybe it is possible to do something similar by directly writing a rule for ElastAlert?

[InfosecGoon]

Not that I'm aware of. This sort of correlation is not supported in Elasticsearch queries.