One of the computers that I'm responsible for securing has a program on it that will (sometimes) add large numbers of users and groups within a few seconds. Clearly, this creates way too many alerts. However, immediately before adding any new accounts, it always logs a specific entry to /var/log/secure (ex: user-creator[1234]: Adding new users). How would I create a rule that reduces the severity of rules 5901 (New Group) and 5902 (new user) only when they trigger within (say) 5 seconds of the entry by user-creator?
Thanks,
Greg