You could accomplish something similar using InsightConnect or your own API scripting.
You have a few trigger options.
You can trigger from a detection rule itself, but this does not allow you to write back to an investigation or alert with the details of what the automation did.
You can trigger from an Alert or you can trigger from an investigation. Both allow you to make a record within the UI of IDR to showcase what the automation results were.
Once you decide that, your next step is to create a Global Artifact.
You need to define the schema. It should be an array of objects.
Probably you will want Impacted User (Data Type String), Alert Rule 1 (Boolean), Alert Rule 2 (Boolean), Enabled (Boolean), Date.
Now when your detection/alert/investigation fires it sends the payload to InsightConnect.
Your logic roughly would look like this:
InsightConnect will look the user up in the global artifact list. Whether the user exists is question 1. If the user doesn’t exist, it will create a new entry in the Global Artifact with this user, and mark either rule 1 or rule 2 as true, also adding a date and time.
If the user does already exist, it means that either rule 1 or rule 2 is already marked as true.
Do a time comparison to see if the time it was last marked as true is within your acceptable time frame. If yes, mark the second field as true, and go to whatever it is you want it to do.
If it is out of the time frame you were thinking of, it could mark the other field as false, update the current field as true, and then add a newly updated time.
That is really rough logic, but the concept is sound, and I do have customers that employ this in their environment today.
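The lookup, time comparison and flag updates described above, written out as an added example that is not part of the original post and is not Rapid7 code. A plain Python list stands in for the Global Artifact; the field names, the one-hour window, the case-insensitive username match and the function name `correlate` are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

RULES = ("alert_rule_1", "alert_rule_2")  # assumed field names for the two Booleans


def correlate(artifact, user, rule, fired_at, window=timedelta(hours=1)):
    """Record that `rule` fired for `user` in `artifact` (a list of dicts
    standing in for the Global Artifact). Return True when both rules have
    fired for that user within `window` of each other."""
    if rule not in RULES:
        raise ValueError(f"unknown rule: {rule!r}")
    other = RULES[1 - RULES.index(rule)]
    key = user.strip().lower()  # assumption: usernames match case-insensitively
    entry = next((e for e in artifact if e["impacted_user"] == key), None)

    if entry is None:
        # Question 1: user not seen before, so create the entry and stop.
        artifact.append({"impacted_user": key, rule: True, other: False,
                         "enabled": True, "date": fired_at.isoformat()})
        return False

    # User exists: compare against the time a rule was last marked true.
    last = datetime.fromisoformat(entry["date"])
    if abs(fired_at - last) > window:
        entry[other] = False  # stale: the earlier hit no longer counts
    entry[rule] = True
    # Assumption: a repeat of the same rule refreshes the timestamp.
    entry["date"] = fired_at.isoformat()
    # Both flags true means the pair fired inside the window; the flags are
    # left set, as in the post, so the caller decides when to clear them.
    return entry[rule] and entry[other]


if __name__ == "__main__":
    # Constructed sample events: (user, rule, minutes after the first alert).
    t0 = datetime(2024, 5, 1, 10, 0, tzinfo=timezone.utc)
    events = [("jdoe", "alert_rule_1", 0), ("jdoe", "alert_rule_2", 45),
              ("asmith", "alert_rule_2", 0), ("asmith", "alert_rule_1", 120)]
    store = []
    for user, rule, minutes in events:
        hit = correlate(store, user, rule, t0 + timedelta(minutes=minutes))
        print(f"{user:7} {rule} +{minutes:>3}m -> correlated={hit}")
```

In InsightConnect the list operations map to a lookup and an update on the Global Artifact, and a `True` result is the branch where the workflow writes back to the alert or investigation.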