Multiple Alerts Involving a User
This rule uses alert data to determine when multiple different alerts involving the same user are triggered. Analysts can use this to prioritize triage and response, as these users are more likely to be compromised.
Elastic rule
```toml
[metadata]
creation_date = "2022/11/16"
maturity = "production"
updated_date = "2024/05/21"

[rule]
author = ["Elastic"]
description = """
This rule uses alert data to determine when multiple different alerts involving the same user are triggered. Analysts
can use this to prioritize triage and response, as these users are more likely to be compromised.
"""
false_positives = [
    """
    False positives can occur with Generic built-in accounts, such as Administrator, admin, etc. if they are widespread
    used in your environment. As a best practice, they shouldn't be used in day-to-day tasks, as it prevents the ability
    to quickly identify and contact the account owner to find out if an alert is a planned activity, regular business
    activity, or an upcoming incident.
    """,
]
from = "now-24h"
index = [".alerts-security.*"]
interval = "1h"
language = "kuery"
license = "Elastic License v2"
name = "Multiple Alerts Involving a User"
risk_score = 73
rule_id = "0d160033-fab7-4e72-85a3-3a9d80c8bff7"
severity = "high"
tags = ["Use Case: Threat Detection", "Rule Type: Higher-Order Rule"]
timestamp_override = "event.ingested"
type = "threshold"

query = '''
signal.rule.name:* and user.name:* and not user.id:("S-1-5-18" or "S-1-5-19" or "S-1-5-20")
'''

[rule.threshold]
field = ["user.name"]
value = 1

[[rule.threshold.cardinality]]
field = "signal.rule.rule_id"
value = 5
```
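The rule above is a threshold rule: within the 24-hour lookback it groups matching alerts by `user.name` (the `value = 1` on that field only requires at least one alert per bucket) and fires for a user whose alerts come from at least five distinct `signal.rule.rule_id` values, after excluding the well-known Windows SIDs for LocalSystem, LocalService and NetworkService. The following Python is an added example, not code from Elastic or the detection-rules repository: it evaluates that logic offline over a constructed set of alert documents, so you can see which cases fire and which do not (the same rule repeating, an excluded SID, an alert that fell out of the window), and builds an assumed Elasticsearch aggregation with the same semantics for running the check by hand. The function names (`matches_query`, `evaluate_threshold`, `es_threshold_request`), the sample alerts and the SIDs of the form `S-1-5-21-...` are all constructed here; the aggregation body is an equivalent shape, not what Kibana itself sends.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Well-known SIDs the KQL excludes: LocalSystem, LocalService, NetworkService.
EXCLUDED_USER_IDS = {"S-1-5-18", "S-1-5-19", "S-1-5-20"}
WINDOW = timedelta(hours=24)   # from = "now-24h"
MIN_DISTINCT_RULES = 5         # [[rule.threshold.cardinality]] value = 5


def matches_query(alert):
    """Offline equivalent of the rule's KQL:
    signal.rule.name:* and user.name:* and not user.id:("S-1-5-18" or "S-1-5-19" or "S-1-5-20")
    `field:*` means the field exists with a non-empty value; a missing user.id is not excluded."""
    if not alert.get("signal.rule.name") or not alert.get("user.name"):
        return False
    return alert.get("user.id") not in EXCLUDED_USER_IDS


def evaluate_threshold(alerts, now):
    """Group in-window matching alerts by user.name and count distinct signal.rule.rule_id.
    Returns {user.name: distinct_rule_count} only for users at or above the threshold."""
    cutoff = now - WINDOW
    rules_per_user = defaultdict(set)
    for alert in alerts:
        if alert["event.ingested"] < cutoff:   # timestamp_override = "event.ingested"
            continue
        if not matches_query(alert):
            continue
        rules_per_user[alert["user.name"]].add(alert["signal.rule.rule_id"])
    return {u: len(r) for u, r in rules_per_user.items() if len(r) >= MIN_DISTINCT_RULES}


def es_threshold_request():
    """Assumed Elasticsearch DSL with the same semantics, for checking the rule by hand:
    filter like the KQL, bucket by user.name, count distinct rule ids, keep buckets >= 5."""
    return {
        "size": 0,
        "query": {"bool": {
            "filter": [
                {"exists": {"field": "signal.rule.name"}},
                {"exists": {"field": "user.name"}},
                {"range": {"event.ingested": {"gte": "now-24h"}}},
            ],
            "must_not": [{"terms": {"user.id": sorted(EXCLUDED_USER_IDS)}}],
        }},
        "aggs": {"by_user": {
            "terms": {"field": "user.name", "size": 1000},
            "aggs": {
                "distinct_rules": {"cardinality": {"field": "signal.rule.rule_id"}},
                "at_threshold": {"bucket_selector": {
                    "buckets_path": {"n": "distinct_rules"},
                    "script": f"params.n >= {MIN_DISTINCT_RULES}",
                }},
            },
        }},
    }


# Constructed sample alerts (not real data). Fields use the dotted names from the rule.
NOW = datetime(2024, 5, 21, 12, 0, tzinfo=timezone.utc)


def _alert(user, uid, rule_id, hours_ago, rule_name="constructed rule"):
    return {"user.name": user, "user.id": uid, "signal.rule.name": rule_name,
            "signal.rule.rule_id": rule_id, "event.ingested": NOW - timedelta(hours=hours_ago)}


SAMPLE_ALERTS = (
    # jdoe: five distinct rules inside the window -> fires
    [_alert("jdoe", "S-1-5-21-1-1-1-1001", f"rule-{i}", 2 + i) for i in range(5)]
    # asmith: one rule fired eight times -> cardinality 1, does not fire
    + [_alert("asmith", "S-1-5-21-1-1-1-1002", "rule-0", 1) for _ in range(8)]
    # SYSTEM: five distinct rules, but user.id is an excluded SID
    + [_alert("SYSTEM", "S-1-5-18", f"rule-{i}", 1) for i in range(5)]
    # bkim: five distinct rules, but one is 30h old -> only four in the window
    + [_alert("bkim", "S-1-5-21-1-1-1-1003", f"rule-{i}", 1 if i else 30) for i in range(5)]
)


def demo():
    return evaluate_threshold(SAMPLE_ALERTS, NOW)


if __name__ == "__main__":
    print(demo())  # {'jdoe': 5}
```

Tuning note: the two knobs that change the rule's sensitivity are the lookback (`from`) and the cardinality threshold; the sample shows why lowering the threshold to catch `bkim` would also start counting the noisy shared accounts the `false_positives` text warns about, so exclusions on `user.id` or `user.name` are the cleaner lever.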
Related rules
- Multiple Alerts in Different ATT&CK Tactics on a Single Host
- Potential Buffer Overflow Attack Detected
- Unusual Discovery Signal Alert with Unusual Process Command Line
- Unusual Discovery Signal Alert with Unusual Process Executable
- AWS Credentials Searched For Inside A Container