Multiple Alerts Involving a User

This rule uses alert data to determine when multiple different alerts involving the same user are triggered. Analysts can use this to prioritize triage and response, as these users are more likely to be compromised.

Elastic rule

```toml
[metadata]
creation_date = "2022/11/16"
maturity = "production"
updated_date = "2024/05/21"

[rule]
author = ["Elastic"]
description = """
This rule uses alert data to determine when multiple different alerts involving the same user are triggered. Analysts
can use this to prioritize triage and response, as these users are more likely to be compromised.
"""
false_positives = [
    """
    False positives can occur with Generic built-in accounts, such as Administrator, admin, etc. if they are widespread
    used in your environment. As a best practice, they shouldn't be used in day-to-day tasks, as it prevents the ability
    to quickly identify and contact the account owner to find out if an alert is a planned activity, regular business
    activity, or an upcoming incident.
    """,
]
from = "now-24h"
index = [".alerts-security.*"]
interval = "1h"
language = "kuery"
license = "Elastic License v2"
name = "Multiple Alerts Involving a User"
risk_score = 73
rule_id = "0d160033-fab7-4e72-85a3-3a9d80c8bff7"
severity = "high"
tags = ["Use Case: Threat Detection", "Rule Type: Higher-Order Rule"]
timestamp_override = "event.ingested"
type = "threshold"

query = '''
signal.rule.name:* and user.name:* and not user.id:("S-1-5-18" or "S-1-5-19" or "S-1-5-20")
'''

[rule.threshold]
field = ["user.name"]
value = 1
[[rule.threshold.cardinality]]
field = "signal.rule.rule_id"
value = 5
```
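The rule above is a threshold rule: the KQL query selects alert documents that carry a rule name and a user name and are not attributed to the SYSTEM, LOCAL SERVICE or NETWORK SERVICE well-known SIDs; the threshold then groups the matches by `user.name` over the last 24 hours (bucketed on `event.ingested`) and fires only for users whose alerts span at least 5 distinct `signal.rule.rule_id` values. The following Python is an added example, not Elastic's code, that re-implements those semantics over a few constructed alert documents so the grouping and cardinality logic can be checked offline; the user names, `rule-000N` rule ids and timestamps are all made up for the demonstration.

```python
"""Offline simulation of the 'Multiple Alerts Involving a User' threshold rule.

Added example, not Elastic's implementation: it mirrors the KQL filter and the
[rule.threshold] / [[rule.threshold.cardinality]] settings from the rule file
over constructed alert documents.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Values taken from the rule definition above.
EXCLUDED_USER_IDS = {"S-1-5-18", "S-1-5-19", "S-1-5-20"}  # SYSTEM, LOCAL SERVICE, NETWORK SERVICE
LOOKBACK = timedelta(hours=24)          # from = "now-24h"
THRESHOLD_VALUE = 1                     # [rule.threshold] value = 1 (at least one matching alert)
CARDINALITY_FIELD = "signal.rule.rule_id"
CARDINALITY_VALUE = 5                   # distinct rule ids a single user must accumulate


def matches_query(alert: dict) -> bool:
    """Equivalent of: signal.rule.name:* and user.name:* and not user.id:(<excluded SIDs>)."""
    if not alert.get("signal.rule.name"):
        return False
    if not alert.get("user.name"):
        return False
    return alert.get("user.id") not in EXCLUDED_USER_IDS


def evaluate_threshold(alerts: list, now: datetime) -> dict:
    """Return {user.name: set_of_rule_ids} for every user that trips the rule."""
    window_start = now - LOOKBACK
    rules_per_user = defaultdict(set)
    hits_per_user = defaultdict(int)
    for alert in alerts:
        # timestamp_override = "event.ingested": the window is judged on ingest time.
        ingested = alert["event.ingested"]
        if ingested < window_start or ingested > now:
            continue
        if not matches_query(alert):
            continue
        user = alert["user.name"]
        hits_per_user[user] += 1
        rules_per_user[user].add(alert[CARDINALITY_FIELD])
    return {
        user: rule_ids
        for user, rule_ids in rules_per_user.items()
        if hits_per_user[user] >= THRESHOLD_VALUE and len(rule_ids) >= CARDINALITY_VALUE
    }


# ---- constructed sample data (not real alerts) ------------------------------
NOW = datetime(2024, 5, 21, 12, 0, tzinfo=timezone.utc)


def make_alert(user: str, user_id: str, rule_id: str, hours_ago: float) -> dict:
    """Build a minimal alert document with the fields the rule reads (constructed)."""
    return {
        "signal.rule.name": f"Rule {rule_id}",
        "signal.rule.rule_id": rule_id,
        "user.name": user,
        "user.id": user_id,
        "event.ingested": NOW - timedelta(hours=hours_ago),
    }


SAMPLE_ALERTS = (
    # jdoe: five different rules inside the window -> should fire.
    [make_alert("jdoe", "S-1-5-21-1000", f"rule-000{i}", hours_ago=i) for i in range(1, 6)]
    # asmith: six alerts but only two distinct rules -> cardinality too low.
    + [make_alert("asmith", "S-1-5-21-1001", "rule-0001", hours_ago=i) for i in range(1, 4)]
    + [make_alert("asmith", "S-1-5-21-1001", "rule-0002", hours_ago=i) for i in range(4, 7)]
    # SYSTEM: five distinct rules, but user.id is an excluded well-known SID.
    + [make_alert("SYSTEM", "S-1-5-18", f"rule-000{i}", hours_ago=i) for i in range(1, 6)]
    # bnguyen: five distinct rules, but one landed 30 hours ago -> only four in window.
    + [make_alert("bnguyen", "S-1-5-21-1002", f"rule-000{i}", hours_ago=i) for i in range(1, 5)]
    + [make_alert("bnguyen", "S-1-5-21-1002", "rule-0005", hours_ago=30)]
)


def run_sample() -> dict:
    """Evaluate the rule against the constructed alerts."""
    return evaluate_threshold(SAMPLE_ALERTS, NOW)


if __name__ == "__main__":
    for user, rule_ids in run_sample().items():
        print(f"{user}: {len(rule_ids)} distinct rules -> {sorted(rule_ids)}")
```

Running it prints only `jdoe`, which is the behaviour a triage analyst should expect: a user who repeatedly trips the same one or two rules is noisy but not necessarily compromised, whereas a user appearing across five unrelated detections within a day is worth pulling to the top of the queue. Note that `interval = "1h"` with `from = "now-24h"` means each real execution re-examines a sliding 24-hour window, so a user can keep re-qualifying on successive runs until the oldest alerts age out.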
