Multiple Alerts Involving a User

This rule uses alert data to determine when multiple different alerts involving the same user are triggered. Analysts can use this to prioritize triage and response, as these users are more likely to be compromised.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2022/11/16"
maturity = "production"
updated_date = "2023/06/22"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"

[rule]
author = ["Elastic"]
description = """
This rule uses alert data to determine when multiple different alerts involving the same user are triggered. Analysts
can use this to prioritize triage and response, as these users are more likely to be compromised.
"""
false_positives = [
    """
    False positives can occur with Generic built-in accounts, such as Administrator, admin, etc. if they are widespread
    used in your environment. As a best practice, they shouldn't be used in day-to-day tasks, as it prevents the ability
    to quickly identify and contact the account owner to find out if an alert is a planned activity, regular business
    activity, or an upcoming incident.
    """,
]
from = "now-24h"
interval = "1h"
index = [".alerts-security.*"]
language = "kuery"
license = "Elastic License v2"
name = "Multiple Alerts Involving a User"
risk_score = 73
rule_id = "0d160033-fab7-4e72-85a3-3a9d80c8bff7"
severity = "high"
tags = ["Use Case: Threat Detection", "Rule Type: Higher-Order Rule"]
timestamp_override = "event.ingested"
type = "threshold"

query = '''
signal.rule.name:* and user.name:* and not user.id:("S-1-5-18" or "S-1-5-19" or "S-1-5-20")
'''

[rule.threshold]
field = ["user.name"]
value = 1

[[rule.threshold.cardinality]]
field = "signal.rule.rule_id"
value = 5
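To make the threshold logic concrete, here is an added Python model of what this rule evaluates each hour: it applies the KQL filter (both fields present, the three well-known Windows service SIDs excluded), keeps only alerts whose event.ingested falls in the 24h lookback, groups by user.name, and flags a user once five or more distinct signal.rule.rule_id values are seen. This is example code written for this page, not Elastic's implementation; the alert documents, user names and rule ids below are constructed placeholders.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constants mirroring the rule: lookback (from = "now-24h"), the excluded well-known
# Windows SIDs (LocalSystem, LocalService, NetworkService) and the cardinality value.
LOOKBACK = timedelta(hours=24)
EXCLUDED_USER_IDS = {"S-1-5-18", "S-1-5-19", "S-1-5-20"}
DISTINCT_RULES_REQUIRED = 5


def matches_query(alert):
    """Mirror of the KQL: signal.rule.name:* and user.name:* and not user.id:(...).
    A `field:*` existence check fails for a missing or empty field."""
    if not alert.get("signal.rule.name") or not alert.get("user.name"):
        return False
    return alert.get("user.id") not in EXCLUDED_USER_IDS


def flagged_users(alerts, now):
    """Apply the threshold: group matching alerts inside the lookback window by
    user.name and keep users seen in >= 5 distinct signal.rule.rule_id values.
    Returns {user.name: sorted list of distinct rule ids}."""
    window_start = now - LOOKBACK
    distinct_rules = defaultdict(set)
    for alert in alerts:
        if not matches_query(alert):
            continue
        # timestamp_override = "event.ingested": the window is judged on ingest time
        if alert["event.ingested"] < window_start:
            continue
        distinct_rules[alert["user.name"]].add(alert["signal.rule.rule_id"])
    return {user: sorted(rules) for user, rules in distinct_rules.items()
            if len(rules) >= DISTINCT_RULES_REQUIRED}


# Constructed sample alerts (not real data); rule ids are placeholders.
NOW = datetime(2023, 6, 22, 12, 0, tzinfo=timezone.utc)


def _alert(user, rule_id, hours_ago, user_id=None):
    return {"signal.rule.name": f"Rule {rule_id}", "signal.rule.rule_id": rule_id,
            "user.name": user, "user.id": user_id,
            "event.ingested": NOW - timedelta(hours=hours_ago)}


SAMPLE_ALERTS = (
    # jdoe: five distinct rules inside 24h -> flagged
    [_alert("jdoe", f"rule-{i}", hours_ago=i) for i in range(1, 6)]
    # svc_backup: six alerts but only two distinct rules -> not flagged
    + [_alert("svc_backup", "rule-1", 1)] * 3 + [_alert("svc_backup", "rule-2", 2)] * 3
    # SYSTEM (S-1-5-18): five distinct rules but excluded by user.id -> not flagged
    + [_alert("SYSTEM", f"rule-{i}", i, user_id="S-1-5-18") for i in range(1, 6)]
    # mlee: five distinct rules, but one is 30h old, so only four in window -> not flagged
    + [_alert("mlee", f"rule-{i}", i) for i in range(1, 5)] + [_alert("mlee", "rule-5", 30)]
)


def demo():
    """Run the rule logic over the constructed alerts."""
    return flagged_users(SAMPLE_ALERTS, NOW)


if __name__ == "__main__":
    for user, rules in demo().items():
        print(f"{user}: {len(rules)} distinct rules -> {rules}")
```

Two points the example makes visible: repeated hits from the same rule never add up (svc_backup), because the cardinality is on signal.rule.rule_id, not on alert count; and the SID exclusion only works when user.id is populated, so alerts carrying a built-in account name without its SID still count toward the threshold, which is the false-positive case the rule notes describe. Elasticsearch's cardinality aggregation is approximate rather than the exact set counting used here, but at counts this small the two agree.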
