Multiple Alerts Involving a User
This rule uses alert data to determine when multiple different alerts involving the same user are triggered. Analysts can use this to prioritize triage and response, as these users are more likely to be compromised.
Elastic rule (View on GitHub)
```toml
[metadata]
creation_date = "2022/11/16"
maturity = "production"
updated_date = "2023/06/22"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"

[rule]
author = ["Elastic"]
description = """
This rule uses alert data to determine when multiple different alerts involving the same user are triggered. Analysts
can use this to prioritize triage and response, as these users are more likely to be compromised.
"""
false_positives = [
    """
    False positives can occur with Generic built-in accounts, such as Administrator, admin, etc. if they are widespread
    used in your environment. As a best practice, they shouldn't be used in day-to-day tasks, as it prevents the ability
    to quickly identify and contact the account owner to find out if an alert is a planned activity, regular business
    activity, or an upcoming incident.
    """,
]
from = "now-24h"
interval = "1h"
index = [".alerts-security.*"]
language = "kuery"
license = "Elastic License v2"
name = "Multiple Alerts Involving a User"
risk_score = 73
rule_id = "0d160033-fab7-4e72-85a3-3a9d80c8bff7"
severity = "high"
tags = ["Use Case: Threat Detection", "Rule Type: Higher-Order Rule"]
timestamp_override = "event.ingested"
type = "threshold"

query = '''
signal.rule.name:* and user.name:* and not user.id:("S-1-5-18" or "S-1-5-19" or "S-1-5-20")
'''

[rule.threshold]
field = ["user.name"]
value = 1

[[rule.threshold.cardinality]]
field = "signal.rule.rule_id"
value = 5
```
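The threshold rule above fires once per user.name when, within the 24-hour lookback, that user appears in alerts raised by at least 5 distinct rules (the `value = 1` on the threshold field only requires the group to exist; the cardinality clause on `signal.rule.rule_id` is what makes the alerts "multiple"), while alerts attributed to the LocalSystem, LocalService and NetworkService SIDs are dropped by the KQL filter. The following Python is an added example, not Elastic's code: it re-implements that grouping and cardinality logic over a small set of constructed alert documents so the behaviour (duplicate alerts from one rule do not count twice, alerts outside the window are ignored, built-in service SIDs are excluded) can be checked offline. The flat dotted field names and the `rule-*` identifiers are assumptions for readability; real `.alerts-security.*` documents are nested ECS objects.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Well-known Windows service SIDs excluded by the rule's KQL filter:
# S-1-5-18 LocalSystem, S-1-5-19 LocalService, S-1-5-20 NetworkService.
EXCLUDED_USER_IDS = {"S-1-5-18", "S-1-5-19", "S-1-5-20"}

# Parameters mirrored from [rule.threshold] / [[rule.threshold.cardinality]].
GROUP_FIELD = "user.name"                 # threshold field
CARDINALITY_FIELD = "signal.rule.rule_id"  # distinct values counted per group
CARDINALITY_THRESHOLD = 5                  # cardinality value
LOOKBACK = timedelta(hours=24)             # from = "now-24h"


def matches_query(alert):
    """Mirror of the rule's KQL: signal.rule.name:* and user.name:* and
    not user.id:("S-1-5-18" or "S-1-5-19" or "S-1-5-20")."""
    if not alert.get("signal.rule.name"):
        return False
    if not alert.get("user.name"):
        return False
    if alert.get("user.id") in EXCLUDED_USER_IDS:
        return False
    return True


def find_users_with_multiple_alerts(alerts, now, lookback=LOOKBACK,
                                    threshold=CARDINALITY_THRESHOLD):
    """Return {user.name: sorted distinct rule ids} for every user whose alerts
    inside the lookback window came from at least `threshold` distinct rules.
    Uses event.ingested as the timestamp, as timestamp_override does."""
    window_start = now - lookback
    rules_by_user = defaultdict(set)
    for alert in alerts:
        if not matches_query(alert):
            continue
        ingested = datetime.fromisoformat(alert["event.ingested"])
        if ingested < window_start or ingested > now:
            continue
        # A set gives the distinct-count semantics of the cardinality clause.
        rules_by_user[alert[GROUP_FIELD]].add(alert[CARDINALITY_FIELD])
    return {
        user: sorted(rule_ids)
        for user, rule_ids in rules_by_user.items()
        if len(rule_ids) >= threshold
    }


# --- Constructed sample data (hypothetical users and rule ids) ---------------
NOW = datetime(2023, 6, 22, 12, 0, tzinfo=timezone.utc)


def _alert(user, rule_id, hours_ago, user_id=None):
    """Build one constructed alert document with flat dotted keys."""
    doc = {
        "signal.rule.name": f"Constructed rule {rule_id}",
        "signal.rule.rule_id": rule_id,
        "user.name": user,
        "event.ingested": (NOW - timedelta(hours=hours_ago)).isoformat(),
    }
    if user_id is not None:
        doc["user.id"] = user_id
    return doc


SAMPLE_ALERTS = [
    # jdoe: five distinct rules in-window, plus a repeat of rule-a (not double counted)
    *[_alert("jdoe", r, h) for r, h in
      [("rule-a", 1), ("rule-b", 3), ("rule-c", 6), ("rule-d", 10), ("rule-e", 20), ("rule-a", 2)]],
    # asmith: only three distinct rules, below the cardinality threshold
    *[_alert("asmith", r, h) for r, h in [("rule-a", 1), ("rule-b", 2), ("rule-c", 3)]],
    # SYSTEM: six distinct rules but carries the LocalSystem SID, so filtered out
    *[_alert("SYSTEM", f"rule-{i}", i, user_id="S-1-5-18") for i in range(6)],
    # bwayne: five distinct rules, but one alert is 25h old and falls outside the window
    *[_alert("bwayne", r, h) for r, h in
      [("rule-a", 1), ("rule-b", 2), ("rule-c", 3), ("rule-d", 4), ("rule-e", 25)]],
]


if __name__ == "__main__":
    for user, rule_ids in find_users_with_multiple_alerts(SAMPLE_ALERTS, NOW).items():
        print(f"{user}: {len(rule_ids)} distinct rules -> {rule_ids}")
```

Running the block reports only `jdoe`: the repeated `rule-a` alert adds nothing to the distinct count, `asmith` stays under five rules, `SYSTEM` is removed by the SID exclusion, and `bwayne` drops to four in-window rules once the 25-hour-old alert is discarded.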
Related rules
- Multiple Alerts in Different ATT&CK Tactics on a Single Host
- Agent Spoofing - Mismatched Agent ID
- Agent Spoofing - Multiple Hosts Using Same Agent
- Container Management Utility Run Inside A Container
- CyberArk Privileged Access Security Error