Correlated Alerts on Similar User Identities

  1[metadata]
  2creation_date = "2026/02/12"
  3maturity = "production"
  4updated_date = "2026/02/12"
  5
  6[rule]
  7author = ["Elastic"]
  8description = """
  9This rule correlates alerts from multiple integrations and event categories that involve different user.name values which
 10may represent the same real-world identity. It uses an LLM-based similarity analysis to evaluate whether multiple user identifiers
 11(e.g. naming variations, formats, aliases, or domain differences) likely belong to the same person.
 12"""
 13from = "now-60m"
 14interval = "30m"
 15language = "esql"
 16license = "Elastic License v2"
 17name = "Correlated Alerts on Similar User Identities"
 18references = [
 19    "https://www.elastic.co/docs/reference/query-languages/esql/esql-commands#esql-completion",
 20    "https://www.elastic.co/security-labs/elastic-advances-llm-security",
 21]
 22risk_score = 73
 23rule_id = "1bb329a5-2168-4da5-b7b9-d42a51deb6dd"
 24setup = """## Setup
 25
 26### LLM Configuration
 27
 28This rule uses the ES|QL COMPLETION command with Elastic's managed General Purpose LLM v2 (`.gp-llm-v2-completion`),
 29which is available out-of-the-box in Elastic Cloud deployments with an appropriate subscription.
 30
 31To use a different LLM provider (Azure OpenAI, Amazon Bedrock, OpenAI, or Google Vertex), configure a connector
 32following the [LLM connector documentation](https://www.elastic.co/docs/explore-analyze/ai-features/llm-guides/llm-connectors)
 33and update the `inference_id` parameter in the query to reference your configured connector.
 34"""
 35severity = "high"
 36tags = [
 37    "Domain: Identity",
 38    "Domain: LLM",
 39    "Use Case: Threat Detection",
 40    "Use Case: Identity and Access Audit",
 41    "Resources: Investigation Guide",
 42    "Rule Type: Higher-Order Rule",
 43]
 44timestamp_override = "event.ingested"
 45type = "esql"
 46
 47query = '''
 48from .alerts-security.*
 49
 50// truncate timestamp to 5-minute window
 51| eval Esql.time_window_date_trunc = date_trunc(5 minutes, @timestamp)
 52
 53// high severity alerts excluding system standard user.ids
 54| where kibana.alert.rule.name is not null and user.name is not null and kibana.alert.risk_score >= 73 and kibana.alert.workflow_status == "open" and 
 55        not kibana.alert.rule.type in ("threat_match", "machine_learning") and
 56        not user.id in ("S-1-5-18", "S-1-5-19", "S-1-5-20", "0")
 57
 58// group alerts by short time window and extract values of interest for alert triage
 59| stats Esql.event_module_distinct_count = COUNT_DISTINCT(event.module),
 60        Esql.user_name_distinct_count = COUNT_DISTINCT(user.name),
 61        Esql.rule_name_distinct_count = COUNT_DISTINCT(kibana.alert.rule.name),
 62        Esql.event_category_distinct_count = COUNT_DISTINCT(event.category),
 63        Esql.rule_risk_score_distinct_count = COUNT_DISTINCT(kibana.alert.risk_score),
 64        Esql.event_module_values = VALUES(event.module),
 65        Esql.rule_name_values = VALUES(kibana.alert.rule.name),
 66        Esql.message_values = VALUES(message),
 67        Esql.event_category_values = VALUES(event.category),
 68        Esql.event_action_values = VALUES(event.action),
 69        Esql.source_ip_values = VALUES(source.ip),
 70        Esql.destination_ip_values = VALUES(destination.ip),
 71        Esql.host_id_values = VALUES(host.id),
 72        Esql.agent_id_values = VALUES(agent.id),
 73        Esql.rule_severity_values = VALUES(kibana.alert.risk_score),
 74        Esql.user_name_values = VALUES(user.name) by Esql.time_window_date_trunc
 75
 76// filter for alerts from different integrations with unique categories
 77| where Esql.event_module_distinct_count >= 2 and Esql.user_name_distinct_count >= 2 and Esql.event_category_distinct_count >= 2
 78
 79// build context for LLM analysis
 80| eval users_list = MV_CONCAT(Esql.user_name_values, ",")
 81
 82// LLM analysis
 83| eval instructions = "Analyze the provided user names and return a boolean value true if at least 2 of them are similar and they may belong to the same human identify or false if not, do not compare user names that may look like service accounts. If the list of users has more than 2 users and only 2 of them are similar consider this as true. Structure the output as follows: verdict=<verdict> confidence=<score> summary=<short reason max 500 words> without any other response statements on a single line."
 84| eval prompt = CONCAT("User identities extracted from different alerts: ", users_list, instructions)
 85| COMPLETION triage_result = prompt WITH { "inference_id": ".gp-llm-v2-completion"}
 86
 87// parse LLM response
 88| DISSECT triage_result """verdict=%{Esql.verdict} confidence=%{Esql.confidence} summary=%{Esql.summary}"""
 89
 90// filter for similar user values
 91| where TO_LOWER(Esql.verdict) == "true"
 92| keep Esql.*
 93'''
 94note = """## Triage and analysis
 95
 96> **Disclaimer**:
 97> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, analysts should validate findings against their environment and identity architecture.
 98
 99### Investigating Correlated Alerts on Similar User Identities
100
101This rule identifies alerts from multiple integrations and event categories involving different `user.name` values that may represent the same real-world identity.
102An LLM is used to assess string similarity and naming patterns to determine whether multiple user identifiers likely belong to the same person, which may indicate account compromise, credential abuse, or identity misuse across systems.
103
104### Possible investigation steps
105
106- Review the correlated `user.name` values and validate whether they represent naming variations, aliases, or identity mappings.
107- Examine the LLM output fields (`verdict`, `confidence`, `summary`) as decision support, not ground truth.
108- Analyze the diversity of alert sources, event categories, and detection rules involved.
109- Reconstruct the alert timeline to identify potential stages such as initial access, lateral movement, privilege escalation, or persistence.
110- Correlate with authentication logs, IAM/SSO telemetry, EDR data, and network logs to identify shared sessions, IPs, devices, or hosts.
111- Validate identities against directory services, identity providers, and federation mappings.
112
113### False positive analysis
114
115- Identity format variations across systems (e.g., `first.last`, `flast`, `user@domain`).
116- Federated identity mappings between on-prem, cloud, and SaaS platforms.
117- Service, automation, and CI/CD accounts with similar naming conventions.
118- Separate admin and standard user accounts for the same individual.
119- Shared credentials or naming templates in development and test environments.
120
121### Response and remediation
122
123- Temporarily disable or suspend correlated accounts if compromise is suspected.
124- Revoke active sessions, tokens, and credentials.
125- Investigate access scope, privileges, and lateral movement paths.
126- Perform endpoint and identity forensics to identify persistence mechanisms.
127- Remediate IAM misconfigurations and federation issues.
128- Enhance monitoring for identity correlation, credential misuse, and cross-platform abuse.."""