// Alert-correlation query: surface destination addresses that several
// independent integrations have flagged with alerts of differing kinds.
//
// Stage 1 - candidate alerts. Everything in the security alert indices is
// considered except: alerts without a destination address or rule name,
// low-severity alerts (Elastic's default risk score for "low" is 21, so
// "> 21" keeps medium/high/critical only), and alerts produced by
// indicator-match or machine-learning rule types.
FROM .alerts-security.*
| WHERE destination.ip IS NOT NULL
    AND kibana.alert.rule.name IS NOT NULL
    AND kibana.alert.risk_score > 21
    AND kibana.alert.rule.type != "threat_match"
    AND kibana.alert.rule.type != "machine_learning"

// Stage 2 - one row per destination.ip. The *_distinct_count columns drive
// the filter below; the *_values columns are triage context only.
// NOTE: ES|QL COUNT_DISTINCT is an approximate (cardinality) aggregation, but
// at the tiny cardinalities compared against here it is effectively exact.
// NOTE: Esql.rule_severity_values holds kibana.alert.risk_score values
// (numeric risk score), not the textual severity label, despite its name.
| STATS
    Esql.event_module_distinct_count    = COUNT_DISTINCT(event.module),
    Esql.rule_name_distinct_count       = COUNT_DISTINCT(kibana.alert.rule.name),
    Esql.event_category_distinct_count  = COUNT_DISTINCT(event.category),
    Esql.rule_risk_score_distinct_count = COUNT_DISTINCT(kibana.alert.risk_score),
    Esql.event_module_values            = VALUES(event.module),
    Esql.rule_name_values               = VALUES(kibana.alert.rule.name),
    Esql.message_values                 = VALUES(message),
    Esql.event_category_values          = VALUES(event.category),
    Esql.event_action_values            = VALUES(event.action),
    Esql.source_ip_values               = VALUES(source.ip),
    Esql.host_id_values                 = VALUES(host.id),
    Esql.agent_id_values                = VALUES(agent.id),
    Esql.user_name_values               = VALUES(user.name),
    Esql.rule_severity_values           = VALUES(kibana.alert.risk_score)
  BY destination.ip

// Stage 3 - correlation criteria. A destination qualifies when it was
// reported by at least two integrations (event.module) with at least two
// event categories, AND either several distinct risk scores were seen or the
// single risk score seen is high (73) or critical (99).
//
// Why the OR is safe: when rule_risk_score_distinct_count is 1, VALUES()
// yields a single value and the equality tests are meaningful; when it is
// 2 or more, the first disjunct is already true, so the equality tests on
// a now multivalued column (which ES|QL evaluates to null) never decide
// the row.
| WHERE Esql.event_module_distinct_count >= 2
    AND Esql.event_category_distinct_count >= 2
    AND (
          Esql.rule_risk_score_distinct_count >= 2
       OR Esql.rule_severity_values == 73
       OR Esql.rule_severity_values == 99
    )

// Stage 4 - keep only the grouping key and the derived columns.
| KEEP destination.ip, Esql.*
Install detection rules in Elastic Security
Detect Alerts From Multiple Integrations by Destination Address in the Elastic Security detection engine by installing this rule into your Elastic Stack.
To set up this rule, see the installation guide for Prebuilt Security Detection Rules.