Multiple Alerts Involving a User

Last updated 4 months ago on 2025-01-15

Created 2 years ago on 2022-11-16

About

This rule uses alert data to determine when multiple different alerts involving the same user are triggered. Analysts can use this to prioritize triage and response, as these users are more likely to be compromised.

Tags: Use Case: Threat DetectionRule Type: Higher-Order RuleLanguage: kuery
Severity: high
Risk Score: 73
False Positive Examples: False positives can occur with Generic built-in accounts, such as Administrator, admin, etc. if they are widespread used in your environment. As a best practice, they shouldn't be used in day-to-day tasks, as it prevents the ability to quickly identify and contact the account owner to find out if an alert is a planned activity, regular business activity, or an upcoming incident.
License: Elastic License v2(opens in a new tab or window)

Definition

Rule Type: Threshold Rule
Integration Pack: Prebuilt Security Detection Rules
Index Patterns: .alerts-security.*
Related Integrations: (opens in a new tab or window)
Query

signal.rule.name:* and user.name:* and not user.id:("S-1-5-18" or "S-1-5-19" or "S-1-5-20")

Install detection rules in Elastic Security

Detect Multiple Alerts Involving a User in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).