text code block:from .alerts-security.* // any alerts excluding low severity and the noisy ones | where kibana.alert.rule.name is not null and user.name is not null and kibana.alert.risk_score > 21 and not kibana.alert.rule.type in ("threat_match", "machine_learning") and not user.id in ("S-1-5-18", "S-1-5-19", "S-1-5-20", "0") // group alerts by user.name and extract values of interest for alert triage | stats Esql.event_module_distinct_count = COUNT_DISTINCT(event.module), Esql.rule_name_distinct_count = COUNT_DISTINCT(kibana.alert.rule.name), Esql.event_category_distinct_count = COUNT_DISTINCT(event.category), Esql.rule_risk_score_distinct_count = COUNT_DISTINCT(kibana.alert.risk_score), Esql.event_module_values = VALUES(event.module), Esql.rule_name_values = VALUES(kibana.alert.rule.name), Esql.message_values = VALUES(message), Esql.event_category_values = VALUES(event.category), Esql.event_action_values = VALUES(event.action), Esql.source_ip_values = VALUES(source.ip), Esql.destination_ip_values = VALUES(destination.ip), Esql.host_id_values = VALUES(host.id), Esql.agent_id_values = VALUES(agent.id), Esql.rule_severity_values = VALUES(kibana.alert.risk_score) by user.name, user.id // filter for alerts from same destination.ip reported by different integrations with unique categories and with different severity levels | where Esql.event_module_distinct_count >= 2 and Esql.event_category_distinct_count >= 2 and (Esql.rule_risk_score_distinct_count >= 2 or Esql.rule_severity_values == 73 or Esql.rule_severity_values == 99) | keep user.name, Esql.*
Install detection rules in Elastic Security
Detect Alerts From Multiple Integrations by User Name in the Elastic Security detection engine by installing this rule into your Elastic Stack.
To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).