Alerts From Multiple Integrations by User Name

Last updated: 2026-02-16
Created: 2025-12-15

About

This rule correlates existing alerts rather than raw events: it looks for a single user.name that appears in alerts raised by at least two different integrations (distinct event.module values) spanning at least two distinct event categories, with either differing risk scores or a high/critical score. Analysts can use the result to prioritize triage and response, since a user flagged independently by several data sources is more likely to be compromised than one flagged by a single rule.
Tags
Use Case: Threat Detection
Rule Type: Higher-Order Rule
Language: esql
Severity
high
Risk Score
73
License
Elastic License v2

Definition

Integration Pack
Prebuilt Security Detection Rules
Related Integrations


Query
from .alerts-security.*
// any alerts excluding low severity and the noisy ones
| where kibana.alert.rule.name is not null
  and user.name is not null
  and kibana.alert.risk_score > 21
  and not kibana.alert.rule.type in ("threat_match", "machine_learning")
  and not user.id in ("S-1-5-18", "S-1-5-19", "S-1-5-20", "0")
  and not KQL("""kibana.alert.rule.tags : "Rule Type: Higher-Order Rule" """)
  // Top noisy influencing rules
  // Agent Spoofing - Mismatched Agent ID
  // Compression DLL Loaded by Unusual Process
  // Process Termination followed by Deletion
  // Suspicious PrintSpooler Service Executable File Creation
  // Potential PrintNightmare File Modification
  // Multiple Vault Web Credentials Read
  // Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score
  and not kibana.alert.rule.rule_id in (
    "3115bd2c-0baa-4df0-80ea-45e474b5ef93",
    "d197478e-39f0-4347-a22f-ba654718b148",
    "09443c92-46b3-45a4-8f25-383b028b258d",
    "5bb4a95d-5a08-48eb-80db-4c3a63ec78a8",
    "5e87f165-45c2-4b80-bfa5-52822552c997",
    "44fc462c-1159-4fa8-b1b7-9b6296ab4f96",
    "994e40aa-8c85-43de-825e-15f665375ee8"
  )
// group alerts by user.name and extract values of interest for alert triage
| stats
    Esql.event_module_distinct_count = COUNT_DISTINCT(event.module),
    Esql.rule_name_distinct_count = COUNT_DISTINCT(kibana.alert.rule.name),
    Esql.event_category_distinct_count = COUNT_DISTINCT(event.category),
    Esql.rule_risk_score_distinct_count = COUNT_DISTINCT(kibana.alert.risk_score),
    Esql.event_module_values = VALUES(event.module),
    Esql.rule_name_values = VALUES(kibana.alert.rule.name),
    Esql.message_values = VALUES(message),
    Esql.event_category_values = VALUES(event.category),
    Esql.event_action_values = VALUES(event.action),
    Esql.source_ip_values = VALUES(source.ip),
    Esql.destination_ip_values = VALUES(destination.ip),
    Esql.host_id_values = VALUES(host.id),
    Esql.agent_id_values = VALUES(agent.id),
    Esql.rule_severity_values = VALUES(kibana.alert.risk_score)
  by user.name, user.id
// filter for alerts on the same user.name reported by different integrations with unique categories and with different severity levels
| where Esql.event_module_distinct_count >= 2
  and Esql.event_category_distinct_count >= 2
  and (Esql.rule_risk_score_distinct_count >= 2
       or Esql.rule_severity_values == 73
       or Esql.rule_severity_values == 99)
| keep user.name, Esql.*
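To check what the query above actually fires on before deploying it, the following is an added example (not code from the Elastic rule or its repository) that re-implements the rule's per-alert filter and its per-user aggregation in plain Python and runs it over a handful of constructed sample alerts. It assumes alerts flattened to the dotted field names the query uses (user.name, event.module, kibana.alert.risk_score, and so on); the noisy rule_id exclusion list is passed in as an empty set for the sample, and the multi-valued `== 73 / == 99` comparison is read as "the single remaining score is 73 or 99", which is the only case in which that branch can add anything beyond the distinct-count check.

```python
"""Plain-Python re-implementation of the ES|QL correlation logic (added example,
not part of the Elastic rule). Mirrors the first WHERE clause per alert, then the
STATS / second WHERE per (user.name, user.id) group."""

from collections import defaultdict

# Exclusions copied from the rule's first WHERE clause.
EXCLUDED_RULE_TYPES = {"threat_match", "machine_learning"}
EXCLUDED_USER_IDS = {"S-1-5-18", "S-1-5-19", "S-1-5-20", "0"}
HIGHER_ORDER_TAG = "Rule Type: Higher-Order Rule"
MIN_RISK_SCORE = 21  # the rule keeps risk_score > 21, i.e. drops "low" alerts


def _values(v):
    """Normalise a scalar or list-valued ECS field to a set (None contributes nothing)."""
    if v is None:
        return set()
    return set(v) if isinstance(v, (list, tuple, set)) else {v}


def passes_filter(alert, noisy_rule_ids=frozenset()):
    """Per-alert filter: the same conditions as the rule's first WHERE clause."""
    if alert.get("kibana.alert.rule.name") is None or alert.get("user.name") is None:
        return False
    if alert.get("kibana.alert.risk_score", 0) <= MIN_RISK_SCORE:
        return False
    if alert.get("kibana.alert.rule.type") in EXCLUDED_RULE_TYPES:
        return False
    if alert.get("user.id") in EXCLUDED_USER_IDS:
        return False
    if HIGHER_ORDER_TAG in _values(alert.get("kibana.alert.rule.tags")):
        return False
    if alert.get("kibana.alert.rule.rule_id") in noisy_rule_ids:
        return False
    return True


def correlate(alerts, noisy_rule_ids=frozenset()):
    """Group surviving alerts by (user.name, user.id) and apply the rule's
    second WHERE clause. Returns {user.name: summary} for users that fire."""
    groups = defaultdict(list)
    for a in alerts:
        if passes_filter(a, noisy_rule_ids):
            groups[(a["user.name"], a.get("user.id"))].append(a)

    hits = {}
    for (user_name, _user_id), rows in groups.items():
        modules = set().union(*(_values(r.get("event.module")) for r in rows))
        categories = set().union(*(_values(r.get("event.category")) for r in rows))
        scores = {r["kibana.alert.risk_score"] for r in rows}
        # ES|QL equality on a multi-valued field yields null, so "== 73 / == 99"
        # only matters when VALUES() holds one score; membership covers that case.
        severity_ok = len(scores) >= 2 or 73 in scores or 99 in scores
        if len(modules) >= 2 and len(categories) >= 2 and severity_ok:
            hits[user_name] = {
                "event_module_values": sorted(modules),
                "event_category_values": sorted(categories),
                "rule_name_values": sorted({r["kibana.alert.rule.name"] for r in rows}),
                "risk_scores": sorted(scores),
            }
    return hits


def _alert(user, uid, module, category, rule, score, rule_type="query"):
    return {"user.name": user, "user.id": uid, "event.module": module,
            "event.category": [category], "kibana.alert.rule.name": rule,
            "kibana.alert.rule.type": rule_type, "kibana.alert.risk_score": score}


# Constructed sample alerts (not real data).
SAMPLE_ALERTS = [
    # jdoe: endpoint process alert + Okta authentication alert, differing scores -> fires
    _alert("jdoe", "1001", "endpoint", "process", "Suspicious Process", 47),
    _alert("jdoe", "1001", "okta", "authentication", "Unusual Okta Login", 73),
    # jdoe: ML alert is excluded by rule type and must not count towards the modules
    _alert("jdoe", "1001", "auditd", "network", "ML Anomaly", 73, "machine_learning"),
    # asmith: two integrations, both high (73) -> fires via the "== 73" branch
    _alert("asmith", "1002", "endpoint", "process", "Suspicious Process", 73),
    _alert("asmith", "1002", "okta", "authentication", "Unusual Okta Login", 73),
    # bjones: two integrations but a single medium score -> does not fire
    _alert("bjones", "1003", "endpoint", "process", "Suspicious Process", 47),
    _alert("bjones", "1003", "okta", "authentication", "Unusual Okta Login", 47),
    # svc-backup: two categories but one integration -> does not fire
    _alert("svc-backup", "1004", "endpoint", "process", "Suspicious Process", 47),
    _alert("svc-backup", "1004", "endpoint", "file", "Suspicious File Write", 73),
    # SYSTEM is excluded by user.id; a score of 21 is excluded as low severity
    _alert("SYSTEM", "S-1-5-18", "endpoint", "process", "Suspicious Process", 73),
    _alert("SYSTEM", "S-1-5-18", "okta", "authentication", "Unusual Okta Login", 73),
    _alert("cwhite", "1005", "endpoint", "process", "Suspicious Process", 21),
    _alert("cwhite", "1005", "okta", "authentication", "Unusual Okta Login", 73),
]

if __name__ == "__main__":
    for user, summary in correlate(SAMPLE_ALERTS).items():
        print(user, summary)
```

Running it prints only jdoe and asmith; bjones shows why the score branch exists (two integrations alone are not enough when every alert is medium), and the excluded ML alert demonstrates that the rule-type filter is applied before counting distinct modules, not after.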

Install detection rules in Elastic Security

Detect Alerts From Multiple Integrations by User Name in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, check out the installation guide for Prebuilt Security Detection Rules.