text code block:from .alerts-security.* // any alerts excluding low severity and the noisy ones | where kibana.alert.rule.name is not null and source.ip is not null and kibana.alert.risk_score > 21 and not kibana.alert.rule.type in ("threat_match", "machine_learning") // group alerts by source.ip and extract values of interest for alert triage | stats Esql.event_module_distinct_count = COUNT_DISTINCT(event.module), Esql.rule_name_distinct_count = COUNT_DISTINCT(kibana.alert.rule.name), Esql.event_category_distinct_count = COUNT_DISTINCT(event.category), Esql.rule_risk_score_distinct_count = COUNT_DISTINCT(kibana.alert.risk_score), Esql.event_module_values = VALUES(event.module), Esql.rule_name_values = VALUES(kibana.alert.rule.name), Esql.message_values = VALUES(message), Esql.event_category_values = VALUES(event.category), Esql.event_action_values = VALUES(event.action), Esql.destination_ip_values = VALUES(destination.ip), Esql.host_id_values = VALUES(host.id), Esql.agent_id_values = VALUES(agent.id), Esql.user_name_values = VALUES(user.name), Esql.rule_severity_values = VALUES(kibana.alert.risk_score) by source.ip // filter for alerts from same source.ip reported by different integrations with unique categories and with different severity levels | where Esql.event_module_distinct_count >= 2 and Esql.event_category_distinct_count >= 2 and (Esql.rule_risk_score_distinct_count >= 2 or Esql.rule_severity_values == 73 or Esql.rule_severity_values == 99) | keep source.ip, Esql.*
Install detection rules in Elastic Security
Detect Alerts From Multiple Integrations by Source Address in the Elastic Security detection engine by installing this rule into your Elastic Stack.
To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).