Elastic Security Detection Rules

Multiple External EDR Alerts by Host

Last updated 3 days ago on 2026-01-09
Created 3 days ago on 2026-01-09

About

This rule uses alert data to determine when multiple external EDR alerts involving the same host are triggered. Analysts can use this to prioritize triage and response, as these hosts are more likely to be compromised.
Tags
Use Case: Threat DetectionRule Type: Higher-Order RuleDomain: EndpointLanguage: esql
Severity
high
Risk Score
73
License
Elastic License v2(external, opens in a new tab or window)

Definition

Integration Pack
Prebuilt Security Detection Rules
Related Integrations

(external, opens in a new tab or window)

Query
text code block:
from .alerts-security.*
| WHERE event.dataset in ("crowdstrike.alert", "crowdstrike.falcon", "sentinel_one.alert", "sentinel_one.threat", "m365_defender.alert") and
        host.id is not null and kibana.alert.risk_score > 21 and
        not (event.module == "crowdstrike" and (kibana.alert.rule.name like "* at *" or kibana.alert.rule.name like "* on *" or kibana.alert.rule.name == "EICARTestFileWrittenWin"))
| stats Esql.alerts_count = COUNT(*),
        Esql.rule_risk_score_distinct_count = COUNT_DISTINCT(kibana.alert.risk_score),
        Esql.unique_rules_count = COUNT_DISTINCT(kibana.alert.rule.name),
        Esql.processes_count = COUNT_DISTINCT(process.executable),
        Esql.files_count = COUNT_DISTINCT(file.path),
        Esql.process_cmdline_count = COUNT_DISTINCT(process.command_line),
        Esql.rule_risk_score_values = VALUES(kibana.alert.risk_score),
        Esql.process_path_values = VALUES(process.executable),
        Esql.file_path_values = VALUES(file.path),
        Esql.user_name_values = VALUES(user.name),
        Esql.process_command_line_values = VALUES(process.command_line),
        Esql.process_parent_command_line_values = VALUES(process.parent.command_line),
        Esql.rule_name_values = VALUES(kibana.alert.rule.name) by host.id, host.name, event.module
| where (
	// 3+ unique rules or processes
  (
    Esql.unique_rules_count >= 3 or
    (Esql.processes_count >= 3 and Esql.rule_name_values == "External Alerts")
  ) and
  	// and 2+ rules of different severity, or 1 high/critical severity rule
  (
    Esql.rule_risk_score_distinct_count >= 2 or
    Esql.rule_risk_score_values == 73 or
    Esql.rule_risk_score_values == 99
  )
) or
  // or 5+ unique rules from the same host for 1+ path/command_line/process
  (Esql.unique_rules_count >= 5 and Esql.alerts_count <= 50 and
  (Esql.files_count >= 1 or Esql.process_cmdline_count >= 1 or Esql.processes_count >= 1)
)
| KEEP event.module, host.id, host.name, Esql.*

Install detection rules in Elastic Security

Detect Multiple External EDR Alerts by Host in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).