Multiple Alerts Involving a User

Elastic Detection Rules

Summary
The rule titled "Multiple Alerts Involving a User" detects patterns of suspicious user activity by monitoring the alert documents produced by other security rules. It is designed to help security analysts prioritize their response by flagging a single user account that triggers multiple alerts within a 24-hour period. The rationale is that compromised accounts tend to exhibit unusual behavior that results in several alerts, indicating an elevated risk of a security incident. The rule uses a threshold approach, counting unique alerts associated with a user while excluding known system accounts. Excluding those accounts avoids noise from automated processes and generic accounts, so that the rule surfaces genuine threats requiring immediate investigation. The accompanying investigation guide offers detailed triage steps, potential false positive scenarios, and recommendations for response and remediation, emphasizing that understanding a user's behavior and role within the organization is what allows an analyst to distinguish benign from malicious activity.
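The threshold logic described above, as an added illustration that is not Elastic's rule query: it groups constructed sample alert documents by user, drops a hypothetical system-account list, and reports users whose distinct alert rule names within any 24-hour window reach a threshold (the value 3 is an assumption; the page does not state the rule's actual threshold).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alert documents (not real Elastic data); field names follow ECS.
SAMPLE_ALERTS = [
    {"@timestamp": "2022-11-16T08:00:00Z", "user.name": "alice", "rule.name": "Suspicious PowerShell Download"},
    {"@timestamp": "2022-11-16T08:05:00Z", "user.name": "alice", "rule.name": "Suspicious PowerShell Download"},
    {"@timestamp": "2022-11-16T09:10:00Z", "user.name": "alice", "rule.name": "Credential Dumping Attempt"},
    {"@timestamp": "2022-11-16T14:30:00Z", "user.name": "alice", "rule.name": "Unusual Network Connection"},
    {"@timestamp": "2022-11-17T07:59:00Z", "user.name": "alice", "rule.name": "New Scheduled Task"},
    {"@timestamp": "2022-11-16T10:00:00Z", "user.name": "bob", "rule.name": "Suspicious PowerShell Download"},
    {"@timestamp": "2022-11-18T10:00:00Z", "user.name": "bob", "rule.name": "Credential Dumping Attempt"},
    {"@timestamp": "2022-11-16T10:00:00Z", "user.name": "SYSTEM", "rule.name": "Service Created"},
    {"@timestamp": "2022-11-16T10:01:00Z", "user.name": "SYSTEM", "rule.name": "Registry Run Key Modified"},
    {"@timestamp": "2022-11-16T10:02:00Z", "user.name": "SYSTEM", "rule.name": "New Scheduled Task"},
]

# Hypothetical exclusion list standing in for the rule's "known system accounts";
# the real list is not reproduced on this page.
SYSTEM_ACCOUNTS = {"SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE", "root"}


def _ts(alert):
    """Parse an ISO-8601 '@timestamp' with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(alert["@timestamp"].replace("Z", "+00:00"))


def users_over_threshold(alerts, threshold=3, window=timedelta(hours=24)):
    """Return {user: max distinct rule names seen in any `window`} for users
    whose count reaches `threshold`; system accounts are ignored entirely."""
    by_user = defaultdict(list)
    for alert in alerts:
        user = alert.get("user.name")
        if not user or user in SYSTEM_ACCOUNTS:
            continue
        by_user[user].append((_ts(alert), alert["rule.name"]))

    flagged = {}
    for user, events in by_user.items():
        events.sort()
        best = 0
        for i, (start, _) in enumerate(events):
            # Distinct rule names in the window opening at this alert; repeats
            # of the same rule count once, matching a unique-alert threshold.
            names = {name for t, name in events[i:] if t - start < window}
            best = max(best, len(names))
        if best >= threshold:
            flagged[user] = best
    return flagged
```

Running `users_over_threshold(SAMPLE_ALERTS)` flags only alice (four distinct rules inside one 24-hour window); bob's two alerts are 48 hours apart and SYSTEM is excluded before counting.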
Categories
  • Endpoint
  • Cloud
  • Identity Management
Data Sources
  • User Account
  • Application Log
  • Network Traffic
Created: 2022-11-16