
Summary
This rule aims to improve security alert triage by correlating multiple security alerts involving the same user across different hosts and data sources. Using the Elasticsearch Query Language (ES|QL) together with Elastic's managed LLM (Large Language Model), the rule analyzes alert patterns, MITRE tactics, and geographic anomalies to determine whether a user account may be compromised. It assesses whether the user shows signs of credential theft or unauthorized access and produces a confidence score together with a verdict that helps analysts prioritize their investigations. Alerts are first filtered on specific criteria so that the analysis concentrates on significant cases and remains robust and targeted. Follow-up actions depend on the LLM's findings.
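The following Python script is an added illustration of the correlation step the summary describes; it is not the rule's own ES|QL query or Elastic's code. It pre-filters constructed sample alerts by severity, groups the survivors per user, collects the distinct hosts, data sources, MITRE tactics and source countries seen for that user, and turns them into a confidence score and verdict. The field names, the severity pre-filter, the scoring weights and the verdict thresholds are all assumptions; in the real rule the per-user aggregation is done in ES|QL and the verdict comes from the LLM, which would receive a per-user summary like the one `triage()` returns.

```python
"""Correlate security alerts per user and produce a confidence score.

Added example, not the rule's own code. Field names, the pre-filter and the
scoring weights are assumptions that stand in for the ES|QL aggregation and
the LLM verdict described on the page.
"""
from dataclasses import dataclass, field


def alert(user, host, source, tactic, country, severity):
    """Build one normalised alert record (fields are assumed, ECS-like)."""
    return dict(user=user, host=host, source=source, tactic=tactic,
                country=country, severity=severity)


# Constructed sample alerts, not real telemetry.
SAMPLE_ALERTS = [
    alert("alice", "ws-01", "endpoint", "Credential Access", "US", "high"),
    alert("alice", "ws-02", "identity", "Initial Access", "BR", "medium"),
    alert("alice", "srv-db", "cloud", "Lateral Movement", "US", "high"),
    alert("bob", "ws-07", "endpoint", "Execution", "US", "low"),
    alert("bob", "ws-07", "endpoint", "Execution", "US", "low"),
    alert("carol", "ws-09", "endpoint", "Credential Access", "US", "high"),
]

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
MIN_SEVERITY = "medium"  # assumed pre-filter: drop low-severity noise


@dataclass
class UserProfile:
    """Distinct dimensions of activity observed for one user."""
    user: str
    alert_count: int = 0
    hosts: set = field(default_factory=set)
    sources: set = field(default_factory=set)
    tactics: set = field(default_factory=set)
    countries: set = field(default_factory=set)


def prefilter(alerts):
    """Keep only alerts at or above the configured severity."""
    threshold = SEVERITY_RANK[MIN_SEVERITY]
    return [a for a in alerts if SEVERITY_RANK.get(a["severity"], 0) >= threshold]


def correlate(alerts):
    """Group alerts by user and collect the distinct hosts, sources, tactics, countries."""
    profiles = {}
    for a in alerts:
        p = profiles.setdefault(a["user"], UserProfile(a["user"]))
        p.alert_count += 1
        p.hosts.add(a["host"])
        p.sources.add(a["source"])
        p.tactics.add(a["tactic"])
        p.countries.add(a["country"])
    return profiles


def score(profile):
    """Heuristic confidence (0-100) that the account is compromised; weights are assumed."""
    s = 0
    s += 15 * min(len(profile.hosts) - 1, 2)     # same user active on several hosts
    s += 10 * min(len(profile.sources) - 1, 2)   # corroborated by several data sources
    s += 10 * min(len(profile.tactics) - 1, 3)   # breadth of MITRE tactics
    if len(profile.countries) > 1:
        s += 15                                  # geographic anomaly
    if "Credential Access" in profile.tactics:
        s += 5                                   # direct sign of credential theft
    return min(s, 100)


def verdict(confidence):
    """Map the score to the verdict an analyst would sort by (thresholds assumed)."""
    if confidence >= 70:
        return "likely compromised"
    if confidence >= 40:
        return "suspicious"
    return "insufficient evidence"


def triage(alerts):
    """Run the pipeline: pre-filter, correlate per user, score, verdict."""
    results = {}
    for user, p in correlate(prefilter(alerts)).items():
        c = score(p)
        results[user] = {
            "confidence": c,
            "verdict": verdict(c),
            "alert_count": p.alert_count,
            "hosts": sorted(p.hosts),
            "sources": sorted(p.sources),
            "tactics": sorted(p.tactics),
            "countries": sorted(p.countries),
        }
    return results


if __name__ == "__main__":
    for user, r in sorted(triage(SAMPLE_ALERTS).items()):
        print(user, r)
```

With the constructed input, `bob` never reaches the correlation stage because both of his alerts fall below the severity pre-filter, `carol` has a single high alert and gets a low score, and `alice`, who appears on three hosts across three data sources with activity from two countries, scores high enough for the "likely compromised" verdict. The per-user dictionary is the kind of compact evidence summary a downstream LLM step would be asked to reason over.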
Categories
- Identity Management
- Cloud
- Endpoint
Data Sources
- User Account
- Network Traffic
- Application Log
Created: 2026-02-03