Multiple External EDR Alerts by Host

Elastic Detection Rules

Summary
This detection rule identifies hosts that generate multiple external EDR (Endpoint Detection and Response) alerts within a specified time window. It uses ES|QL (the Elasticsearch Query Language) to read alerts ingested from third-party security vendors, including CrowdStrike and Microsoft 365 Defender, and aggregates them per host, counting total alerts, distinct rule names, processes, and associated file paths. A host is flagged for triage only when it exceeds thresholds on the number of distinct rules and on risk score: several different detections firing on one host in a short period is a stronger indicator of an active intrusion than a single alert, or the same alert repeating, so the thresholds sharpen the signal while suppressing noise from routine activity. The rule helps analysts prioritise response to likely compromises and guides them through investigation, false-positive analysis, and recommended response actions.
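To make the aggregation concrete, the following is an added Python re-implementation of the per-host logic described above, run over constructed sample alerts. It is not the rule's own ES|QL query and not Elastic's code: the field names assume the vendor integrations normalise alerts to ECS-style keys (`host.name`, `rule.name`, `process.name`, `file.path`, `event.risk_score`, `event.dataset`), and the window and threshold values are illustrative assumptions, not the values the real rule uses.

```python
# Added example: a Python re-implementation of the per-host aggregation this
# rule performs in ES|QL, run over constructed sample alerts. It is NOT the
# rule's own query; field names follow ECS conventions and the thresholds are
# illustrative assumptions, not the values the real rule uses.
from datetime import datetime, timedelta, timezone

# Illustrative thresholds (assumptions, not the rule's actual values).
WINDOW = timedelta(hours=24)   # look-back window
MIN_ALERTS = 3                 # total alerts on the host
MIN_UNIQUE_RULES = 2           # distinct vendor rule names
MIN_MAX_RISK = 70              # highest risk score among the host's alerts

# Fixed "now" so the example is deterministic.
NOW = datetime(2026, 1, 9, 12, 0, tzinfo=timezone.utc)

# Constructed sample alerts (not real telemetry). Field names assume the
# CrowdStrike and Microsoft 365 Defender integrations normalise to ECS.
SAMPLE_ALERTS = [
    # ws-17: three different detections in twelve minutes -> should be flagged
    {"@timestamp": "2026-01-09T10:00:00Z", "host.name": "ws-17",
     "event.dataset": "crowdstrike.alert", "rule.name": "Credential Dumping",
     "process.name": "rundll32.exe", "file.path": r"C:\Windows\Temp\lsass.dmp",
     "event.risk_score": 90},
    {"@timestamp": "2026-01-09T10:05:00Z", "host.name": "ws-17",
     "event.dataset": "m365_defender.alert", "rule.name": "Suspicious PowerShell Download",
     "process.name": "powershell.exe", "file.path": r"C:\Users\Public\stage.ps1",
     "event.risk_score": 75},
    {"@timestamp": "2026-01-09T10:12:00Z", "host.name": "ws-17",
     "event.dataset": "crowdstrike.alert", "rule.name": "Scheduled Task Persistence",
     "process.name": "schtasks.exe", "file.path": r"C:\Windows\System32\schtasks.exe",
     "event.risk_score": 60},
    # ws-17: an old high-severity alert outside the window -> must be ignored
    {"@timestamp": "2026-01-07T09:00:00Z", "host.name": "ws-17",
     "event.dataset": "crowdstrike.alert", "rule.name": "Malware Detected",
     "process.name": "setup.exe", "file.path": r"C:\Users\jdoe\Downloads\setup.exe",
     "event.risk_score": 99},
    # srv-db-02: the same low-risk rule firing three times -> noise, not flagged
    *[{"@timestamp": f"2026-01-09T11:{m:02d}:00Z", "host.name": "srv-db-02",
       "event.dataset": "m365_defender.alert", "rule.name": "Unsigned Driver Loaded",
       "process.name": "System", "file.path": r"C:\Windows\System32\drivers\vendor.sys",
       "event.risk_score": 55} for m in (0, 20, 40)],
    # laptop-04: one severe alert only -> below the alert-count threshold
    {"@timestamp": "2026-01-09T11:30:00Z", "host.name": "laptop-04",
     "event.dataset": "crowdstrike.alert", "rule.name": "Ransomware Behavior",
     "process.name": "crypt.exe", "file.path": r"C:\Users\asmith\crypt.exe",
     "event.risk_score": 95},
]


def _parse_ts(value):
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def aggregate_by_host(alerts, now=NOW):
    """Group alerts inside the look-back window by host, mirroring an
    ES|QL `STATS ... BY host.name`: counts, distinct rules/processes/paths,
    contributing datasets and the highest risk score seen."""
    window_start = now - WINDOW
    stats = {}
    for alert in alerts:
        if _parse_ts(alert["@timestamp"]) < window_start:
            continue  # outside the time frame the rule evaluates
        host = stats.setdefault(alert["host.name"], {
            "alerts": 0, "rules": set(), "processes": set(),
            "paths": set(), "datasets": set(), "max_risk": 0,
        })
        host["alerts"] += 1
        host["rules"].add(alert["rule.name"])
        host["processes"].add(alert["process.name"])
        host["paths"].add(alert["file.path"])
        host["datasets"].add(alert["event.dataset"])
        host["max_risk"] = max(host["max_risk"], alert["event.risk_score"])
    return stats


def flag_hosts(stats):
    """Return hosts that exceed every threshold, sorted by max risk then count,
    so the triage queue starts with the most suspicious host."""
    flagged = [
        (host, s) for host, s in stats.items()
        if s["alerts"] >= MIN_ALERTS
        and len(s["rules"]) >= MIN_UNIQUE_RULES
        and s["max_risk"] >= MIN_MAX_RISK
    ]
    flagged.sort(key=lambda hs: (hs[1]["max_risk"], hs[1]["alerts"]), reverse=True)
    return [host for host, _ in flagged]


if __name__ == "__main__":
    per_host = aggregate_by_host(SAMPLE_ALERTS)
    for host in flag_hosts(per_host):
        s = per_host[host]
        print(f"{host}: {s['alerts']} alerts, {len(s['rules'])} rules, "
              f"max risk {s['max_risk']}, sources {sorted(s['datasets'])}")
```

Run as a script, only `ws-17` is reported: `srv-db-02` has three alerts but a single repeating low-risk rule, and `laptop-04` has one severe alert, so both fall below the thresholds; the stale high-severity alert on `ws-17` is excluded by the window check. The distinct-rule requirement is what separates a noisy host from one where several unrelated detections fire in sequence, which is the noise-versus-signal trade-off the rule's thresholds are tuned for.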
Categories
  • Endpoint
  • Cloud
  • Infrastructure
Data Sources
  • Container
  • User Account
  • Process
  • Network Traffic
  • Application Log
Created: 2026-01-09