[New] Elastic Defend and Email Alerts Correlation (#5336)

* Create multiple_alerts_email_elastic_defend_correlation.toml

* Update multiple_alerts_email_elastic_defend_correlation.toml

* Update multiple_alerts_email_elastic_defend_correlation.toml

* Update rules/cross-platform/multiple_alerts_email_elastic_defend_correlation.toml

Co-authored-by: Copilot <[email protected]>

* Update multiple_alerts_email_elastic_defend_correlation.toml

---------

Co-authored-by: Copilot <[email protected]>
Co-authored-by: shashank-elastic <[email protected]>

Author: 3 people

rules/cross-platform/multiple_alerts_email_elastic_defend_correlation.toml

@@ -0,0 +1,82 @@
+[metadata]
+creation_date = "2025/11/19"
+maturity = "production"
+updated_date = "2025/11/19"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule correlates any Elastic Defend alert with an email security related alert by target user name. This may indicate
+the successful execution of a phishing attack.
+"""
+from = "now-1h"
+interval = "45m"
+language = "esql"
+license = "Elastic License v2"
+name = "Elastic Defend and Email Alerts Correlation"
+risk_score = 73
+rule_id = "c562a800-cf97-464e-9d6f-84db91e86e10"
+severity = "high"
+tags = [
+    "Use Case: Threat Detection",
+    "Rule Type: Higher-Order Rule",
+    "Resources: Investigation Guide",
+    "Data Source: Elastic Defend",
+    "Domain: Email",
+    "Domain: Endpoint"
+]
+timestamp_override = "event.ingested"
+type = "esql"
+
+query = '''
+from logs-* metadata _id
+// Email or Elastic Defend alerts where user name is populated
+| where
+  (event.category == "email" and event.kind == "alert" and destination.user.name is not null) or
+  (event.module == "endpoint" and event.dataset == "endpoint.alerts" and user.name is not null)
+
+// extract target user name from email and endpoint alerts
+| eval email_alert_target_user_name = CASE(event.category == "email", destination.user.name, null),
+       elastic_defend_alert_user_name = CASE(event.module == "endpoint" and event.dataset == "endpoint.alerts", user.name, null)
+| eval Esql.target_user_name = COALESCE(email_alert_target_user_name, elastic_defend_alert_user_name)
+| where Esql.target_user_name is not null
+
+// group by Esql.target_user_name
+| stats Esql.alerts_count = COUNT(*),
+        Esql.event_module_distinct_count = COUNT_DISTINCT(event.module),
+        Esql.event_module_values = VALUES(event.module),
+        Esql.message_values = VALUES(message),
+        Esql.event_action_values = VALUES(event.action),
+        Esql.process_executable_values = VALUES(process.executable),
+        Esql.host_id_values = VALUES(host.id),
+        Esql.source_user_name = VALUES(source.user.name),
+        Esql.rule_name_values = VALUES(rule.name)
+        by Esql.target_user_name
+// alert when same user is observed in an endpoint and email alert
+| where Esql.event_module_distinct_count >= 2
+| keep Esql.alerts_count, Esql.event_module_values, Esql.host_id_values, Esql.source_user_name, Esql.target_user_name, Esql.message_values, Esql.rule_name_values, Esql.event_action_values
+'''
+note = """## Triage and analysis
+### Investigating Elastic Defend and Email Alerts Correlation
+
+This rule correlates any Elastic Defend alert with an email security related alert by target user name.
+
+### Possible investigation steps
+- Review the alert details to identify the specific host and users involved.
+- Investigate the individual alerts for the target user name and see if they are related.
+- Review all emails received from Esql.source_user_name and if there are other impacted users.
+- Correlate the alert data with other logs and telemetry from the host, such as process creation, network connections, and file modifications, to gather additional context.
+- Assess the impact and scope of the potential compromise by determining if other hosts or systems have similar alerts or related activity.
+
+### False positive analysis
+- Legitimate email marked as suspicious.
+- Legitimate file or behavior marked as suspicious by Elastic Defend.
+- Unrelated alerts where the target user name is too generic.
+
+### Response and remediation
+- Isolate the affected host from the network immediately to prevent further lateral movement by the adversary.
+- Conduct a thorough forensic analysis of the host.
+- Remove any identified malicious software or unauthorized access tools from the host, ensuring all persistence mechanisms are eradicated.
+- Restore the host from a known good backup if necessary, ensuring that the backup is free from compromise.
+- Monitor the host and network for any signs of re-infection or further suspicious activity, using enhanced logging and alerting based on the identified attack patterns.
+- Escalate the incident to the appropriate internal or external cybersecurity teams for further investigation and potential legal action if the attack is part of a larger campaign."""