Update multiple_alerts_from_different_modules_by_srcip.toml

Samirbous · web-flow · commit 1a015e82f4e7 · 2025-12-18T17:49:46.000Z
diff --git a/rules/cross-platform/multiple_alerts_from_different_modules_by_srcip.toml b/rules/cross-platform/multiple_alerts_from_different_modules_by_srcip.toml
@@ -46,7 +46,7 @@ from .alerts-security.*
         Esql.rule_severity_values = VALUES(kibana.alert.risk_score) by source.ip
 
 // filter for alerts from same source.ip reported by different integrations with unique categories and with different severity levels
-| where Esql.event_module_distinct_count >= 2 and Esql.event_category_distinct_count >= 2 and (Esql.rule_risk_score_distinct_count >= 2 or Esql.rule_severity_values == 73)
+| where Esql.event_module_distinct_count >= 2 and Esql.event_category_distinct_count >= 2 and (Esql.rule_risk_score_distinct_count >= 2 or Esql.rule_severity_values == 73 or Esql.rule_severity_values == 99)
 | keep source.ip, Esql.*
 '''
 note = """## Triage and analysis
