++

Samirbous · Samirbous · commit 1f3f16f463c3 · 2025-12-15T11:14:16.000Z
diff --git a/rules/cross-platform/multiple_alerts_from_different_modules_by_dstip.toml b/rules/cross-platform/multiple_alerts_from_different_modules_by_dstip.toml
@@ -26,14 +26,14 @@ query = '''
 from .alerts-security.*  metadata _id
 
 // any alerts excluding low severity and the noisy ones
-| where kibana.alert.rule.name is not null and destination.ip is not null and kibana.alert.rule.severity != "low" and
+| where kibana.alert.rule.name is not null and destination.ip is not null and kibana.alert.risk_score > 21 and
         not kibana.alert.rule.name in ("Threat Intel IP Address Indicator Match", "Threat Intel Indicator Match", "Agent Spoofing - Mismatched Agent ID")
 
 // group alerts by source.ip and extract values of interest for alert triage
 | stats Esql.event_module_distinct_count = COUNT_DISTINCT(event.module),
         Esql.rule_name_distinct_count = COUNT_DISTINCT(kibana.alert.rule.name),
         Esql.event_category_distinct_count = COUNT_DISTINCT(event.category),
-        Esql.rule_severity_distinct_count = COUNT_DISTINCT(kibana.alert.rule.severity),
+        Esql.rule_severity_distinct_count = COUNT_DISTINCT(kibana.alert.risk_score),
         Esql.event_module_values = VALUES(event.module),
         Esql.rule_name_values = VALUES(kibana.alert.rule.name),
         Esql.message_values = VALUES(message),
@@ -42,7 +42,7 @@ from .alerts-security.*  metadata _id
         Esql.host_id_values = VALUES(host.id),
         Esql.agent_id_values = VALUES(agent.id),
         Esql.user_name_values = VALUES(user.name),
-        Esql.rule_severity_values = VALUES(kibana.alert.rule.severity) by destination.ip
+        Esql.rule_severity_values = VALUES(kibana.alert.risk_score) by destination.ip
 
 // filter for alerts from same destination.ip reported by different integrations with unique categories and with different severity levels
 | where Esql.event_module_distinct_count >= 2 and Esql.event_category_distinct_count >= 2 and Esql.rule_severity_distinct_count >= 2
diff --git a/rules/cross-platform/multiple_alerts_from_different_modules_by_srcip.toml b/rules/cross-platform/multiple_alerts_from_different_modules_by_srcip.toml
@@ -26,14 +26,14 @@ query = '''
 from .alerts-security.*  metadata _id
 
 // any alerts excluding low severity and the noisy ones
-| where kibana.alert.rule.name is not null and source.ip is not null and kibana.alert.rule.severity != "low" and
+| where kibana.alert.rule.name is not null and source.ip is not null and kibana.alert.risk_score > 21 and
         not kibana.alert.rule.name in ("Threat Intel IP Address Indicator Match", "Threat Intel Indicator Match", "Agent Spoofing - Mismatched Agent ID")
 
 // group alerts by source.ip and extract values of interest for alert triage
 | stats Esql.event_module_distinct_count = COUNT_DISTINCT(event.module),
         Esql.rule_name_distinct_count = COUNT_DISTINCT(kibana.alert.rule.name),
         Esql.event_category_distinct_count = COUNT_DISTINCT(event.category),
-        Esql.rule_severity_distinct_count = COUNT_DISTINCT(kibana.alert.rule.severity),
+        Esql.rule_severity_distinct_count = COUNT_DISTINCT(kibana.alert.risk_score),
         Esql.event_module_values = VALUES(event.module),
         Esql.rule_name_values = VALUES(kibana.alert.rule.name),
         Esql.message_values = VALUES(message),
@@ -42,7 +42,7 @@ from .alerts-security.*  metadata _id
         Esql.host_id_values = VALUES(host.id),
         Esql.agent_id_values = VALUES(agent.id),
         Esql.user_name_values = VALUES(user.name),
-        Esql.rule_severity_values = VALUES(kibana.alert.rule.severity) by source.ip
+        Esql.rule_severity_values = VALUES(kibana.alert.risk_score) by source.ip
 
 // filter for alerts from same source.ip reported by different integrations with unique categories and with different severity levels
 | where Esql.event_module_distinct_count >= 2 and Esql.event_category_distinct_count >= 2 and Esql.rule_severity_distinct_count >= 2
diff --git a/rules/cross-platform/multiple_alerts_from_different_modules_by_user.toml b/rules/cross-platform/multiple_alerts_from_different_modules_by_user.toml
@@ -26,15 +26,15 @@ query = '''
 from .alerts-security.*  metadata _id
 
 // any alerts excluding low severity and the noisy ones
-| where kibana.alert.rule.name is not null and user.name is not null and kibana.alert.rule.severity != "low" and
+| where kibana.alert.rule.name is not null and user.name is not null and kibana.alert.risk_score > 21 and
         not kibana.alert.rule.name in ("Threat Intel IP Address Indicator Match", "Threat Intel Indicator Match", "Agent Spoofing - Mismatched Agent ID") and
         not user.id in ("S-1-5-18", "S-1-5-19", "S-1-5-20")
 
 // group alerts by source.ip and extract values of interest for alert triage
 | stats Esql.event_module_distinct_count = COUNT_DISTINCT(event.module),
         Esql.rule_name_distinct_count = COUNT_DISTINCT(kibana.alert.rule.name),
         Esql.event_category_distinct_count = COUNT_DISTINCT(event.category),
-        Esql.rule_severity_distinct_count = COUNT_DISTINCT(kibana.alert.rule.severity),
+        Esql.rule_severity_distinct_count = COUNT_DISTINCT(kibana.alert.risk_score),
         Esql.event_module_values = VALUES(event.module),
         Esql.rule_name_values = VALUES(kibana.alert.rule.name),
         Esql.message_values = VALUES(message),
@@ -44,7 +44,7 @@ from .alerts-security.*  metadata _id
         Esql.host_id_values = VALUES(host.id),
         Esql.agent_id_values = VALUES(agent.id),
         Esql.user_id_values = VALUES(user.id),
-        Esql.rule_severity_values = VALUES(kibana.alert.rule.severity) by user.name
+        Esql.rule_severity_values = VALUES(kibana.alert.risk_score) by user.name
 
 // filter for alerts from same destination.ip reported by different integrations with unique categories and with different severity levels
 | where Esql.event_module_distinct_count >= 2 and Esql.event_category_distinct_count >= 2 and Esql.rule_severity_distinct_count >= 2
