++

Samirbous · Samirbous · commit 73891860e181 · 2025-12-15T10:59:30.000Z
diff --git a/rules/cross-platform/multiple_alerts_from_different_modules_by_dstip.toml b/rules/cross-platform/multiple_alerts_from_different_modules_by_dstip.toml
@@ -6,8 +6,9 @@ updated_date = "2025/12/15"
 [rule]
 author = ["Elastic"]
 description = """
-This rule uses alert data to determine when multiple alerts from different integrations involving the same destination.ip
-are triggered. Analysts can use this to prioritize triage and response, as these hosts are more likely to be compromised.
+This rule uses alert data to determine when multiple alerts from different integrations with unique event categories and
+involving the same destination.ip are triggered. Analysts can use this to prioritize triage and response, as these IP address
+is more likely to be related to a compromise.
 """
 from = "now-8h"
 interval = "1h"
diff --git a/rules/cross-platform/multiple_alerts_from_different_modules_by_srcip.toml b/rules/cross-platform/multiple_alerts_from_different_modules_by_srcip.toml
@@ -6,8 +6,9 @@ updated_date = "2025/12/15"
 [rule]
 author = ["Elastic"]
 description = """
-This rule uses alert data to determine when multiple alerts from different integrations involving the same source.ip are
-triggered. Analysts can use this to prioritize triage and response, as these hosts are more likely to be compromised.
+This rule uses alert data to determine when multiple alerts from different integrations with unique event categories and
+involving the same source.ip are triggered. Analysts can use this to prioritize triage and response, as these IP addresses
+are more likely to be related to a compromise.
 """
 from = "now-8h"
 interval = "1h"
diff --git a/rules/cross-platform/multiple_alerts_from_different_modules_by_user.toml b/rules/cross-platform/multiple_alerts_from_different_modules_by_user.toml
@@ -6,8 +6,9 @@ updated_date = "2025/12/15"
 [rule]
 author = ["Elastic"]
 description = """
-This rule uses alert data to determine when multiple alerts from different integrations involving the same user.name are
-triggered. Analysts can use this to prioritize triage and response, as these hosts are more likely to be compromised.
+This rule uses alert data to determine when multiple alerts from different integrations with unique event categories and
+involving the same user.name are triggered. Analysts can use this to prioritize triage and response, as these users are
+more likely to be compromised.
 """
 from = "now-4h"
 interval = "1h"
