Update multiple_alerts_from_different_modules_by_dstip.toml

Samirbous · web-flow · commit d87df0f0f487 · 2025-12-18T17:49:11.000Z
diff --git a/rules/cross-platform/multiple_alerts_from_different_modules_by_dstip.toml b/rules/cross-platform/multiple_alerts_from_different_modules_by_dstip.toml
@@ -45,7 +45,7 @@ from .alerts-security.*
         Esql.rule_severity_values = VALUES(kibana.alert.risk_score) by destination.ip
 
 // filter for alerts from same destination.ip reported by different integrations with unique categories and with different severity levels or presence of high severity alerts
-| where Esql.event_module_distinct_count >= 2 and Esql.event_category_distinct_count >= 2 and (Esql.rule_risk_score_distinct_count >= 2 or Esql.rule_severity_values == 73)
+| where Esql.event_module_distinct_count >= 2 and Esql.event_category_distinct_count >= 2 and (Esql.rule_risk_score_distinct_count >= 2 or Esql.rule_severity_values == 73 or Esql.rule_severity_values == 99)
 | keep destination.ip, Esql.*
 '''
 note = """## Triage and analysis
