Update multiple_alerts_from_different_modules_by_user.toml

Samirbous · web-flow · commit fcd07c720373 · 2025-12-18T17:50:05.000Z
diff --git a/rules/cross-platform/multiple_alerts_from_different_modules_by_user.toml b/rules/cross-platform/multiple_alerts_from_different_modules_by_user.toml
@@ -47,7 +47,7 @@ from .alerts-security.*
         Esql.rule_severity_values = VALUES(kibana.alert.risk_score) by user.name, user.id
 
 // filter for alerts from same destination.ip reported by different integrations with unique categories and with different severity levels
-| where Esql.event_module_distinct_count >= 2 and Esql.event_category_distinct_count >= 2 and (Esql.rule_risk_score_distinct_count >= 2 or Esql.rule_severity_values == 73)
+| where Esql.event_module_distinct_count >= 2 and Esql.event_category_distinct_count >= 2 and (Esql.rule_risk_score_distinct_count >= 2 or Esql.rule_severity_values == 73 or Esql.rule_severity_values == 99)
 | keep user.name, Esql.*
 '''
 note = """## Triage and analysis
