Solved

Multiple different alerts from same source

  • January 7, 2026
  • 3 replies
  • 63 views

Bernaldo

Hi,

I’m trying to create an alert based on multiple alerts from the same source. My goal here is to raise an alert when more than 2 different alerts from the same source were triggered, and from there, if I have two alerts with low severity, maybe raise one with medium severity, and if I have two medium, raise one high, and so on.

So far I have this alert:

rule Multiple_events_same_source {

  meta:
    author = ""
    description = "this rule "
    severity = "High"

  events:
    // Only detections whose underlying event carries a source hostname
    $e.detection.collection_elements.references.event.principal.hostname != ""
    $e.detection.collection_elements.references.event.principal.hostname = $SourceHost
    // Rules listed in the reference list are excluded from the correlation
    not $e.detection.detection.rule_name in %WHITELIST_MULTIPLE_EVENTS_RULE

  match:
    // Group detections by source host over a one-hour window
    $SourceHost over 1h

  outcome:
    $risk_score = 0

  condition:
    // Fires on any three or more detections, regardless of rule name
    #e > 2
}

But what I want to achieve is to just get different alerts (by alert name). I mean, I just want this alert to be triggered when the alert names of the events that make it fire are different from one another.


Can someone help me with that task?

Best regards.


3 replies

Zorone Gimmy
  • New Member
  • Answer
  • January 8, 2026

You need to count unique alert names per source. Trigger the alert only if the number of distinct alert names exceeds your threshold. For example, use count(distinct $e.detection.detection.rule_name) > 2 in the condition to consider only different alerts and adjust severity based on their mix.


AymanC
  • Bronze 5
  • January 11, 2026

Hi @Bernaldo,

I think this use case is best suited for a composite detection - Composite detections overview  |  Google Security Operations  |  Google Cloud Documentation


“Determine the specific scenarios where composite rules can provide value. This includes detecting multi-stage attacks, correlating multiple low-confidence alerts into a single high-confidence alert, or enriching detections with additional context from other data sources.”

Kind Regards,

Ayman


Bernaldo
  • Author
  • Bronze 1
  • January 14, 2026

You need to count unique alert names per source. Trigger the alert only if the number of distinct alert names exceeds your threshold. For example, use count(distinct $e.detection.detection.rule_name) > 2 in the condition to consider only different alerts and adjust severity based on their mix.

Hi,

You’re right, that does the trick. I just added

outcome:
    $Detections = count_distinct($e.detection.detection.rule_name)

condition:
    #e > 2 and $Detections > 2

Thanks.
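Putting Zorone Gimmy's count_distinct suggestion and AymanC's composite-detection pointer together, here is an added example (not code from the thread) of the "High" tier of Bernaldo's rule: it fires only when more than two different rule names hit one host within an hour and the mix includes at least two medium or one high alert. It assumes the %WHITELIST_MULTIPLE_EVENTS_RULE reference list from the original post exists and that detection.detection.severity is the field carrying each source rule's severity (an assumption; check the field name in your tenant's composite detection schema). Because severity in meta is static, the "Medium" tier is the same rule with severity = "Medium" and a condition requiring two or more low alerts instead.

```yaral
rule multiple_distinct_alerts_same_source_high {
  meta:
    author = "example"
    description = "More than two different rules fired on one host within 1h, with at least two medium or one high alert among them"
    severity = "High"

  events:
    $d.detection.collection_elements.references.event.principal.hostname != ""
    $d.detection.collection_elements.references.event.principal.hostname = $host
    // Reference list from the original post: rules excluded from the correlation
    not $d.detection.detection.rule_name in %WHITELIST_MULTIPLE_EVENTS_RULE

  match:
    $host over 1h

  outcome:
    // Number of different rule names, not the raw number of detections
    $distinct_rules = count_distinct($d.detection.detection.rule_name)
    // Severity mix of the contributing alerts. The field name
    // detection.detection.severity is an assumption; verify it in your schema.
    $medium_count = sum(if($d.detection.detection.severity = "MEDIUM", 1, 0))
    $high_count = sum(if($d.detection.detection.severity = "HIGH", 1, 0))
    // Contributing rule names, surfaced to the analyst on the alert
    $rule_names = array_distinct($d.detection.detection.rule_name)
    // Risk score reflects the worst contributing alert
    $risk_score = max(if($d.detection.detection.severity = "HIGH", 90, 70))

  condition:
    #d > 2 and $distinct_rules > 2 and ($medium_count > 1 or $high_count > 0)
}
```

The outcome variables are referenced in the condition, so a host with three detections from the same rule is not enough; it takes three distinct rule names plus the required severity mix.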