[Tuning] Elastic Defend and Network Security Alerts Correlation (#5518)

* Update multiple_alerts_elastic_defend_netsecurity_by_host.toml

* Update multiple_alerts_elastic_defend_netsecurity_by_host.toml

* Update multiple_alerts_elastic_defend_netsecurity_by_host.toml

* Update multiple_alerts_elastic_defend_netsecurity_by_host.toml

* Update multiple_alerts_elastic_defend_netsecurity_by_host.toml
Samirbous
2026-01-02 14:40:06 +00:00
committed by GitHub
parent f337926c52
commit c7adfd8b6d
@@ -2,7 +2,7 @@
creation_date = "2025/11/18"
integration = ["endpoint", "panw", "fortinet_fortigate", "suricata"]
maturity = "production"
updated_date = "2025/11/28"
updated_date = "2025/12/30"
[rule]
author = ["Elastic"]
@@ -42,7 +42,7 @@ FROM logs-* metadata _id
// Fortigate suspicious events
(event.dataset == "fortinet_fortigate.log" and
(event.action in ("outbreak-prevention", "deny", "infected", "blocked") or message like "backdoor*" or message like "Proxy*" or message like "anomaly*" or message like "P2P*" or message like "misc*" or message like "DNS.Over.HTTPS" or message like "Remote.Access")) or
(event.action in ("outbreak-prevention", "infected", "blocked") or message like "backdoor*" or message like "Proxy*" or message like "anomaly*" or message like "P2P*" or message like "misc*" or message like "DNS.Over.HTTPS" or message like "Remote.Access")) or
// Suricata
(event.dataset == "suricata.eve" and message in ("Command and Control Traffic", "Potentially Bad Traffic", "A Network Trojan was detected", "Detection of a Network Scan", "Domain Observed Used for C2 Detected", "Malware Command and Control Activity Detected"))
@@ -56,19 +56,24 @@ FROM logs-* metadata _id
// group by host_source_ip shared between FG/PANW and Elastic Defend
| stats Esql.alerts_count = COUNT(*),
Esql.event_module_distinct_count = COUNT_DISTINCT(event.module),
Esql.message_values_distinct_count = COUNT_DISTINCT(message),
Esql.event_module_values = VALUES(event.module),
Esql.message_values = VALUES(message),
Esql.event_action_values = VALUES(event.action),
Esql.process_executable_values = VALUES(process.executable),
Esql.process_hash_sha256_values = VALUES(process.hash.sha256),
Esql.process_cmdline_values = VALUES(process.command_line),
Esql.file_path_values = VALUES(file.path),
Esql.file_hash_sha256_values = VALUES(file.hash.sha256),
Esql.host_id_values = VALUES(host.id),
Esql.user_name_values = VALUES(user.name),
Esql.destination_ip_values = VALUES(destination.ip)
by Esql.source_ip
| where Esql.event_module_distinct_count >= 2
| where Esql.event_module_distinct_count >= 2 AND Esql.message_values_distinct_count >= 2
| eval concat_module_values = MV_CONCAT(Esql.event_module_values, ",")
// Make sure an endpoint alert is present along one of the network ones
| where concat_module_values like "*endpoint*"
| keep Esql.alerts_count, Esql.source_ip, Esql.destination_ip_values, Esql.host_id_values, Esql.user_name_values, Esql.event_module_values, Esql.message_values, Esql.process_executable_values
| keep Esql.*
'''
note = """## Triage and analysis
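Review bot: In the third hunk the computed column `concat_module_values` is the only eval'd field that lacks the `Esql.` prefix every stats column in the same hunk carries, and it is kept out of the alert only because the new `keep Esql.*` happens not to match it, so the column's fate depends on a naming accident rather than an explicit decision. Renaming it keeps the convention uniform and makes the intent visible: `| eval Esql.concat_module_values = MV_CONCAT(Esql.event_module_values, ",")` and `| where Esql.concat_module_values like "*endpoint*"`, followed by `| drop Esql.concat_module_values` before the `keep` if it is meant to stay internal. Separately, the stats block now collects eight VALUES() multi-value sets (command lines, file paths, hashes, destination IPs) per Esql.source_ip with no bound on group size, and if several endpoints share one source IP (for example behind NAT) those sets can grow large, so a short comment stating the expected per-IP volume, or a cap on the collected values, would help the next person tuning this rule. The ES|QL query, including the FROM stage and the derivation of Esql.source_ip, begins before this hunk.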