elastic · Samirbous · May 15, 2025
diff --git a/rules/cross-platform/initial_access_azure_o365_with_network_alert.toml b/rules/cross-platform/initial_access_azure_o365_with_network_alert.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/04/29"
 integration = ["azure", "o365"]
 maturity = "production"
-updated_date = "2025/04/29"
+updated_date = "2025/05/15"
 min_stack_version = "8.17.0"
 min_stack_comments = "Elastic ES|QL query functions limitation."
 
@@ -94,7 +94,7 @@ FROM logs-*, .alerts-security.*
 // aggregated alerts count by bucket and by source.ip
 | stats total_alerts = count(*), is_mail_access = COUNT_DISTINCT(mail_access_src_ip), is_azure = COUNT_DISTINCT(azure_src_ip), unique_dataset = COUNT_DISTINCT(event.dataset),is_network_alert = COUNT_DISTINCT(network_alert_src_ip), datasets = VALUES(event.dataset), rules = VALUES(kibana.alert.rule.name), cat = VALUES(event.category) by source_ip = TO_IP(source.ip)
 // filter for cases where there is a successful sign-in to azure or m365 mail and the source.ip is reported by a network external alert.
-| where is_network_alert  > 0 and (is_mail_access > 0 or is_azure > 0 and unique_dataset >= 2)
+| where is_network_alert  > 0 and unique_dataset >= 2 and (is_mail_access > 0 or is_azure > 0) and total_alerts <= 100
 '''