LoFP

False positives can occur with generic built-in accounts, such as administrator, admin, etc., if they are widely used in your environment. As a best practice, they shouldn't be used in day-to-day tasks, because that prevents analysts from quickly identifying and contacting the account owner to find out whether an alert is a planned activity, regular business activity, or an unfolding incident.

Techniques

Sample rules

Multiple Alerts Involving a User

Description

This rule uses alert data to determine when multiple different alerts involving the same user are triggered. Analysts can use this to prioritize triage and response, as these users are more likely to be compromised.

Detection logic

signal.rule.name:* and user.name:* and not user.id:("S-1-5-18" or "S-1-5-19" or "S-1-5-20")
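The detection logic above applied to constructed alert documents, as an added example that is not the rule's own code: it keeps only alerts that match the query, counts distinct rule names per user (a threshold of two distinct rules for "multiple" is an assumption), and tags the generic built-in account names the false-positive note mentions so an analyst knows the owner will be hard to identify.

```python
from collections import defaultdict

# Well-known Windows SIDs excluded by the query: SYSTEM, LOCAL SERVICE, NETWORK SERVICE.
EXCLUDED_SIDS = {"S-1-5-18", "S-1-5-19", "S-1-5-20"}
# Generic built-in names from the false-positive note (assumed list, extend per environment).
GENERIC_ACCOUNTS = {"administrator", "admin"}
# Assumed threshold: "multiple" means at least two distinct rule names for one user.
MIN_DISTINCT_RULES = 2


def matches_query(alert):
    """Mirror of: signal.rule.name:* and user.name:* and not user.id:(<excluded SIDs>)."""
    if not alert.get("signal.rule.name") or not alert.get("user.name"):
        return False  # either field missing: the wildcard existence checks fail
    return alert.get("user.id") not in EXCLUDED_SIDS


def users_with_multiple_alerts(alerts, threshold=MIN_DISTINCT_RULES):
    """Return {user.name: sorted distinct rule names} for users at or above threshold."""
    rules_by_user = defaultdict(set)
    for alert in alerts:
        if matches_query(alert):
            rules_by_user[alert["user.name"]].add(alert["signal.rule.name"])
    return {u: sorted(r) for u, r in rules_by_user.items() if len(r) >= threshold}


def is_generic_account(user):
    """True for built-in names whose owner cannot be identified quickly."""
    return user.lower() in GENERIC_ACCOUNTS


# Constructed sample alert documents (flattened field names, not real data).
SAMPLE_ALERTS = [
    {"signal.rule.name": "Suspicious PowerShell", "user.name": "jdoe", "user.id": "S-1-5-21-1"},
    {"signal.rule.name": "Credential Dumping", "user.name": "jdoe", "user.id": "S-1-5-21-1"},
    {"signal.rule.name": "Suspicious PowerShell", "user.name": "jdoe", "user.id": "S-1-5-21-1"},
    {"signal.rule.name": "Service Creation", "user.name": "SYSTEM", "user.id": "S-1-5-18"},
    {"signal.rule.name": "Scheduled Task", "user.name": "SYSTEM", "user.id": "S-1-5-18"},
    {"signal.rule.name": "RDP Logon", "user.name": "administrator", "user.id": "S-1-5-21-500"},
    {"signal.rule.name": "New Local Admin", "user.name": "administrator", "user.id": "S-1-5-21-500"},
    {"signal.rule.name": "Port Scan", "user.name": "asmith", "user.id": "S-1-5-21-2"},
    {"signal.rule.name": "Port Scan", "user.id": "S-1-5-21-3"},  # no user.name: not matched
]

if __name__ == "__main__":
    for user, rules in users_with_multiple_alerts(SAMPLE_ALERTS).items():
        tag = " (generic built-in account, verify owner)" if is_generic_account(user) else ""
        print(f"{user}: {rules}{tag}")
```

Note that the duplicate "Suspicious PowerShell" alert for jdoe counts once, and SYSTEM is dropped by the SID exclusion even though it has two distinct alerts.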