# Elastic prebuilt "higher-order" detection rule: instead of raw event data it
# reads the alerts already written by other rules (the .alerts-security.*
# indices) and fires when a single host accumulates alerts that span several
# ATT&CK tactics, i.e. several phases of an attack.
[metadata]
creation_date = "2022/11/16"
maturity = "production"
updated_date = "2024/05/21"

[rule]
author = ["Elastic"]
description = """
This rule uses alert data to determine when multiple alerts in different phases of an attack involving the same host are
triggered. Analysts can use this to prioritize triage and response, as these hosts are more likely to be compromised.
"""
# NOTE(review): the cardinality check below counts distinct tactic IDs, not
# distinct source rules. If one source rule is mapped to three or more tactics,
# a single alert from it appears to satisfy the threshold by itself — this is
# the false-positive case described here. Confirm against the tactic mappings
# of the rules enabled in the deployment before trusting a lone hit.
false_positives = [
"""
False positives can occur because the rules may be mapped to a few MITRE ATT&CK tactics. Use the attached Timeline
to determine which detections were triggered on the host.
""",
]
# Lookback window. With interval = "1h" every run re-scans the previous 24h, so
# consecutive runs overlap by 23h; the wide window is what allows alerts from
# different rules, arriving hours apart on the same host, to be counted together.
from = "now-24h"
# Alert indices, not source event indices — this rule consumes other rules' output.
index = [".alerts-security.*"]
interval = "1h"
language = "kuery"
license = "Elastic License v2"
name = "Multiple Alerts in Different ATT&CK Tactics on a Single Host"
risk_score = 73
rule_id = "b946c2f7-df06-4c00-a5aa-1f6fbc7bb72c"
severity = "high"
tags = ["Use Case: Threat Detection", "Rule Type: Higher-Order Rule"]
# NOTE(review): the time-range query is driven by event.ingested rather than
# @timestamp — presumably to tolerate ingest delay on the alert documents; confirm
# that the alert documents in this stack version actually carry event.ingested.
timestamp_override = "event.ingested"
type = "threshold"
# Both terms are existence checks (`field:*`), so any alert with a rule name and
# at least one ATT&CK tactic mapping is a candidate. The second term drops
# alerts whose source rule has no tactic mapping; this rule defines no
# [[rule.threat]] entries itself, so its own alerts presumably lack the tactic
# field and are not fed back into the count — verify, since a self-feeding loop
# here would inflate every host that already fired once.
# NOTE(review): `signal.rule.name` is the pre-8.x alert field name while the
# second term uses the `kibana.alert.*` namespace; this relies on the alerts
# index exposing both names (alias or copy). Confirm for the target stack version.
query = '''
signal.rule.name:* and kibana.alert.rule.threat.tactic.id:*
'''

# Group the matching alerts by host. `value = 1` means a single matching alert
# per host.id is enough for grouping; the real selectivity comes from the
# cardinality condition below, not from the alert count.
[rule.threshold]
field = ["host.id"]
value = 1

# ...and only report a host whose alerts together cover at least 3 distinct
# tactic IDs. Lowering this widens coverage but increases noise (see the
# false_positives note); raising it delays detection until later attack phases
# have already been observed on the host.
[[rule.threshold.cardinality]]
field = "kibana.alert.rule.threat.tactic.id"
value = 3