# Repository metadata for the detection-rules tooling; not part of the rule logic.
[metadata]
creation_date = "2022/11/16"
# Maturity tier used by the detection-rules repo; "production" is the released tier.
maturity = "production"
# Bump whenever the [rule] body (query, threshold, scoring) changes.
updated_date = "2024/05/21"
# Higher-order rule: it reads already-generated security alerts (not raw events) and
# fires when one user.name accumulates alerts from several distinct rules in 24h.
[rule]
author = ["Elastic"]
description = """
This rule uses alert data to determine when multiple different alerts involving the same user are triggered. Analysts
can use this to prioritize triage and response, as these users are more likely to be compromised.
"""
false_positives = [
"""
False positives can occur with Generic built-in accounts, such as Administrator, admin, etc. if they are widespread
used in your environment. As a best practice, they shouldn't be used in day-to-day tasks, as it prevents the ability
to quickly identify and contact the account owner to find out if an alert is a planned activity, regular business
activity, or an upcoming incident.
""",
]
# 24h lookback with a 1h interval: consecutive runs overlap by 23h, so a user who has met
# the threshold can satisfy it again on every hourly run until the alerts age out.
# NOTE(review): confirm how threshold alerts are deduplicated across runs before relying
# on "one alert per user".
from = "now-24h"
# Source is the alerts indices. Every document matching the query counts, including alerts
# produced by other higher-order rules and, presumably, this rule's own earlier alerts (the
# query does not exclude them) — verify whether that inflates the distinct-rule count.
index = [".alerts-security.*"]
interval = "1h"
language = "kuery"
license = "Elastic License v2"
name = "Multiple Alerts Involving a User"
risk_score = 73
rule_id = "0d160033-fab7-4e72-85a3-3a9d80c8bff7"
severity = "high"
tags = ["Use Case: Threat Detection", "Rule Type: Higher-Order Rule"]
# Window the search on ingest time rather than @timestamp so that alerts ingested late are
# not dropped from the lookback.
timestamp_override = "event.ingested"
# Threshold rule: the grouping field and the "distinct rules" condition live in
# [rule.threshold] / [[rule.threshold.cardinality]].
type = "threshold"
# Excluded user.id values are the Windows well-known SIDs for LocalSystem (S-1-5-18),
# LocalService (S-1-5-19) and NetworkService (S-1-5-20), which routinely trip many rules.
# There is no equivalent exclusion for non-Windows service accounts (e.g. root, user.id "0"),
# so those may need environment-specific tuning. Note the filter is on user.id while the
# threshold groups on user.name: alerts lacking user.id still count, and the same bare
# user.name on different hosts or domains is pooled together (see false_positives).
# NOTE(review): signal.* are the legacy alert field names; confirm they remain mapped
# (aliased) in the .alerts-security.* indices this rule targets.
query = '''
signal.rule.name:* and user.name:* and not user.id:("S-1-5-18" or "S-1-5-19" or "S-1-5-20")
'''
[rule.threshold]
# Group alerts by the bare account name only — no user.domain or host.name — so identical
# names across hosts/domains are aggregated into one bucket. Generic names such as
# Administrator therefore inflate the count (see false_positives in [rule]).
field = ["user.name"]
# Minimum alert documents per user.name. At 1 the document count is never the gate;
# the cardinality condition below is what actually decides whether the rule fires.
value = 1
[[rule.threshold.cardinality]]
# Require alerts from at least 5 distinct rules for the same user.name within the 24h
# lookback. Repeated hits of a single rule do not count towards this; alerts without a
# signal.rule.rule_id value cannot be counted either.
field = "signal.rule.rule_id"
value = 5