Multiple Alerts in Different ATT&CK Tactics on a Single Host
This rule uses alert data to determine when multiple alerts in different phases of an attack involving the same host are triggered. Analysts can use this to prioritize triage and response, as these hosts are more likely to be compromised.
Elastic rule
[metadata]
creation_date = "2022/11/16"
maturity = "production"
updated_date = "2024/05/21"

[rule]
author = ["Elastic"]
description = """
This rule uses alert data to determine when multiple alerts in different phases of an attack involving the same host are
triggered. Analysts can use this to prioritize triage and response, as these hosts are more likely to be compromised.
"""
false_positives = [
    """
    False positives can occur because the rules may be mapped to a few MITRE ATT&CK tactics. Use the attached Timeline
    to determine which detections were triggered on the host.
    """,
]
from = "now-24h"
index = [".alerts-security.*"]
interval = "1h"
language = "kuery"
license = "Elastic License v2"
name = "Multiple Alerts in Different ATT&CK Tactics on a Single Host"
risk_score = 73
rule_id = "b946c2f7-df06-4c00-a5aa-1f6fbc7bb72c"
severity = "high"
tags = ["Use Case: Threat Detection", "Rule Type: Higher-Order Rule"]
timestamp_override = "event.ingested"
type = "threshold"

query = '''
signal.rule.name:* and kibana.alert.rule.threat.tactic.id:*
'''

[rule.threshold]
field = ["host.id"]
value = 1
[[rule.threshold.cardinality]]
field = "kibana.alert.rule.threat.tactic.id"
value = 3
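The threshold section above is the whole logic of the rule: within the 24-hour lookback, alerts are grouped by host.id, and a host only fires when the distinct count of kibana.alert.rule.threat.tactic.id across its alerts reaches 3. The following Python is an added illustration of that evaluation, written for this page and not Elastic's rule engine; it runs the same grouping, cardinality and KQL-style field-existence filter over a constructed set of alert documents (the host names, rule names and timestamps are assumed sample values). It also shows the false positive the rule notes: a single alert from a rule mapped to three tactics satisfies the cardinality check on its own, because the cardinality aggregation counts every value of a multi-valued field.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed evaluation time for the constructed sample below (the moment the
# scheduled rule run happens; the rule looks back from here by `from = now-24h`).
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)


def alert(host, rule_name, tactics, hours_ago):
    """Build one constructed alert document with only the fields the rule reads."""
    return {
        "host.id": host,
        "signal.rule.name": rule_name,
        "kibana.alert.rule.threat.tactic.id": tactics,
        "event.ingested": NOW - timedelta(hours=hours_ago),  # timestamp_override
    }


# Constructed sample alerts (not real detections). Tactic ids are the ATT&CK
# tactic identifiers a source rule is mapped to.
SAMPLE_ALERTS = [
    # host-a: three alerts in three tactics inside the window -> fires
    alert("host-a", "Sample Initial Access Rule", ["TA0001"], 20),
    alert("host-a", "Sample Execution Rule", ["TA0002"], 5),
    alert("host-a", "Sample Persistence Rule", ["TA0003"], 1),
    # host-b: four alerts, all Discovery -> many alerts, one tactic, no fire
    alert("host-b", "Sample Discovery Rule", ["TA0007"], 6),
    alert("host-b", "Sample Discovery Rule", ["TA0007"], 4),
    alert("host-b", "Sample Discovery Rule", ["TA0007"], 3),
    alert("host-b", "Sample Discovery Rule", ["TA0007"], 2),
    # host-c: three tactics, but the oldest alert is outside the 24h lookback
    alert("host-c", "Sample Initial Access Rule", ["TA0001"], 30),
    alert("host-c", "Sample Execution Rule", ["TA0002"], 2),
    alert("host-c", "Sample Persistence Rule", ["TA0003"], 1),
    # host-d: one alert has no tactic mapping and is dropped by the KQL query
    {"host.id": "host-d", "signal.rule.name": "Sample Unmapped Rule",
     "event.ingested": NOW - timedelta(hours=1)},
    alert("host-d", "Sample Execution Rule", ["TA0002"], 2),
    alert("host-d", "Sample Persistence Rule", ["TA0003"], 1),
    # host-e: a single alert whose source rule maps three tactics -> fires
    # (this is the false positive the rule's false_positives note describes)
    alert("host-e", "Sample Broadly Mapped Rule", ["TA0005", "TA0006", "TA0040"], 2),
]


def tactic_ids(doc):
    """Normalise the tactic field: Elasticsearch fields may be scalar or array."""
    value = doc.get("kibana.alert.rule.threat.tactic.id")
    if value is None:
        return []
    if isinstance(value, str):
        return [value]
    return [v for v in value if v]


def matches_query(doc):
    """KQL `signal.rule.name:* and kibana.alert.rule.threat.tactic.id:*`:
    both fields must exist with a non-empty value."""
    return bool(doc.get("signal.rule.name")) and bool(tactic_ids(doc))


def evaluate_rule(alerts, now=NOW, lookback=timedelta(hours=24),
                  min_alerts=1, min_tactics=3):
    """Replicate the threshold section: group by host.id, require at least
    `min_alerts` matching documents and `min_tactics` distinct tactic ids.
    Returns {host.id: sorted distinct tactic ids} for hosts that fire."""
    start = now - lookback
    doc_count = defaultdict(int)
    tactics_seen = defaultdict(set)
    for doc in alerts:
        ts = doc.get("event.ingested")
        if ts is None or not (start <= ts <= now):
            continue  # outside the lookback window
        if not matches_query(doc):
            continue  # filtered out by the KQL query
        host = doc.get("host.id")
        if not host:
            continue  # threshold field absent: no bucket for this document
        doc_count[host] += 1
        tactics_seen[host].update(tactic_ids(doc))
    return {
        host: sorted(tactics_seen[host])
        for host in doc_count
        if doc_count[host] >= min_alerts and len(tactics_seen[host]) >= min_tactics
    }


if __name__ == "__main__":
    for host, tactics in evaluate_rule(SAMPLE_ALERTS).items():
        print(f"{host}: {len(tactics)} tactics -> {tactics}")
```

Lowering `min_tactics` to 2 in this model makes host-c and host-d fire as well, which is a quick way to see how much of the rule's precision comes from the cardinality value rather than from the alert count; host-b never fires at any setting because all of its alerts share one tactic.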
Related rules
- Multiple Alerts Involving a User
- Potential Buffer Overflow Attack Detected
- Unusual Discovery Signal Alert with Unusual Process Command Line
- Unusual Discovery Signal Alert with Unusual Process Executable
- AWS Credentials Searched For Inside A Container