Multiple Alerts in Different ATT&CK Tactics on a Single Host
This rule uses alert data to determine when multiple alerts in different phases of an attack involving the same host are triggered. Analysts can use this to prioritize triage and response, as these hosts are more likely to be compromised.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2022/11/16"
3maturity = "production"
4updated_date = "2023/06/22"
5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
6min_stack_version = "8.3.0"
7
8[rule]
9author = ["Elastic"]
10description = """
11This rule uses alert data to determine when multiple alerts in different phases of an attack involving the same host are
12triggered. Analysts can use this to prioritize triage and response, as these hosts are more likely to be compromised.
13"""
14false_positives = [
15 """
16 False positives can occur because the rules may be mapped to a few MITRE ATT&CK tactics. Use the attached Timeline
17 to determine which detections were triggered on the host.
18 """,
19]
20from = "now-24h"
21interval = "1h"
22index = [".alerts-security.*"]
23language = "kuery"
24license = "Elastic License v2"
25name = "Multiple Alerts in Different ATT&CK Tactics on a Single Host"
26risk_score = 73
27rule_id = "b946c2f7-df06-4c00-a5aa-1f6fbc7bb72c"
28severity = "high"
29tags = ["Use Case: Threat Detection", "Rule Type: Higher-Order Rule"]
30timestamp_override = "event.ingested"
31type = "threshold"
32
33query = '''
34signal.rule.name:* and kibana.alert.rule.threat.tactic.id:*
35'''
36
37[rule.threshold]
38field = ["host.id"]
39value = 1
40
41[[rule.threshold.cardinality]]
42field = "kibana.alert.rule.threat.tactic.id"
43value = 3
Related rules
- Multiple Alerts Involving a User
- Agent Spoofing - Mismatched Agent ID
- Agent Spoofing - Multiple Hosts Using Same Agent
- Container Management Utility Run Inside A Container
- CyberArk Privileged Access Security Error