Multiple Alerts in Different ATT&CK Tactics on a Single Host

This rule uses alert data to determine when multiple alerts in different phases of an attack involving the same host are triggered. Analysts can use this to prioritize triage and response, as these hosts are more likely to be compromised.

Elastic rule (View on GitHub)

```toml
[metadata]
creation_date = "2022/11/16"
maturity = "production"
updated_date = "2024/05/21"

[rule]
author = ["Elastic"]
description = """
This rule uses alert data to determine when multiple alerts in different phases of an attack involving the same host are
triggered. Analysts can use this to prioritize triage and response, as these hosts are more likely to be compromised.
"""
false_positives = [
    """
    False positives can occur because the rules may be mapped to a few MITRE ATT&CK tactics. Use the attached Timeline
    to determine which detections were triggered on the host.
    """,
]
from = "now-24h"
index = [".alerts-security.*"]
interval = "1h"
language = "kuery"
license = "Elastic License v2"
name = "Multiple Alerts in Different ATT&CK Tactics on a Single Host"
risk_score = 73
rule_id = "b946c2f7-df06-4c00-a5aa-1f6fbc7bb72c"
severity = "high"
tags = ["Use Case: Threat Detection", "Rule Type: Higher-Order Rule"]
timestamp_override = "event.ingested"
type = "threshold"

query = '''
signal.rule.name:* and kibana.alert.rule.threat.tactic.id:*
'''

[rule.threshold]
field = ["host.id"]
value = 1
[[rule.threshold.cardinality]]
field = "kibana.alert.rule.threat.tactic.id"
value = 3
```
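The threshold logic above is easy to misread: `value = 1` on the `host.id` group means any host with at least one matching alert is a candidate, and the `cardinality` clause is what actually does the work by requiring at least 3 distinct `kibana.alert.rule.threat.tactic.id` values on that host inside the `now-24h` lookback. The following Python is an added example (not Elastic's code and not how Kibana executes threshold rules, which run as Elasticsearch aggregations) that emulates that grouping over a handful of constructed alert documents so the firing and non-firing cases can be seen side by side. Field names follow the rule; the sample hosts, rule names and timestamps are invented.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Fixed "now" so the example is deterministic (constructed, not a real run time).
NOW = datetime(2024, 5, 21, 12, 0, tzinfo=timezone.utc)


def _ago(hours):
    return NOW - timedelta(hours=hours)


# Constructed sample alerts, shaped after the fields the rule reads:
# host.id, signal.rule.name, kibana.alert.rule.threat.tactic.id and
# event.ingested (the rule's timestamp_override). Not real alert data.
SAMPLE_ALERTS = [
    # host-A: three distinct tactics inside the 24h window -> should fire
    {"host.id": "host-A", "signal.rule.name": "Constructed Initial Access Rule",
     "kibana.alert.rule.threat.tactic.id": ["TA0001"], "event.ingested": _ago(1)},
    {"host.id": "host-A", "signal.rule.name": "Constructed Execution Rule",
     "kibana.alert.rule.threat.tactic.id": ["TA0002", "TA0003"], "event.ingested": _ago(5)},
    # host-B: several alerts but only two distinct tactics -> should not fire
    {"host.id": "host-B", "signal.rule.name": "Constructed Execution Rule",
     "kibana.alert.rule.threat.tactic.id": ["TA0002"], "event.ingested": _ago(2)},
    {"host.id": "host-B", "signal.rule.name": "Constructed Execution Rule",
     "kibana.alert.rule.threat.tactic.id": ["TA0002"], "event.ingested": _ago(3)},
    {"host.id": "host-B", "signal.rule.name": "Constructed Persistence Rule",
     "kibana.alert.rule.threat.tactic.id": ["TA0003"], "event.ingested": _ago(4)},
    # host-C: third tactic is older than the lookback -> should not fire at 24h
    {"host.id": "host-C", "signal.rule.name": "Constructed Initial Access Rule",
     "kibana.alert.rule.threat.tactic.id": ["TA0001"], "event.ingested": _ago(1)},
    {"host.id": "host-C", "signal.rule.name": "Constructed Execution Rule",
     "kibana.alert.rule.threat.tactic.id": ["TA0002"], "event.ingested": _ago(2)},
    {"host.id": "host-C", "signal.rule.name": "Constructed Privilege Escalation Rule",
     "kibana.alert.rule.threat.tactic.id": ["TA0004"], "event.ingested": _ago(30)},
    # alert with no tactic mapping: excluded by `kibana.alert.rule.threat.tactic.id:*`
    {"host.id": "host-B", "signal.rule.name": "Constructed Unmapped Rule",
     "kibana.alert.rule.threat.tactic.id": None, "event.ingested": _ago(1)},
]


def hosts_with_multiple_tactics(alerts, now=NOW, lookback=timedelta(hours=24),
                                min_alerts=1, min_tactics=3):
    """Emulate the threshold rule: group matching alerts by host.id and return
    the hosts that have at least `min_alerts` alerts and at least `min_tactics`
    distinct ATT&CK tactic ids within the lookback window, mapped to the sorted
    tactic ids that were seen. Defaults mirror the rule's threshold settings."""
    per_host_alerts = defaultdict(int)
    per_host_tactics = defaultdict(set)
    window_start = now - lookback

    for alert in alerts:
        # `signal.rule.name:* and kibana.alert.rule.threat.tactic.id:*` only
        # matches documents where both fields exist and are non-empty.
        name = alert.get("signal.rule.name")
        tactic_ids = alert.get("kibana.alert.rule.threat.tactic.id")
        host = alert.get("host.id")
        ingested = alert.get("event.ingested")
        if not name or not tactic_ids or host is None or ingested is None:
            continue
        # Only alerts ingested inside the `from = "now-24h"` window count.
        if ingested < window_start or ingested > now:
            continue
        # The tactic field is multi-valued; normalise a single string to a list.
        if isinstance(tactic_ids, str):
            tactic_ids = [tactic_ids]
        per_host_alerts[host] += 1
        per_host_tactics[host].update(tactic_ids)

    return {
        host: sorted(tactics)
        for host, tactics in per_host_tactics.items()
        if per_host_alerts[host] >= min_alerts and len(tactics) >= min_tactics
    }


if __name__ == "__main__":
    for host, tactics in hosts_with_multiple_tactics(SAMPLE_ALERTS).items():
        print(f"{host}: {len(tactics)} distinct tactics {tactics}")
```

Running it lists only host-A. host-B shows why the cardinality clause matters: it has more alerts than host-A, but they repeat the same tactic. host-C shows the effect of the lookback, and widening it (for example `lookback=timedelta(hours=48)`) pulls that host in as well, which is the knob to consider when tuning the rule for slow-moving intrusions at the cost of more noise.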
