[New Rule] Multiple Alerts in Different ATT&CK Tactics on a Single Ho…

…st (#2399) * [New Rule] Multiple Alerts in Different ATT&CK Tactics on a Single Host * Update definitions.py * Update rules/cross-platform/multiple_alerts_different_tactics_host.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> (cherry picked from commit a7caa4b)
elastic · Nov 18, 2022 · 8641dab · 8641dab
1 parent cca65d1
commit 8641dab
Show file tree

Hide file tree

Showing 3 changed files with 51 additions and 1 deletion.
diff --git a/detection_rules/etc/non-ecs-schema.json b/detection_rules/etc/non-ecs-schema.json
@@ -99,5 +99,9 @@
     "kubernetes.audit.responseStatus.reason": "keyword",
     "kubernetes.audit.requestObject.spec.containers.securityContext.capabilities.add": "keyword", 
     "kubernetes.audit.requestObject.spec.containers.image": "text"
+  },
+  ".alerts-*": {
+    "signal.rule.name": "keyword",
+    "kibana.alert.rule.threat.tactic.id": "keyword"
   }
 }
diff --git a/detection_rules/schemas/definitions.py b/detection_rules/schemas/definitions.py
@@ -48,7 +48,8 @@
     '4d4c0b59-ea83-483f-b8c1-8c360ee53c5c': 'Comprehensive File Timeline',
     'e70679c2-6cde-4510-9764-4823df18f7db': 'Comprehensive Process Timeline',
     '300afc76-072d-4261-864d-4149714bf3f1': 'Comprehensive Network Timeline',
-    '3e47ef71-ebfc-4520-975c-cb27fc090799': 'Comprehensive Registry Timeline'
+    '3e47ef71-ebfc-4520-975c-cb27fc090799': 'Comprehensive Registry Timeline',
+    '4434b91a-94ca-4a89-83cb-a37cdc0532b7': 'Alerts Involving a Single Host Timeline'
 }
 
 

diff --git a/rules/cross-platform/multiple_alerts_different_tactics_host.toml b/rules/cross-platform/multiple_alerts_different_tactics_host.toml
@@ -0,0 +1,45 @@
+[metadata]
+creation_date = "2022/11/16"
+maturity = "production"
+updated_date = "2022/11/16"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule uses alert data to determine when multiple alerts in different phases of an attack involving the same host are
+triggered. Analysts can use this to prioritize triage and response, as these hosts are more likely to be compromised.
+"""
+false_positives = [
+    """
+    False positives can occur because the rules may be mapped to a few MITRE ATT&CK tactics. Use the attached Timeline
+    to determine which detections were triggered on the host.
+    """,
+]
+from = "now-24h"
+interval = "1h"
+index = [".alerts-*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Multiple Alerts in Different ATT&CK Tactics on a Single Host"
+risk_score = 73
+rule_id = "b946c2f7-df06-4c00-a5aa-1f6fbc7bb72c"
+severity = "high"
+tags = ["Elastic", "Threat Detection", "Higher-Order Rules"]
+timeline_id = "4434b91a-94ca-4a89-83cb-a37cdc0532b7"
+timeline_title = "Alerts Involving a Single Host Timeline"
+timestamp_override = "event.ingested"
+type = "threshold"
+
+query = '''
+signal.rule.name:* and kibana.alert.rule.threat.tactic.id:*
+'''
+
+[rule.threshold]
+field = ["host.id"]
+value = 1
+
+[[rule.threshold.cardinality]]
+field = "kibana.alert.rule.threat.tactic.id"
+value = 3