[New Rule] Threshold rule to detect multiple different Mitre Tactics on the same host in the last 24h #1597
Comments
A challenge I've run into with this is that several detection rules have 2 different Mitre ATT&CK tactics causing false positives
Within our environment this has worked pretty well. I increased the
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
We've been running this detection rule on our production servers over the last few months and it has worked out really well.
Thanks for letting us know @aarju, I'll work in a PR for this in the next few days
Came across this so created a PR for it; I left MITRE mapping out of this one as it triggers on others, which felt duplicate.
Thanks for submitting the PR @SHolzhauer, the logic in that PR looks good to me.
This has been closed due to inactivity. If you feel this is an error, please re-open and include a justifying comment.
Description
A Threshold rule that looks for a unique count of more than 2 different `kibana.alert.rule.threat.tactic.name` values for a single `host.name` in the last 24h and generates a critical alert when they are observed. This could be an indicator of an ongoing attack impacting multiple parts of the kill chain. This is an example rule I created on my cluster
Required Info
Target indexes
.siem-signals-*
Additional requirements
Detection rules need to be configured with `kibana.alert.rule.threat.tactic.name` as much as possible.
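The detection logic the description asks for, as an added example that is not the issue author's rule or Elastic's own code: alerts are grouped by `host.name`, and a host is flagged when its alerts inside any 24-hour window carry more than 2 distinct `kibana.alert.rule.threat.tactic.name` values. The alert documents and rule names are constructed; one of them is mapped to two tactics so that the false-positive case raised in the comments (a single rule contributing two tactic names) is visible in the result.

```python
from collections import defaultdict
from datetime import datetime, timedelta

TACTIC_FIELD = "kibana.alert.rule.threat.tactic.name"
WINDOW = timedelta(hours=24)
MIN_DISTINCT_TACTICS = 3  # "more than 2" distinct tactics on one host

# Constructed sample alerts shaped like flattened .siem-signals-* documents.
# "New Scheduled Task" is mapped to two tactics, as several rules are.
SAMPLE_ALERTS = [
    {"@timestamp": "2023-05-01T08:00:00Z", "host.name": "web-01",
     "kibana.alert.rule.name": "Suspicious PowerShell", TACTIC_FIELD: ["Execution"]},
    {"@timestamp": "2023-05-01T09:30:00Z", "host.name": "web-01",
     "kibana.alert.rule.name": "New Scheduled Task",
     TACTIC_FIELD: ["Persistence", "Privilege Escalation"]},
    {"@timestamp": "2023-05-01T10:00:00Z", "host.name": "db-01",
     "kibana.alert.rule.name": "Suspicious PowerShell", TACTIC_FIELD: ["Execution"]},
    {"@timestamp": "2023-05-03T10:00:00Z", "host.name": "db-01",
     "kibana.alert.rule.name": "Credential Dumping", TACTIC_FIELD: ["Credential Access"]},
    {"@timestamp": "2023-05-03T11:00:00Z", "host.name": "db-01",
     "kibana.alert.rule.name": "Outbound to Rare Port", TACTIC_FIELD: ["Command and Control"]},
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def tactics_of(alert):
    # The tactic field may be a single string or a list of names.
    value = alert.get(TACTIC_FIELD, [])
    return set([value] if isinstance(value, str) else value)


def find_multi_tactic_hosts(alerts, min_distinct=MIN_DISTINCT_TACTICS, window=WINDOW):
    """Return {host: sorted distinct tactics} for every host whose alerts in
    some window of length `window` carry at least `min_distinct` tactics."""
    by_host = defaultdict(list)
    for alert in alerts:
        by_host[alert["host.name"]].append((parse_ts(alert["@timestamp"]), tactics_of(alert)))
    hits = {}
    for host, events in by_host.items():
        events.sort(key=lambda e: e[0])
        for i, (start, _) in enumerate(events):  # slide a window over each start time
            seen = set()
            for ts, tactics in events[i:]:
                if ts - start > window:
                    break
                seen |= tactics
            if len(seen) >= min_distinct:
                hits[host] = sorted(seen)
                break
    return hits
```

Running it flags only `web-01`: its two alerts yield three tactics because one rule is mapped to two, while `db-01` never reaches three distinct tactics inside a single 24h window.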