diff --git a/etc/non-ecs-schema.json b/etc/non-ecs-schema.json
index 801686f9027..cf5871c3a1b 100644
--- a/etc/non-ecs-schema.json
+++ b/etc/non-ecs-schema.json
@@ -14,7 +14,7 @@
 "AllowedToDelegateTo": "keyword",
 "AttributeLDAPDisplayName": "keyword",
 "AttributeValue": "keyword",
- "CallerProcessName": "keyword",
+ "CallerProcessName": "keyword",
 "CallTrace": "keyword",
 "GrantedAccess": "keyword",
 "ObjectDN": "keyword",
@@ -45,5 +45,9 @@
 },
 "logs-windows.*": {
 "powershell.file.script_block_text": "text"
+ },
+ ".siem-signals-*": {
+ "signal.rule.name": "keyword",
+ "kibana.alert.rule.threat.tactic.name": "keyword"
 }
 }
diff --git a/rules/cross-platform/initial_access_multiple_mitre_tactics.toml b/rules/cross-platform/initial_access_multiple_mitre_tactics.toml
new file mode 100644
index 00000000000..91aa80ce32e
--- /dev/null
+++ b/rules/cross-platform/initial_access_multiple_mitre_tactics.toml
@@ -0,0 +1,34 @@
+[metadata]
+creation_date = "2022/02/03"
+maturity = "production"
+updated_date = "2022/02/03"
+
+[rule]
+author = ["Elastic", "Stijn Holzhauer", "Aaron Jewitt"]
+description = """
+A Threshold rule that looks for unique count of more than 2 different kibana.alert.rule.threat.tactic.name values for a single host.name in the last 24h and generates a critical alert when they are observed. This could be an indicator of an ongoing attack impacting multiple parts of the kill chain.
+"""
+from = "now-24h"
+interval = "1h"
+index = [".siem-signals-*"]
+language = "kuery"
+license = "Elastic License v2"
+max_signals = 100
+name = "Multiple MITRE tactics detected for a host"
+risk_score = 99
+rule_id = "cad80d23-7890-4c52-8a73-4db47f63e659"
+severity = "high"
+tags = ["Elastic", "Host", "Linux", "macOS"]
+timestamp_override = "event.ingested"
+type = "threshold"
+
+query = '''
+signal.rule.name:* and kibana.alert.rule.threat.tactic.name:*
+'''
+[rule.threshold]
+field = ["host.name"]
+value = 1
+
+[[rule.threshold.cardinality]]
+field = "kibana.alert.rule.threat.tactic.name"
+value = 3
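Review bot: `severity = "high"` disagrees with `risk_score = 99` and with the description, which says the rule "generates a critical alert"; one of the three should change, e.g. `severity = "critical"` if the score of 99 is the intended one. The query `signal.rule.name:* and kibana.alert.rule.threat.tactic.name:*` requires both the legacy `signal.*` namespace and the 8.x `kibana.alert.*` namespace on the same alert document, so on a stack where `signal.*` is not kept as a field alias the rule would match nothing; if the first clause is only an existence check, `kibana.alert.rule.name:*` is presumably the equivalent on new-format alerts — worth confirming against the target Kibana version. Because `from = "now-24h"` is re-evaluated every `interval = "1h"`, a host that crosses the cardinality threshold may keep producing an alert on each run for up to a day unless threshold de-duplication covers it; a comment above `from` stating that this repetition is intended would help the next maintainer. The tags list `Linux` and `macOS` only, although the rule lives under rules/cross-platform and `.siem-signals-*` carries alerts from every platform, so `Windows` looks missing from `tags` unless that exclusion was deliberate.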