[New Rule] Multiple MITRE tactics detected on a host

etc/non-ecs-schema.json

@@ -14,7 +14,7 @@
         "AllowedToDelegateTo": "keyword",
         "AttributeLDAPDisplayName": "keyword",
         "AttributeValue": "keyword",
-        "CallerProcessName": "keyword", 
+        "CallerProcessName": "keyword",
         "CallTrace": "keyword",
         "GrantedAccess": "keyword",
         "ObjectDN": "keyword",
@@ -45,5 +45,9 @@
   },
   "logs-windows.*": {
     "powershell.file.script_block_text": "text"
+  },
+  ".siem-signals-*": {
+    "signal.rule.name": "keyword",
+    "kibana.alert.rule.threat.tactic.name": "keyword"
   }
 }

rules/cross-platform/initial_access_multiple_mitre_tactics.toml

@@ -0,0 +1,34 @@
+[metadata]
+creation_date = "2022/02/03"
+maturity = "production"
+updated_date = "2022/02/03"
+
+[rule]
+author = ["Elastic", "Stijn Holzhauer", "Aaron Jewitt"]
+description = """
+A Threshold rule that looks for unique count of more than 2 different kibana.alert.rule.threat.tactic.name values for a single host.name in the last 24h and generates a critical alert when they are observed. This could be an indicator of an ongoing attack impacting multiple parts of the kill chain.
+"""
+from = "now-24h"
+interval = "1h"
+index = [".siem-signals-*"]
+language = "kuery"
+license = "Elastic License v2"
+max_signals = 100
+name = "Multiple MITRE tactics detected for a host"
+risk_score = 99
+rule_id = "cad80d23-7890-4c52-8a73-4db47f63e659"
+severity = "high"
+tags = ["Elastic", "Host", "Linux", "macOS"]
+timestamp_override = "event.ingested"
+type = "threshold"
+
+query = '''
+signal.rule.name:* and kibana.alert.rule.threat.tactic.name:*
+'''
+[rule.threshold]
+field = ["host.name"]
+value = 1
+
+[[rule.threshold.cardinality]]
+field = "kibana.alert.rule.threat.tactic.name"
+value = 3