
[New Rule] Multiple MITRE tactics detected on a host #1755

Closed
wants to merge 3 commits into from

Conversation

SHolzhauer (Contributor)

Issues: #1597

Summary

Based on the issue by Aarju

A threshold rule that looks for a unique count of more than 2 different kibana.alert.rule.threat.tactic.name values for a single host.name in the last 24h and generates a critical alert when they are observed. This could be an indicator of an ongoing attack impacting multiple parts of the kill chain.

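The rule logic described in the summary above, as an added Python example (not code from this PR or from the detection-rules project): alerts from the last 24h are grouped by host.name, the tactic names are de-duplicated (a rule mapped to several tactics yields a list in the field, a single mapping yields a string), and a host is reported when it has more than two distinct tactics. The alert documents, host names and timestamps are constructed for the example.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample alerts, flattened the way they would appear in the alerts
# index. srv-02 has three tactics overall, but one lies outside the 24h window.
SAMPLE_ALERTS = [
    {"@timestamp": "2022-02-04T10:00:00Z", "host.name": "ws-01",
     "kibana.alert.rule.threat.tactic.name": "Initial Access"},
    {"@timestamp": "2022-02-04T11:30:00Z", "host.name": "ws-01",
     "kibana.alert.rule.threat.tactic.name": ["Execution", "Persistence"]},
    {"@timestamp": "2022-02-04T12:15:00Z", "host.name": "ws-01",
     "kibana.alert.rule.threat.tactic.name": "Execution"},
    {"@timestamp": "2022-02-04T12:20:00Z", "host.name": "srv-02",
     "kibana.alert.rule.threat.tactic.name": "Credential Access"},
    {"@timestamp": "2022-02-04T12:25:00Z", "host.name": "srv-02",
     "kibana.alert.rule.threat.tactic.name": "Credential Access"},
    {"@timestamp": "2022-02-02T09:00:00Z", "host.name": "srv-02",
     "kibana.alert.rule.threat.tactic.name": "Lateral Movement"},
    {"@timestamp": "2022-02-04T12:30:00Z", "host.name": "srv-02",
     "kibana.alert.rule.threat.tactic.name": "Discovery"},
]

# Constructed evaluation time for the sample above.
SAMPLE_NOW = datetime(2022, 2, 4, 13, 0, tzinfo=timezone.utc)


def _parse_ts(value):
    """Parse an ISO 8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def multi_tactic_hosts(alerts, now, window=timedelta(hours=24), threshold=2):
    """Emulate the threshold rule: keep alerts inside the lookback window,
    group them by host.name and return the hosts whose number of distinct
    tactic names exceeds `threshold` (more than 2 by default)."""
    cutoff = now - window
    tactics_by_host = {}
    for alert in alerts:
        if _parse_ts(alert["@timestamp"]) < cutoff:
            continue  # older than the rule's lookback, not counted
        names = alert.get("kibana.alert.rule.threat.tactic.name")
        if names is None:
            continue  # source rule carries no ATT&CK mapping, nothing to count
        if isinstance(names, str):
            names = [names]
        tactics_by_host.setdefault(alert["host.name"], set()).update(names)
    return {host: sorted(tactics) for host, tactics in tactics_by_host.items()
            if len(tactics) > threshold}
```

Running it on the sample reports only ws-01 (Execution, Initial Access, Persistence); srv-02 stays at two tactics once the two-day-old Lateral Movement alert falls outside the window.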

brokensound77 (Contributor) commented Feb 4, 2022

Thanks for this PR @SHolzhauer. After chatting with the rest of the team, there are some considerations we still need to take into account to ensure that any alert built on existing alerts acts as expected (space awareness, permissions, aliasing, etc.). You can reference the kibana issue elastic/kibana/issues/124756.

In the meantime I am going to drop this to a draft PR and add the blocked label.

@brokensound77 brokensound77 marked this pull request as draft February 4, 2022 21:34
@brokensound77 brokensound77 added the Rule: New (Proposal for new rule) label Feb 11, 2022

botelastic bot commented Apr 12, 2022

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@botelastic botelastic bot added the stale (60 days of inactivity) label Apr 12, 2022
@w0rk3r w0rk3r removed the stale (60 days of inactivity) label Apr 12, 2022

botelastic bot commented Jun 11, 2022

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@botelastic botelastic bot added the stale (60 days of inactivity) label Jun 11, 2022

botelastic bot commented Jun 18, 2022

This has been closed due to inactivity. If you feel this is an error, please re-open and include a justifying comment.

@botelastic botelastic bot closed this Jun 18, 2022

Labels: backport: auto, blocked, Rule: New (Proposal for new rule), stale (60 days of inactivity)