
[New Rule] Multiple Alerts in Different ATT&CK Tactics on a Single Host #2399

Merged (4 commits), Nov 18, 2022

Conversation

@w0rk3r (Contributor) commented Nov 16, 2022

Issues

Resolves #1597

Summary

This rule uses alert data to determine when multiple alerts in different phases of an attack involving the same host are
triggered. Analysts can use this to prioritize triage and response, as these hosts are more likely to be compromised.
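As an added illustration, and not code from the detection-rules project or the contents of the rule file named in the commits below, here is the threshold logic the summary describes, written out over a handful of constructed alert documents. The field names `host.id` and `kibana.alert.rule.threat.tactic.id`, the 24-hour window (taken from the linked issue title) and the three-tactic threshold are assumptions; the real rule's query, threshold field and cardinality value live in its `.toml` file, which is not shown on this page. The check goes slightly beyond the summary: it evaluates a sliding window per host so an old alert does not inflate the count indefinitely, and it tolerates alerts mapped to several tactics or to none.

```python
"""Toy "multiple ATT&CK tactics on one host" threshold check over alert documents.

Added example: not the detection-rules project's code, and not the query or
threshold settings of the rule file referenced in the pull request.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed field names, modelled on the Elastic alert schema (an assumption here).
HOST_FIELD = "host.id"
TACTIC_FIELD = "kibana.alert.rule.threat.tactic.id"

# Constructed sample alerts, not real telemetry.
# TA0001 Initial Access, TA0002 Execution, TA0003 Persistence,
# TA0004 Privilege Escalation, TA0005 Defense Evasion.
SAMPLE_ALERTS = [
    {"@timestamp": "2022-11-16T08:00:00Z", HOST_FIELD: "h-01", TACTIC_FIELD: "TA0001"},
    {"@timestamp": "2022-11-16T08:05:00Z", HOST_FIELD: "h-01", TACTIC_FIELD: "TA0002"},
    {"@timestamp": "2022-11-16T08:07:00Z", HOST_FIELD: "h-01", TACTIC_FIELD: "TA0002"},  # same tactic twice
    {"@timestamp": "2022-11-16T09:30:00Z", HOST_FIELD: "h-01", TACTIC_FIELD: "TA0004"},
    # Noisy host: many alerts, one tactic. Volume alone must not trigger.
    {"@timestamp": "2022-11-16T08:00:00Z", HOST_FIELD: "h-02", TACTIC_FIELD: "TA0002"},
    {"@timestamp": "2022-11-16T08:10:00Z", HOST_FIELD: "h-02", TACTIC_FIELD: "TA0002"},
    {"@timestamp": "2022-11-16T08:20:00Z", HOST_FIELD: "h-02", TACTIC_FIELD: "TA0002"},
    # Third tactic is two days old, outside a 24h window.
    {"@timestamp": "2022-11-14T08:00:00Z", HOST_FIELD: "h-03", TACTIC_FIELD: "TA0001"},
    {"@timestamp": "2022-11-16T08:00:00Z", HOST_FIELD: "h-03", TACTIC_FIELD: "TA0002"},
    {"@timestamp": "2022-11-16T08:05:00Z", HOST_FIELD: "h-03", TACTIC_FIELD: "TA0004"},
    # Alert from a rule with no tactic mapping: nothing to correlate on.
    {"@timestamp": "2022-11-16T08:30:00Z", HOST_FIELD: "h-04", TACTIC_FIELD: "TA0001"},
    {"@timestamp": "2022-11-16T08:31:00Z", HOST_FIELD: "h-04"},
    # A rule mapped to two tactics contributes both.
    {"@timestamp": "2022-11-16T08:00:00Z", HOST_FIELD: "h-05", TACTIC_FIELD: ["TA0003", "TA0005"]},
    {"@timestamp": "2022-11-16T08:02:00Z", HOST_FIELD: "h-05", TACTIC_FIELD: "TA0002"},
]


def parse_ts(value):
    """Parse the '@timestamp' format used in the sample (trailing 'Z' = UTC)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def tactic_ids(alert):
    """Tactic ids on an alert as a list: absent -> [], scalar -> [x], array -> list."""
    value = alert.get(TACTIC_FIELD)
    if value is None:
        return []
    return [value] if isinstance(value, str) else [v for v in value if v]


def hosts_with_multiple_tactics(alerts, min_tactics=3, window_hours=24):
    """Return {host: sorted tactic ids} for hosts whose alerts cover at least
    `min_tactics` distinct tactics within some `window_hours`-long span.

    Every alert is taken as the end of a candidate window and the distinct
    tactics of the alerts in the preceding window are counted; the largest
    set found for the host is reported if it meets the threshold.
    """
    window = timedelta(hours=window_hours)
    by_host = defaultdict(list)
    for alert in alerts:
        host = alert.get(HOST_FIELD)
        tactics = tactic_ids(alert)
        if not host or not tactics:
            continue  # no host or no tactic: cannot contribute to the count
        by_host[host].append((parse_ts(alert["@timestamp"]), tactics))

    hits = {}
    for host, events in by_host.items():
        events.sort(key=lambda e: e[0])
        best = set()
        for i, (end_ts, _) in enumerate(events):
            start_ts = end_ts - window
            seen = set()
            for ts, tactics in events[: i + 1]:
                if ts >= start_ts:
                    seen.update(tactics)
            if len(seen) > len(best):
                best = seen
        if len(best) >= min_tactics:
            hits[host] = sorted(best)
    return hits


if __name__ == "__main__":
    for host, tactics in hosts_with_multiple_tactics(SAMPLE_ALERTS).items():
        print(f"{host}: {len(tactics)} distinct tactics {tactics}")
```

With the sample data only h-01 and h-05 cross the three-tactic line; h-02 shows why a plain alert count is the wrong signal, h-03 shows the window cutting off a stale alert, and h-04 shows an unmapped alert being ignored rather than miscounted. Lowering `min_tactics` or widening `window_hours` changes which hosts qualify, which is the tuning trade-off an analyst makes when adjusting a rule of this kind.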

@botelastic botelastic bot added python Internal python for the repository schema labels Nov 16, 2022
@brokensound77 (Contributor) left a comment

LGTM but we should wait until the timeline template is merged

@w0rk3r w0rk3r merged commit a7caa4b into main Nov 18, 2022
@w0rk3r w0rk3r deleted the tactics_threshold branch November 18, 2022 20:38
protectionsmachine pushed a commit that referenced this pull request Nov 18, 2022
…st (#2399)

* [New Rule] Multiple Alerts in Different ATT&CK Tactics on a Single Host

* Update definitions.py

* Update rules/cross-platform/multiple_alerts_different_tactics_host.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit a7caa4b)
Labels
backport: auto Domain: Endpoint python Internal python for the repository Rule: New Proposal for new rule schema
Development

Successfully merging this pull request may close these issues.

[New Rule] Threshold rule to detect multiple different Mitre Tactics on the same host in the last 24h
3 participants