[New Rule] Multiple Alerts Involving a User (#2401)

* [New Rule] Multiple Alerts Involving a User

* Update definitions.py

* update query

* Update multiple_alerts_involving_user.toml

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Jonhnathan
2023-01-03 07:25:40 -08:00
committed by GitHub
parent be884a1cf3
commit 0acbe1d832
2 changed files with 48 additions and 0 deletions
+1
@@ -49,6 +49,7 @@ TIMELINE_TEMPLATES: Final[dict] = {
'e70679c2-6cde-4510-9764-4823df18f7db': 'Comprehensive Process Timeline',
'300afc76-072d-4261-864d-4149714bf3f1': 'Comprehensive Network Timeline',
'3e47ef71-ebfc-4520-975c-cb27fc090799': 'Comprehensive Registry Timeline',
'3e827bab-838a-469f-bd1e-5e19a2bff2fd': 'Alerts Involving a Single User Timeline',
'4434b91a-94ca-4a89-83cb-a37cdc0532b7': 'Alerts Involving a Single Host Timeline'
}
@@ -0,0 +1,47 @@
[metadata]
creation_date = "2022/11/16"
maturity = "production"
updated_date = "2023/01/03"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
[rule]
author = ["Elastic"]
description = """
This rule uses alert data to determine when multiple different alerts involving the same user are triggered. Analysts
can use this to prioritize triage and response, as these users are more likely to be compromised.
"""
false_positives = [
"""
False positives can occur with Generic built-in accounts, such as Administrator, admin, etc. if they are widespread
used in your environment. As a best practice, they shouldn't be used in day-to-day tasks, as it prevents the ability
to quickly identify and contact the account owner to find out if an alert is a planned activity, regular business
activity, or an upcoming incident.
""",
]
from = "now-24h"
interval = "1h"
index = [".alerts-security.*"]
language = "kuery"
license = "Elastic License v2"
name = "Multiple Alerts Involving a User"
risk_score = 73
rule_id = "0d160033-fab7-4e72-85a3-3a9d80c8bff7"
severity = "high"
tags = ["Elastic", "Threat Detection", "Higher-Order Rules"]
timeline_id = "3e827bab-838a-469f-bd1e-5e19a2bff2fd"
timeline_title = "Alerts Involving a Single User Timeline"
timestamp_override = "event.ingested"
type = "threshold"
query = '''
signal.rule.name:* and user.name:* and not user.id:("S-1-5-18" or "S-1-5-19" or "S-1-5-20")
'''
[rule.threshold]
field = ["user.name"]
value = 1
[[rule.threshold.cardinality]]
field = "signal.rule.rule_id"
value = 5
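Review bot: The query at the top of the hunk (`signal.rule.name:* and user.name:*`) will also match the alerts this rule itself writes into `.alerts-security.*`; if those threshold alerts carry the grouped `user.name`, the rule feeds its own next run and counts as one of the five distinct `signal.rule.rule_id` values. I would exclude it explicitly: `signal.rule.name:* and user.name:* and not signal.rule.rule_id:"0d160033-fab7-4e72-85a3-3a9d80c8bff7" and not user.id:("S-1-5-18" or "S-1-5-19" or "S-1-5-20")`. The `user.id` exclusion only covers the three Windows service SIDs, and grouping by `user.name` alone merges same-named local accounts (e.g. `Administrator`) across every host, which is exactly what the `false_positives` text warns about — if per-host aggregation is intended, add `host.id` to the threshold `field` list. The alert indices on 8.x stacks expose, as far as I recall, both the legacy `signal.*` fields and the `kibana.alert.rule.*` names, so pinning `min_stack_version` to 8.3.0 while querying `signal.*` relies on the legacy aliases staying in place; a comment above `query` such as `# signal.* are the legacy alert-field aliases; switch to kibana.alert.rule.* once the minimum stack guarantees them` would record that choice for the next maintainer.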