diff --git a/detection_rules/schemas/definitions.py b/detection_rules/schemas/definitions.py
index 20c8d67ac..fb4bb0c86 100644
--- a/detection_rules/schemas/definitions.py
+++ b/detection_rules/schemas/definitions.py
@@ -49,6 +49,7 @@ TIMELINE_TEMPLATES: Final[dict] = {
     'e70679c2-6cde-4510-9764-4823df18f7db': 'Comprehensive Process Timeline',
     '300afc76-072d-4261-864d-4149714bf3f1': 'Comprehensive Network Timeline',
     '3e47ef71-ebfc-4520-975c-cb27fc090799': 'Comprehensive Registry Timeline',
+    '3e827bab-838a-469f-bd1e-5e19a2bff2fd': 'Alerts Involving a Single User Timeline',
     '4434b91a-94ca-4a89-83cb-a37cdc0532b7': 'Alerts Involving a Single Host Timeline'
 }
diff --git a/rules/cross-platform/multiple_alerts_involving_user.toml b/rules/cross-platform/multiple_alerts_involving_user.toml
new file mode 100644
index 000000000..5e440d49d
--- /dev/null
+++ b/rules/cross-platform/multiple_alerts_involving_user.toml
@@ -0,0 +1,47 @@
+[metadata]
+creation_date = "2022/11/16"
+maturity = "production"
+updated_date = "2023/01/03"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule uses alert data to determine when multiple different alerts involving the same user are triggered. Analysts
+can use this to prioritize triage and response, as these users are more likely to be compromised.
+"""
+false_positives = [
+    """
+    False positives can occur with Generic built-in accounts, such as Administrator, admin, etc. if they are widespread
+    used in your environment. As a best practice, they shouldn't be used in day-to-day tasks, as it prevents the ability
+    to quickly identify and contact the account owner to find out if an alert is a planned activity, regular business
+    activity, or an upcoming incident.
+    """,
+]
+from = "now-24h"
+interval = "1h"
+index = [".alerts-security.*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Multiple Alerts Involving a User"
+risk_score = 73
+rule_id = "0d160033-fab7-4e72-85a3-3a9d80c8bff7"
+severity = "high"
+tags = ["Elastic", "Threat Detection", "Higher-Order Rules"]
+timeline_id = "3e827bab-838a-469f-bd1e-5e19a2bff2fd"
+timeline_title = "Alerts Involving a Single User Timeline"
+timestamp_override = "event.ingested"
+type = "threshold"
+
+query = '''
+signal.rule.name:* and user.name:* and not user.id:("S-1-5-18" or "S-1-5-19" or "S-1-5-20")
+'''
+
+[rule.threshold]
+field = ["user.name"]
+value = 1
+
+[[rule.threshold.cardinality]]
+field = "signal.rule.rule_id"
+value = 5
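Review bot: The service-account exclusion in the query is keyed on `user.id` while the match and the threshold grouping are keyed on `user.name`, so any alert whose source populates `user.name` (e.g. `SYSTEM`) without a Windows SID passes the filter and counts toward the cardinality for that name; if such sources exist in the targeted alert data, a name-based exclusion alongside the SID one would close that gap, e.g. `and not user.name:("SYSTEM" or "LOCAL SERVICE" or "NETWORK SERVICE")`. Because the rule reads `.alerts-security.*` and matches any `signal.rule.name:*`, its own threshold alerts (and those of other higher-order rules) presumably land in the same index and may feed back into the next 24h window if they carry `user.name`; adding `and not signal.rule.rule_id:"0d160033-fab7-4e72-85a3-3a9d80c8bff7"` would make the five-distinct-rules requirement depend only on first-order detections. Grouping on `user.name` alone also merges same-named accounts across domains and hosts, which the false_positives text already acknowledges for built-in accounts but which should be stated in the description so analysts know a single "user" here is a name, not an identity.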