diff --git a/detection_rules/etc/non-ecs-schema.json b/detection_rules/etc/non-ecs-schema.json
index ed95b6c46..2d2f06a11 100644
--- a/detection_rules/etc/non-ecs-schema.json
+++ b/detection_rules/etc/non-ecs-schema.json
@@ -99,5 +99,9 @@
 "kubernetes.audit.responseStatus.reason": "keyword",
 "kubernetes.audit.requestObject.spec.containers.securityContext.capabilities.add": "keyword",
 "kubernetes.audit.requestObject.spec.containers.image": "text"
+ },
+ ".alerts-*": {
+ "signal.rule.name": "keyword",
+ "kibana.alert.rule.threat.tactic.id": "keyword"
 }
 }
diff --git a/detection_rules/schemas/definitions.py b/detection_rules/schemas/definitions.py
index 766457f08..4c66ca483 100644
--- a/detection_rules/schemas/definitions.py
+++ b/detection_rules/schemas/definitions.py
@@ -48,7 +48,8 @@ TIMELINE_TEMPLATES: Final[dict] = {
 '4d4c0b59-ea83-483f-b8c1-8c360ee53c5c': 'Comprehensive File Timeline',
 'e70679c2-6cde-4510-9764-4823df18f7db': 'Comprehensive Process Timeline',
 '300afc76-072d-4261-864d-4149714bf3f1': 'Comprehensive Network Timeline',
- '3e47ef71-ebfc-4520-975c-cb27fc090799': 'Comprehensive Registry Timeline'
+ '3e47ef71-ebfc-4520-975c-cb27fc090799': 'Comprehensive Registry Timeline',
+ '4434b91a-94ca-4a89-83cb-a37cdc0532b7': 'Alerts Involving a Single Host Timeline'
 }
diff --git a/rules/cross-platform/multiple_alerts_different_tactics_host.toml b/rules/cross-platform/multiple_alerts_different_tactics_host.toml
new file mode 100644
index 000000000..37689f71c
--- /dev/null
+++ b/rules/cross-platform/multiple_alerts_different_tactics_host.toml
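Review bot: The new `.alerts-*` entry declares `signal.rule.name` alongside `kibana.alert.rule.threat.tactic.id`, mixing the legacy `signal.*` alert namespace with the 8.x `kibana.alert.*` namespace that the new rule in the third hunk (`min_stack_version = "8.3.0"`) otherwise targets. On 8.x alert indices `signal.rule.name` appears to be retained only as a compatibility alias of `kibana.alert.rule.name` (worth confirming against the alerts index mapping), so declaring `"kibana.alert.rule.name": "keyword"` here and querying `kibana.alert.rule.name:*` in the TOML hunk would keep both clauses in one namespace and not depend on the alias surviving. The same point applies to the `query` block of the TOML hunk; if the alias is used on purpose so the rule also matches older alert documents, the rule's description is the place to say so, since this JSON file has no comment syntax.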
@@ -0,0 +1,45 @@
+[metadata]
+creation_date = "2022/11/16"
+maturity = "production"
+updated_date = "2022/11/16"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule uses alert data to determine when multiple alerts in different phases of an attack involving the same host are
+triggered. Analysts can use this to prioritize triage and response, as these hosts are more likely to be compromised.
+"""
+false_positives = [
+ """
+ False positives can occur because the rules may be mapped to a few MITRE ATT&CK tactics. Use the attached Timeline
+ to determine which detections were triggered on the host.
+ """,
+]
+from = "now-24h"
+interval = "1h"
+index = [".alerts-*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Multiple Alerts in Different ATT&CK Tactics on a Single Host"
+risk_score = 73
+rule_id = "b946c2f7-df06-4c00-a5aa-1f6fbc7bb72c"
+severity = "high"
+tags = ["Elastic", "Threat Detection", "Higher-Order Rules"]
+timeline_id = "4434b91a-94ca-4a89-83cb-a37cdc0532b7"
+timeline_title = "Alerts Involving a Single Host Timeline"
+timestamp_override = "event.ingested"
+type = "threshold"
+
+query = '''
+signal.rule.name:* and kibana.alert.rule.threat.tactic.id:*
+'''
+
+[rule.threshold]
+field = ["host.id"]
+value = 1
+
+[[rule.threshold.cardinality]]
+field = "kibana.alert.rule.threat.tactic.id"
+value = 3
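Review bot: The rule defines no `[[rule.threat]]` section, and because the query requires `kibana.alert.rule.threat.tactic.id:*`, that absence is presumably what keeps this rule's own alerts (which also land in `.alerts-*`) from re-matching and inflating the per-host tactic cardinality; nothing in the file records that dependency, so a comment such as `# No ATT&CK mapping on purpose: keeps this rule's own alerts out of the tactic.id clause` above `query` would protect it from a later well-meaning edit that adds a threat mapping. The threshold also counts every alert in the 24h window regardless of `kibana.alert.workflow_status`, so alerts an analyst has already closed keep contributing to the cardinality; if that is unintended, `and not kibana.alert.workflow_status:closed` is a one-line tuning. The stated false positive (one rule mapped to three or more tactics satisfying the cardinality with a single alert) follows directly from `value = 1` on `host.id` and `value = 3` on the tactic id, and is worth mentioning in the description as well, since that is what a triaging analyst reads first.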