[New] Alerts in Different ATT&CK Tactics by Host (#5343)
* [New] Alerts in Different ATT&CK Tactics by Host: using ES|QL and alerts risk score to identify top risky hosts based on the presence of multiple alerts touching at least 4 unique tactics in a 24h time window.
* Update multiple_alerts_risky_host_esql.toml
* Update multiple_alerts_risky_host_esql.toml
* Update multiple_alerts_risky_host_esql.toml
* Update multiple_alerts_risky_host_esql.toml
* Update multiple_alerts_risky_host_esql.toml
* Update non-ecs-schema.json
* ++
* Update multiple_alerts_edr_elastic_defend_by_host.toml

---------

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
@@ -145,7 +145,10 @@
"kibana.alert.rule.threat.tactic.id": "keyword",
"kibana.alert.workflow_status": "keyword",
"kibana.alert.rule.rule_id": "keyword",
"kibana.alert.rule.name": "keyword"
"kibana.alert.rule.name": "keyword",
"kibana.alert.risk_score": "long",
"kibana.alert.rule.type": "keyword",
"kibana.alert.rule.threat.tactic.name": "keyword"
},
"logs-google_workspace*": {
"gsuite.admin": "keyword",
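Review bot: the added `"kibana.alert.risk_score": "long",` entry needs its type checked against the actual security alerts index mapping before merging; this schema file is what ES|QL rule validation uses for non-ECS fields, so if the index maps `kibana.alert.risk_score` as a floating-point type, declaring it `long` here lets validation accept a query whose risk-score aggregation behaves differently at runtime. If the mapping is float, change that line to `"kibana.alert.risk_score": "float",`. The other additions, `"kibana.alert.rule.type": "keyword",` and `"kibana.alert.rule.threat.tactic.name": "keyword"`, follow the existing `kibana.alert.rule.threat.tactic.id` convention, and the removal and re-addition of `"kibana.alert.rule.name": "keyword"` only adds the trailing comma that the new entries require, so those are fine as is.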