Multiple Alerts in Different ATT&CK Tactics on a Single Host

Last updated 2 months ago on 2025-06-27

Created 3 years ago on 2022-11-16

About

This rule uses alert data to determine when multiple alerts in different phases of an attack involving the same host are triggered. Analysts can use this to prioritize triage and response, as these hosts are more likely to be compromised.

Tags: Use Case: Threat DetectionRule Type: Higher-Order RuleLanguage: kuery
Severity: high
Risk Score: 73
False Positive Examples: False positives can occur because the rules may be mapped to a few MITRE ATT&CK tactics. Use the attached Timeline to determine which detections were triggered on the host.
License: Elastic License v2(opens in a new tab or window)

Definition

Rule Type: Threshold Rule
Integration Pack: Prebuilt Security Detection Rules
Index Patterns: .alerts-security.*
Related Integrations: (opens in a new tab or window)
Query

signal.rule.name:* and kibana.alert.rule.threat.tactic.id:*

Install detection rules in Elastic Security

Detect Multiple Alerts in Different ATT&CK Tactics on a Single Host in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).