Multiple Alerts in Different ATT&CK Tactics on a Single Hostedit

This rule uses alert data to determine when multiple alerts in different phases of an attack involving the same host are triggered. Analysts can use this to prioritize triage and response, as these hosts are more likely to be compromised.

Rule type: threshold

Rule indices:

  • .alerts-security.*

Severity: high

Risk score: 73

Runs every: 1h

Searches indices from: now-24h (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References: None


  • Use Case: Threat Detection
  • Rule Type: Higher-Order Rule

Version: 4

Rule authors:

  • Elastic

Rule license: Elastic License v2

Rule queryedit* and*