Performs systematic alert triage in Elastic Security SIEM: assess severity, gather context via ES|QL queries, enrich with threat intel, classify, prioritize, and document for SOC operations.
```sh
npx claudepluginhub killvxk/cybersecurity-skills-zh
```

This skill uses the workspace's default tool permissions.
Alert triage in Elastic Security is the systematic process of reviewing, classifying and prioritizing security alerts to determine which of them represent real threats. Elastic's AI-driven Attack Discovery feature can consolidate hundreds of alerts into discrete attack chains, but manual triage by a skilled analyst remains indispensable. Using Elastic's built-in tools, a structured triage workflow typically takes 5-10 minutes per alert cluster.
When reviewing an alert in Elastic Security, inspect the alert details panel, which shows:
- Rule Name and Description
- Severity and Risk Score
- MITRE ATT&CK Mapping
- Host and User Context
- Process Tree (for endpoint alerts)
- Timeline of related events
| Field | Purpose | ECS field |
|---|---|---|
| Rule severity | Initial priority assessment | kibana.alert.severity |
| Risk score | Quantified threat level | kibana.alert.risk_score |
| Host name | Affected system | host.name |
| User name | Affected identity | user.name |
| Process name | Executing process | process.name |
| Source IP | Origin of the activity | source.ip |
| Destination IP | Target of the activity | destination.ip |
| MITRE tactic | Attack phase | threat.tactic.name |
Gather context around the alert with ES|QL, pivoting on one field of the alert at a time:

```esql
// Recent activity on the affected host, grouped by event category and action
FROM logs-endpoint.events.*
| WHERE host.name == "affected-host" AND @timestamp > NOW() - 1 HOUR
| STATS count = COUNT(*) BY event.category, event.action
| SORT count DESC
```

```esql
// What the user has done in the last 24 hours, and across how many hosts
FROM logs-*
| WHERE user.name == "suspicious-user" AND @timestamp > NOW() - 24 HOURS
| STATS count = COUNT(*), unique_hosts = COUNT_DISTINCT(host.name) BY event.category
| SORT count DESC
```

```esql
// Other alerts raised on the same source IP in the last 24 hours
FROM .alerts-security.alerts-default
| WHERE source.ip == "10.0.0.50" AND @timestamp > NOW() - 24 HOURS
| STATS alert_count = COUNT(*) BY kibana.alert.rule.name, kibana.alert.severity
| SORT alert_count DESC
```

```esql
// Accounts used from the source IP that logged in successfully to more than three hosts
FROM logs-system.auth-*
| WHERE source.ip == "10.0.0.50" AND event.outcome == "success"
| STATS login_count = COUNT(*), hosts = COUNT_DISTINCT(host.name) BY user.name
| WHERE hosts > 3
```
Check the alert's indicators against threat intelligence:

```esql
// Look the IP up in the ingested threat-intel feeds
FROM logs-ti_*
| WHERE threat.indicator.ip == "203.0.113.50"
| KEEP threat.indicator.type, threat.indicator.provider, threat.indicator.confidence, threat.feed.name
```

```esql
// Where else the file hash has been seen across endpoints, and by whom
FROM logs-endpoint.events.file-*
| WHERE file.hash.sha256 == "abc123..."
| STATS occurrences = COUNT(*) BY host.name, file.path, user.name
```
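The context and enrichment queries above all take their pivot value from a field of the alert. The following Python is an added example, not the skill's own code and not an Elastic API: it builds those queries from an alert document and validates each pivot value by shape before placing it in an ES|QL string literal, so a crafted `host.name` or `user.name` in an alert cannot alter the query text. The alert dict, the `context_queries` function, the `hours` parameter and the sample alert are all assumptions of this example; the caller is assumed to send the returned text to the ES|QL `_query` endpoint.

```python
"""Build the ES|QL context queries for an alert from its ECS fields.

Added example; not the skill's own code and not an Elastic API. It assumes the
alert is available as a flat dict keyed by field name (as the alert document's
ECS and kibana.alert.* fields are) and that the caller sends the returned query
text to the ES|QL _query endpoint. Pivot values are validated by shape before
they are placed in a string literal.
"""
import ipaddress
import re

# Conservative shapes for values that may be interpolated into an ES|QL string literal.
_HOSTNAME_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?")
_USERNAME_RE = re.compile(r"[A-Za-z0-9._@$-]{1,128}")  # no quotes, no backslashes


def _literal(value, pattern):
    """Quote value as an ES|QL string literal, or raise if its shape is unexpected."""
    if not isinstance(value, str) or not pattern.fullmatch(value):
        raise ValueError(f"refusing to interpolate unexpected pivot value: {value!r}")
    return f'"{value}"'


def _ip_literal(value):
    """Quote an IP address; ipaddress.ip_address raises on anything that is not one."""
    return f'"{ipaddress.ip_address(value)}"'


def context_queries(alert, hours=24):
    """Return the context queries that apply to this alert, keyed by pivot name.

    Only pivots whose field is present on the alert are generated, so a
    network-only alert without host.name yields no host query.
    """
    hours = int(hours)  # the lookback is interpolated unquoted, so force an integer
    queries = {}
    host = alert.get("host.name")
    if host:
        h = _literal(host, _HOSTNAME_RE)
        queries["host_activity"] = (
            "FROM logs-endpoint.events.*\n"
            f"| WHERE host.name == {h} AND @timestamp > NOW() - 1 HOUR\n"
            "| STATS count = COUNT(*) BY event.category, event.action\n"
            "| SORT count DESC"
        )
    user = alert.get("user.name")
    if user:
        u = _literal(user, _USERNAME_RE)
        queries["user_activity"] = (
            "FROM logs-*\n"
            f"| WHERE user.name == {u} AND @timestamp > NOW() - {hours} HOURS\n"
            "| STATS count = COUNT(*), unique_hosts = COUNT_DISTINCT(host.name) BY event.category\n"
            "| SORT count DESC"
        )
    src = alert.get("source.ip")
    if src:
        ip = _ip_literal(src)
        queries["source_alerts"] = (
            "FROM .alerts-security.alerts-default\n"
            f"| WHERE source.ip == {ip} AND @timestamp > NOW() - {hours} HOURS\n"
            "| STATS alert_count = COUNT(*) BY kibana.alert.rule.name, kibana.alert.severity\n"
            "| SORT alert_count DESC"
        )
        queries["source_logins"] = (
            "FROM logs-system.auth-*\n"
            f'| WHERE source.ip == {ip} AND event.outcome == "success"\n'
            "| STATS login_count = COUNT(*), hosts = COUNT_DISTINCT(host.name) BY user.name\n"
            "| WHERE hosts > 3"
        )
    return queries


SAMPLE_ALERT = {  # constructed sample alert; field names as Elastic exposes them
    "kibana.alert.rule.name": "Suspicious PowerShell Download",
    "kibana.alert.severity": "high",
    "kibana.alert.risk_score": 73,
    "host.name": "ws-finance-07",
    "user.name": "j.doe",
    "source.ip": "10.0.0.50",
}

if __name__ == "__main__":
    for name, query in context_queries(SAMPLE_ALERT).items():
        print(f"// {name}\n{query}\n")
```

Rejecting unexpected shapes rather than escaping them is deliberate: the allowed character sets are narrow enough that a value which fails them is itself worth a look during triage, and the query builder never has to reason about ES|QL escape rules.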
| Classification | Criteria | Action |
|---|---|---|
| True Positive | Confirmed malicious activity | Escalate to an incident and begin containment |
| Benign True Positive | Expected behavior that matches the rule | Document in the alert notes and close as acknowledged |
| False Positive | Rule fired on benign activity | Mark as a false positive and create a tuning task |
| Needs Investigation | Insufficient data to decide | Assign for deeper investigation |
For each triaged alert, record:
Elastic Security ships with 1000+ prebuilt detection rules, organized by:
```json
{
  "name": "Multiple Failed Logins Followed by Success",
  "type": "threshold",
  "query": "event.category:authentication AND event.outcome:failure",
  "threshold": {
    "field": ["source.ip"],
    "value": 5,
    "cardinality": [
      {
        "field": "user.name",
        "value": 3
      }
    ]
  },
  "severity": "high",
  "risk_score": 73,
  "threat": [
    {
      "framework": "MITRE ATT&CK",
      "tactic": {
        "id": "TA0006",
        "name": "Credential Access"
      },
      "technique": [
        {
          "id": "T1110",
          "name": "Brute Force"
        }
      ]
    }
  ]
}
```
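To make concrete what the threshold rule above evaluates, here is an added Python example (not Elastic's detection engine and not part of the skill) that applies the same logic to a handful of constructed ECS authentication events: failures are grouped by `source.ip`, and a group fires when it reaches 5 failures spread across at least 3 distinct `user.name` values. It goes one step beyond the rule definition to match the rule's name, reporting any successful login from the same source after the threshold was reached. The five-minute window, the `evaluate_rule` function and the sample events are assumptions of this example.

```python
"""Evaluate the logic of the threshold rule above over ECS authentication events.

Added example; not Elastic's detection engine and not part of the skill. It
assumes events are flat dicts with ECS field names and ISO-8601 @timestamp
values, and it assumes a five-minute rule window, which the rule JSON does not
state. The events below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

THRESHOLD_VALUE = 5            # threshold.value: failures per source.ip group
MIN_UNIQUE_USERS = 3           # threshold.cardinality: distinct user.name in the group
WINDOW = timedelta(minutes=5)  # assumed lookback


def _ts(event):
    """Parse an ECS @timestamp such as 2024-05-01T09:00:10Z into an aware datetime."""
    return datetime.fromisoformat(event["@timestamp"].replace("Z", "+00:00"))


def evaluate_rule(events, now):
    """Return one hit per source.ip that meets the threshold in the window ending at `now`.

    Each hit also lists successful logins from the same source that occurred
    after the threshold was reached: that is what the rule name asks for and
    the first thing an analyst checks when the alert fires.
    """
    window_start = now - WINDOW
    failures = defaultdict(list)   # source.ip -> [(time, user), ...]
    successes = defaultdict(list)
    for ev in events:
        if ev.get("event.category") != "authentication":
            continue
        t = _ts(ev)
        if not window_start <= t <= now:
            continue
        outcome = ev.get("event.outcome")
        if outcome == "failure":
            failures[ev["source.ip"]].append((t, ev["user.name"]))
        elif outcome == "success":
            successes[ev["source.ip"]].append((t, ev["user.name"]))

    hits = []
    for ip, attempts in failures.items():
        users = {user for _, user in attempts}
        if len(attempts) < THRESHOLD_VALUE or len(users) < MIN_UNIQUE_USERS:
            continue
        # The moment the threshold was met is the time of the fifth failure.
        threshold_time = sorted(t for t, _ in attempts)[THRESHOLD_VALUE - 1]
        hits.append({
            "source.ip": ip,
            "failure_count": len(attempts),
            "unique_users": sorted(users),
            "success_after_threshold": [u for t, u in successes[ip] if t > threshold_time],
            "severity": "high",            # copied from the rule definition
            "risk_score": 73,
            "threat.technique.id": "T1110",
        })
    return hits


def _ev(ts, outcome, ip, user):
    """Build one constructed ECS authentication event."""
    return {"@timestamp": ts, "event.category": "authentication", "event.outcome": outcome,
            "source.ip": ip, "user.name": user, "host.name": "dc01"}


SAMPLE_EVENTS = [  # constructed sample log lines
    # one source tries five different accounts, then logs in as the fifth
    *(_ev(f"2024-05-01T09:00:{10 * i:02d}Z", "failure", "198.51.100.7", u)
      for i, u in enumerate(["alice", "bob", "carol", "dave", "eve"], start=1)),
    _ev("2024-05-01T09:02:00Z", "success", "198.51.100.7", "eve"),
    # a benign source: one user mistypes a password six times, then succeeds
    *(_ev(f"2024-05-01T09:01:{10 * i:02d}Z", "failure", "10.0.0.21", "alice") for i in range(6)),
    _ev("2024-05-01T09:02:30Z", "success", "10.0.0.21", "alice"),
    # an old failure from the first source that falls outside the window
    _ev("2024-05-01T08:30:00Z", "failure", "198.51.100.7", "frank"),
]
NOW = datetime(2024, 5, 1, 9, 5, tzinfo=timezone.utc)

if __name__ == "__main__":
    for hit in evaluate_rule(SAMPLE_EVENTS, NOW):
        print(hit)
```

The benign source exceeds the failure count but not the user cardinality, so it does not fire; that separation only works because the group field (`source.ip`) and the cardinality field (`user.name`) differ, which is what the rule's `threshold` block has to express.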
Elastic's Attack Discovery automatically performs the following:
| Risk score | Severity | Asset criticality | Response SLA |
|---|---|---|---|
| 90-100 | Critical | High | 15 minutes |
| 70-89 | High | High | 30 minutes |
| 70-89 | High | Medium | 1 hour |
| 50-69 | Medium | Any | 4 hours |
| 21-49 | Low | Any | 8 hours |
| 1-20 | Informational | Any | 24 hours |
| Metric | Target | Measurement |
|---|---|---|
| Mean time to triage (MTTT) | < 10 minutes | Time from alert creation to classification |
| False positive rate | < 30% | False positives / total alerts |
| Escalation rate | 10-20% | Escalated alerts / total alerts |
| Alert coverage | > 80% | Triaged alerts / alerts generated per shift |
| Reclassification rate | < 5% | Classification changes / total classified |