From edf28367e4dfaeedda024d90e78a39aa5ef9bf50 Mon Sep 17 00:00:00 2001 
From: Samirbous <64742097+Samirbous@users.noreply.github.com> Date: Mon, 26 Jan 2026 16:21:27 +0000 Subject: [PATCH] [New] Lateral Movement Alerts from a Newly Observed Entity (#5557) * [New] Lateral Movement Alerts from a Newly Observed Entity Higher-order rules to prioritize lateral movement alert triage (detects multiple lateral movement alerts from a source.ip or user.id that was observed for the first time in the previous 5 days). * Update lateral_movement_multi_alerts_new_userid.toml * Update lateral_movement_multi_alerts_new_srcip.toml * Update lateral_movement_multi_alerts_new_userid.toml * Update lateral_movement_multi_alerts_new_userid.toml * Update lateral_movement_multi_alerts_new_userid.toml * Update rules/cross-platform/lateral_movement_multi_alerts_new_srcip.toml Co-authored-by: Mika Ayenson, PhD * Update rules/cross-platform/lateral_movement_multi_alerts_new_userid.toml Co-authored-by: Mika Ayenson, PhD * Update rules/cross-platform/lateral_movement_multi_alerts_new_srcip.toml Co-authored-by: Mika Ayenson, PhD * Update rules/cross-platform/lateral_movement_multi_alerts_new_userid.toml Co-authored-by: Mika Ayenson, PhD * Update rules/cross-platform/lateral_movement_multi_alerts_new_srcip.toml Co-authored-by: Mika Ayenson, PhD * Update rules/cross-platform/lateral_movement_multi_alerts_new_userid.toml Co-authored-by: Mika Ayenson, PhD * Apply suggestion from @Mikaayenson Co-authored-by: Mika Ayenson, PhD * Update lateral_movement_multi_alerts_new_userid.toml * Update lateral_movement_multi_alerts_new_srcip.toml * Update lateral_movement_multi_alerts_new_userid.toml * Update lateral_movement_multi_alerts_new_userid.toml --------- Co-authored-by: Mika Ayenson, PhD --- ...teral_movement_multi_alerts_new_srcip.toml | 93 +++++++++++++++++++ ...eral_movement_multi_alerts_new_userid.toml | 88 ++++++++++++++++++ 2 files changed, 181 insertions(+) create mode 100644 rules/cross-platform/lateral_movement_multi_alerts_new_srcip.toml create mode 100644 
rules/cross-platform/lateral_movement_multi_alerts_new_userid.toml
diff --git a/rules/cross-platform/lateral_movement_multi_alerts_new_srcip.toml b/rules/cross-platform/lateral_movement_multi_alerts_new_srcip.toml
new file mode 100644
index 000000000..948b7c908
--- /dev/null
+++ b/rules/cross-platform/lateral_movement_multi_alerts_new_srcip.toml
@@ -0,0 +1,93 @@
+[metadata]
+creation_date = "2026/01/14"
+maturity = "production"
+updated_date = "2026/01/14"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule detects source IPs that triggered their first lateral movement alert within the last 10 minutes (i.e., newly observed), while also triggering at least 2 distinct lateral movement detection rules. This surfaces new potentially malicious IPs exhibiting immediate lateral movement behavior.
+"""
+from = "now-7200m"
+interval = "10m"
+language = "esql"
+license = "Elastic License v2"
+name = "Lateral Movement Alerts from a Newly Observed Source Address"
+risk_score = 73
+rule_id = "0e67f4f1-f683-43c0-8d45-c3293cf31e5d"
+severity = "high"
+tags = ["Use Case: Threat Detection", "Rule Type: Higher-Order Rule", "Tactic: Lateral Movement", "Resources: Investigation Guide"]
+timestamp_override = "event.ingested"
+type = "esql"
+
+query = '''
+FROM .alerts-security.* METADATA _index
+
+// Lateral Movement related rules with fields of interest
+| where kibana.alert.rule.threat.tactic.name is not null and
+ source.ip IS NOT NULL and destination.ip is not null and
+ host.id is not null and KQL("""kibana.alert.rule.threat.tactic.name : "Lateral Movement" """)
+
+// aggregate stats by source.ip
+| stats Esql.first_time_seen = MIN(@timestamp),
+ Esql.alerts_count = count(*),
+ Esql.unique_rules_count = COUNT_DISTINCT(kibana.alert.rule.name),
+ Esql.unique_count_host_id = COUNT_DISTINCT(host.id),
+ Esql.rule_name_values = VALUES(kibana.alert.rule.name),
+ Esql.user_name_values = VALUES(user.name),
+ Esql.host_id_values = VALUES(host.id),
+ Esql.host_ip_values = VALUES(host.ip),
+ Esql.tactic_name_values = VALUES(kibana.alert.rule.threat.tactic.name) by source.ip
+
+// values we will need for next filter
+| eval isLocal = locate(MV_CONCAT(to_string(Esql.host_ip_values), ","), to_string(source.ip)),
+ Esql.date_diff = DATE_DIFF("minute", Esql.first_time_seen, now())
+
+// at least 2 unique rules from same source.ip and that was first seen in last 5 days
+| where Esql.unique_rules_count >= 2 and
+ // matches are within 10m of the rule execution time to avoid alert duplicates
+ Esql.date_diff <= 10 and
+ // make sure source.ip is not equal to host.ip
+ not isLocal > 0 and
+ // reduce noise from SCCM, Nessus and alike
+ Esql.unique_count_host_id <= 3 and Esql.alerts_count <= 20
+| eval host.id = MV_FIRST(Esql.host_id_values), user.name = MV_FIRST(Esql.user_name_values)
+| KEEP Esql.*, source.ip, host.id, user.name
+'''
+note = """## Triage and analysis
+
+### Investigating Lateral Movement Alerts from a Newly Observed Source Address
+
+This rule surfaces newly observed, low-frequency source address triggering multiple lateral movement alerts.
+
+Because the alert has not been seen previously for this rule and host, it should be prioritized for validation to determine
+whether it represents a true compromise or rare benign activity.
+
+### Investigation Steps
+
+- Identify the source address, affected host, user and review the associated rule name to understand the behavior that triggered the alert.
+- Validate the source address and user context under which the activity occurred and assess whether it aligns with normal behavior for that address.
+- Refer to the specific rule investigation guide for further actions.
+
+### False Positive Considerations
+
+- Administrative scripts or automation tools can trigger behavior-based detections when first introduced.
+- Security tooling, IT management agents, or EDR integrations may generate new behavior alerts during updates or configuration changes.
+- Development or testing environments may produce one-off behaviors that resemble malicious techniques.
+
+### Response and Remediation
+
+- If the activity is confirmed malicious, isolate the affected host to prevent further execution or lateral movement.
+- Terminate malicious processes and remove any dropped files or persistence mechanisms.
+- Collect forensic artifacts to understand initial access and execution flow.
+- Patch or remediate any vulnerabilities or misconfigurations that enabled the behavior.
+- If benign, document the finding and consider tuning or exception handling to reduce future noise.
+- Continue monitoring the host and environment for recurrence of the behavior or related alerts."""
+references = ["https://www.elastic.co/docs/solutions/security/detect-and-alert/about-detection-rules"]
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[rule.threat.tactic]
+id = "TA0008"
+name = "Lateral Movement"
+reference = "https://attack.mitre.org/tactics/TA0008/"
diff --git a/rules/cross-platform/lateral_movement_multi_alerts_new_userid.toml b/rules/cross-platform/lateral_movement_multi_alerts_new_userid.toml
new file mode 100644
index 000000000..1d0b3e81c
--- /dev/null
+++ b/rules/cross-platform/lateral_movement_multi_alerts_new_userid.toml
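Review bot: The local-address exclusion on the `| eval isLocal = locate(MV_CONCAT(to_string(Esql.host_ip_values), ","), to_string(source.ip))` line is a plain substring search, so a source address such as `10.0.0.1` counts as local whenever any host in the group reports `10.0.0.10`, `10.0.0.100` or `110.0.0.1`, and the later `not isLocal > 0` filter then silently drops the whole group. That is a false negative in the direction an attacker benefits from, and it becomes more likely as `VALUES(host.ip)` pools the addresses of up to three hosts per source. Delimiting both sides before the search closes it: `| eval isLocal = locate(CONCAT(",", MV_CONCAT(to_string(Esql.host_ip_values), ","), ","), CONCAT(",", to_string(source.ip), ",")),`. Separately, the comment `// at least 2 unique rules from same source.ip and that was first seen in last 5 days` describes the lookback rather than the filter: with `from = "now-7200m"` the test `Esql.date_diff <= 10` means the address produced no lateral-movement alert in the preceding five days and its first one landed in the last ten minutes, which is what the description already says and what this comment should say too.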
@@ -0,0 +1,88 @@
+[metadata]
+creation_date = "2026/01/14"
+maturity = "production"
+updated_date = "2026/01/14"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule detects multiple lateral movement alerts from a user that was observed for the first time in the previous 5 days
+of alerts history. Analysts can use this high-order detection to prioritize triage and response.
+"""
+from = "now-7200m"
+interval = "9m"
+language = "esql"
+license = "Elastic License v2"
+name = "Lateral Movement Alerts from a Newly Observed User"
+risk_score = 73
+rule_id = "e819b7eb-c2d4-4adc-b0c9-658aeb140450"
+severity = "high"
+tags = ["OS: Windows", "Use Case: Threat Detection", "Rule Type: Higher-Order Rule", "Tactic: Lateral Movement", "Resources: Investigation Guide"]
+timestamp_override = "event.ingested"
+type = "esql"
+
+query = '''
+FROM .alerts-security.* METADATA _index
+
+// Lateral Movement related rules
+| where kibana.alert.rule.threat.tactic.name is not null and user.id is not null and
+ (to_string(user.id) like "S-1-5-21*" or to_string(user.id) like "S-1-12-*") and
+ host.id is not null and KQL("""kibana.alert.rule.threat.tactic.name : "Lateral Movement" """)
+
+// aggregate stats by user.id
+| stats Esql.first_time_seen = MIN(@timestamp),
+ Esql.alerts_count = count(*),
+ Esql.unique_rules_count = COUNT_DISTINCT(kibana.alert.rule.name),
+ Esql.unique_count_host_id = COUNT_DISTINCT(host.id),
+ Esql.rule_name_values = VALUES(kibana.alert.rule.name),
+ Esql.host_id_values = VALUES(host.id),
+ Esql.host_ip_values = VALUES(host.ip),
+ Esql.source_ip_values = VALUES(source.ip),
+ Esql.process_cmd_line = VALUES(process.command_line),
+ Esql.tactic_name_values = VALUES(kibana.alert.rule.threat.tactic.name) by user.id, user.name
+
+// at least 2 unique lateral movement detection rules from same user.id and that was first seen in last 5 days
+| eval Esql.date_diff = DATE_DIFF("minute", Esql.first_time_seen, now())
+| where Esql.unique_rules_count >= 2 and
+ // matches are within 10m of the rule execution time to avoid alert duplicates
+ Esql.date_diff <= 10
+| eval source.ip = MV_FIRST(Esql.source_ip_values), host.id = MV_FIRST(Esql.host_id_values)
+| KEEP Esql.*, user.id, user.name, host.id, source.ip
+'''
+note = """## Triage and analysis
+
+### Investigating Lateral Movement Alerts from a Newly Observed User
+
+This rule surfaces newly observed, low-frequency source user triggering multiple lateral movement alerts.
+
+Because the alert has not been seen previously for this rule and host, it should be prioritized for validation to determine
+whether it represents a true compromise or rare benign activity.
+
+### Investigation Steps
+
+- Identify the source user, affected hosts and review the associated rule name to understand the behavior that triggered the alert.
+- Validate the source address and user context under which the activity occurred and assess whether it aligns with normal behavior for that address.
+- Refer to the specific rule investigation guide for further actions.
+
+### False Positive Considerations
+
+- Administrative scripts or automation tools can trigger behavior-based detections when first introduced.
+- Security tooling, IT management agents, or EDR integrations may generate new behavior alerts during updates or configuration changes.
+- Development or testing environments may produce one-off behaviors that resemble malicious techniques.
+
+### Response and Remediation
+
+- If the activity is confirmed malicious, isolate the affected host to prevent further execution or lateral movement.
+- Terminate malicious processes and remove any dropped files or persistence mechanisms.
+- Collect forensic artifacts to understand initial access and execution flow.
+- Patch or remediate any vulnerabilities or misconfigurations that enabled the behavior.
+- If benign, document the finding and consider tuning or exception handling to reduce future noise.
+- Continue monitoring the host and environment for recurrence of the behavior or related alerts."""
+references = ["https://www.elastic.co/docs/solutions/security/detect-and-alert/about-detection-rules"]
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[rule.threat.tactic]
+id = "TA0008"
+name = "Lateral Movement"
+reference = "https://attack.mitre.org/tactics/TA0008/"
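Review bot: `interval = "9m"` together with `Esql.date_diff <= 10` does not deliver what the comment `// matches are within 10m of the rule execution time to avoid alert duplicates` promises: a user whose first alert landed in the minute before one run is still inside the ten-minute window at the next run nine minutes later, and because the query aggregates with `stats` there is no source document `_id` for the engine to suppress the repeat on (my understanding is that ES|QL rule deduplication only applies to non-aggregating queries; worth confirming). Aligning the two values, `interval = "10m"` as the sibling source-address rule uses, or `Esql.date_diff <= 9`, removes the overlap. The grouping `by user.id, user.name` also means one SID seen under two spellings of the name (with and without a domain prefix) becomes two "newly observed" users and can alert twice; if that is not intended, group on `user.id` alone and collect `Esql.user_name_values = VALUES(user.name)` the way the source-address rule does. Finally, the triage sentence `Because the alert has not been seen previously for this rule and host` was carried over from a host-centric template, while this rule keys on the user, so it should read "for this user".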