Samirbous
b39cfc34e6
* [New] First Time Seen Elastic Defend Behavior Alert This rule detects Elastic Defend behavior alerts that are observed for the first time today when compared against the previous 7 days of alert history. It highlights low-volume, newly observed alerts tied to a specific detection rule on a single agent, which may indicate early-stage malicious activity or initial execution of suspicious behavior : * Update first_time_seen_elastic_defend_alert.toml * ++ * Update first_time_seen_elastic_defend_alert.toml * ++ * Update fist_time_seen_elastic_detection_rule.toml * Update fist_time_seen_elastic_detection_rule.toml * Update rules/cross-platform/first_time_seen_elastic_defend_alert.toml Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com> * Update rules/cross-platform/fist_time_seen_elastic_detection_rule.toml Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com> * Update rules/cross-platform/fist_time_seen_elastic_detection_rule.toml Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com> * Update fist_time_seen_elastic_detection_rule.toml * Update first_time_seen_elastic_defend_alert.toml * Update rules/cross-platform/first_time_seen_elastic_defend_alert.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/cross-platform/first_time_seen_elastic_defend_alert.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/cross-platform/fist_time_seen_elastic_detection_rule.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update first_time_seen_elastic_defend_alert.toml * Update and rename fist_time_seen_elastic_detection_rule.toml to newly_observed_elastic_detection_rule.toml * Rename first_time_seen_elastic_defend_alert.toml to newly_observed_elastic_defend_alert.toml * Update newly_observed_elastic_defend_alert.toml * Update newly_observed_elastic_detection_rule.toml * Update newly_observed_elastic_defend_alert.toml * Update newly_observed_elastic_detection_rule.toml * Update newly_observed_elastic_defend_alert.toml * Update newly_observed_elastic_detection_rule.toml * Update newly_observed_elastic_detection_rule.toml --------- Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com> Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
85 lines
4.3 KiB
TOML
85 lines
4.3 KiB
TOML
[metadata]
|
|
creation_date = "2026/01/07"
|
|
maturity = "production"
|
|
updated_date = "2026/01/07"
|
|
|
|
[rule]
|
|
author = ["Elastic"]
|
|
description = """
|
|
This rule detects Elastic SIEM high severity detection alerts that are observed for the first time in the previous 5 days
|
|
of alert history. It highlights low-volume, newly observed alerts tied to a specific detection rule, analysts can use this
|
|
to prioritize triage and response.
|
|
"""
|
|
from = "now-7205m"
|
|
interval = "5m"
|
|
language = "esql"
|
|
license = "Elastic License v2"
|
|
name = "Newly Observed High Severity Detection Alert"
|
|
risk_score = 73
|
|
rule_id = "1a3d5b36-b995-4ace-9b85-8a0af429ccf6"
|
|
severity = "high"
|
|
tags = ["Use Case: Threat Detection", "Rule Type: Higher-Order Rule", "Resources: Investigation Guide"]
|
|
timestamp_override = "event.ingested"
|
|
type = "esql"
|
|
|
|
query = '''
|
|
FROM .alerts-security.*
|
|
| where kibana.alert.rule.name is not null and kibana.alert.risk_score >= 73 and
|
|
not kibana.alert.rule.type in ("threat_match", "machine_learning", "new_terms") and
|
|
not kibana.alert.rule.name like "Deprecated - *" and kibana.alert.rule.name != "My First Rule" and
|
|
// covered by 7306ce7d-5c90-4f42-aa6c-12b0dc2fe3b8
|
|
event.dataset != "endpoint.alerts"
|
|
| STATS Esql.alerts_count = count(*),
|
|
Esql.first_time_seen = MIN(@timestamp),
|
|
Esql.last_time_seen = MAX(@timestamp),
|
|
Esql.process_executable = VALUES(process.executable),
|
|
Esql.cmd_line = VALUES(process.command_line),
|
|
Esql.parent_executable = VALUES(process.parent.executable),
|
|
Esql.file_path_values = VALUES(file.path),
|
|
Esql.file_path_values = VALUES(file.path),
|
|
Esql.dll_path_values = VALUES(dll.path),
|
|
Esql.user_id_values = VALUES(user.id),
|
|
Esql.user_name_values = VALUES(user.name),
|
|
Esql.agent_id_values = VALUES(agent.id),
|
|
Esql.host_id_values = VALUES(host.id),
|
|
Esql.event_module_values = VALUES(event.module),
|
|
Esql.source_ip_values = VALUES(source.ip),
|
|
Esql.agents_distinct_count = COUNT_DISTINCT(agent.id) by kibana.alert.rule.name
|
|
// fist time seen in the last 5 days - defined in the rule schedule Additional look-back time
|
|
| eval Esql.recent = DATE_DIFF("minute", Esql.first_time_seen, now())
|
|
// first time seen is within 10m of the rule execution time
|
|
| where Esql.recent <= 10 and Esql.agents_distinct_count == 1 and Esql.alerts_count <= 10 and (Esql.last_time_seen == Esql.first_time_seen)
|
|
| keep kibana.alert.rule.name, Esql.*
|
|
'''
|
|
note = """## Triage and analysis
|
|
|
|
### Investigating Newly Observed High Severity Detection Alert
|
|
|
|
This rule surfaces newly observed, low-frequency behavior high severity alerts affecting a single agent within the current day.
|
|
|
|
Because the alert has not been seen previously for this rule and host, it should be prioritized for validation to determine
|
|
whether it represents a true compromise or rare benign activity.
|
|
|
|
### Investigation Steps
|
|
|
|
- Identify the affected host, user and review the associated rule name to understand the behavior that triggered the alert.
|
|
- Validate the user context under which the activity occurred and assess whether it aligns with normal behavior for that account.
|
|
- Refer to the specific rule investiguation guide for further actions.
|
|
|
|
### False Positive Considerations
|
|
|
|
- Newly deployed or updated software may introduce behavior not previously observed on the host.
|
|
- Administrative scripts or automation tools can trigger behavior-based detections when first introduced.
|
|
- Security tooling, IT management agents, or EDR integrations may generate new behavior alerts during updates or configuration changes.
|
|
- Development or testing environments may produce one-off behaviors that resemble malicious techniques.
|
|
|
|
### Response and Remediation
|
|
|
|
- If the activity is confirmed malicious, isolate the affected host to prevent further execution or lateral movement.
|
|
- Terminate malicious processes and remove any dropped files or persistence mechanisms.
|
|
- Collect forensic artifacts to understand initial access and execution flow.
|
|
- Patch or remediate any vulnerabilities or misconfigurations that enabled the behavior.
|
|
- If benign, document the finding and consider tuning or exception handling to reduce future noise.
|
|
- Continue monitoring the host and environment for recurrence of the behavior or related alerts."""
|
|
references = ["https://www.elastic.co/docs/solutions/security/detect-and-alert/about-detection-rules"]
|