Elastic Defend Alert Followed by Telemetry Loss

Detects when an Elastic Defend endpoint alert is generated on a host and is not followed by any subsequent endpoint telemetry (process, network, registry, library, or DNS events) within a short time window. This behavior may indicate endpoint security evasion, agent tampering, sensor disablement, service termination, system crash, or malicious interference with telemetry collection following detection.

Elastic rule (View on GitHub)

    [metadata]
    creation_date = "2026/02/10"
    integration = ["endpoint"]
    maturity = "production"
    updated_date = "2026/02/10"

    [rule]
    author = ["Elastic"]
    description = """
    Detects when an Elastic Defend endpoint alert is generated on a host and is not followed by any subsequent endpoint
    telemetry (process, network, registry, library, or DNS events) within a short time window. This behavior may indicate
    endpoint security evasion, agent tampering, sensor disablement, service termination, system crash, or malicious
    interference with telemetry collection following detection.
    """
    false_positives = ["Misconfiguration, system reboot, network issues or expected uninstall of the Elastic Defend agent."]
    from = "now-9m"
    index = ["logs-endpoint.*"]
    language = "eql"
    license = "Elastic License v2"
    name = "Elastic Defend Alert Followed by Telemetry Loss"
    note = """## Triage and analysis

    > **Disclaimer**:
    > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

    ### Investigating Elastic Defend Alert Followed by Telemetry Loss

    This rule identifies situations where an Elastic Defend alert is generated on a host and is not followed by
    any normal endpoint activity events within a short time window. This may indicate agent tampering, sensor
    disablement, host shutdown, system crash, or defense evasion behavior.

    ### Possible investigation steps

    - Review the original `endpoint.alert` event and identify the detection that triggered the alert.
    - Check the host’s online status, uptime, and reboot history.
    - Verify the health and status of the Elastic Defend agent and related services.
    - Look for evidence of agent tampering, service stops, or security control modifications.
    - Correlate with activity immediately preceding the alert for signs of exploitation or evasion.
    - Determine if similar alert → silence patterns are occurring on other hosts.

    ### False positive analysis

    - Legitimate system reboots or shutdowns
    - Network connectivity loss
    - Elastic Agent upgrades or restarts
    - Endpoint service crashes
    - Maintenance or IT operations

    ### Response and remediation

    - Validate host and agent availability.
    - Reconnect or re-enroll the agent if telemetry is missing.
    - Isolate the host if malicious activity is suspected.
    - Investigate for security control tampering.
    - Perform broader environment hunting for similar patterns.
    """
    references = ["https://attack.mitre.org/techniques/T1562/001/"]
    risk_score = 73
    rule_id = "fc552f49-8f1c-409b-90f8-6f5b9869b6c4"
    severity = "high"
    tags = [
        "Domain: Endpoint",
        "Data Source: Elastic Defend",
        "Use Case: Threat Detection",
        "Tactic: Defense Evasion",
        "Tactic: Execution",
        "Rule Type: Higher-Order Rule",
        "Resources: Investigation Guide",
    ]
    timestamp_override = "event.ingested"
    type = "eql"

    query = '''
    sequence by host.id with maxspan=5m
     [any where event.dataset == "endpoint.alerts"]
     ![any where event.category in ("process", "library", "registry", "network", "dns")]
    '''

    [[rule.threat]]
    framework = "MITRE ATT&CK"
    [[rule.threat.technique]]
    id = "T1562"
    name = "Impair Defenses"
    reference = "https://attack.mitre.org/techniques/T1562/"
    [[rule.threat.technique.subtechnique]]
    id = "T1562.001"
    name = "Disable or Modify Tools"
    reference = "https://attack.mitre.org/techniques/T1562/001/"

    [rule.threat.tactic]
    id = "TA0005"
    name = "Defense Evasion"
    reference = "https://attack.mitre.org/tactics/TA0005/"

    [[rule.threat]]
    framework = "MITRE ATT&CK"
    [[rule.threat.technique]]
    id = "T1204"
    name = "User Execution"
    reference = "https://attack.mitre.org/techniques/T1204/"
    [[rule.threat.technique.subtechnique]]
    id = "T1204.002"
    name = "Malicious File"
    reference = "https://attack.mitre.org/techniques/T1204/002/"

    [rule.threat.tactic]
    id = "TA0002"
    name = "Execution"
    reference = "https://attack.mitre.org/tactics/TA0002/"
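The query above is a "missing event" sequence: for each host.id, an endpoint.alerts event that is not followed by a process, library, registry, network or DNS event within the 5-minute maxspan produces a match. The following script is an added example that models that logic over a handful of constructed events; it is not code from the Elastic rule or the Elasticsearch EQL engine, and its handling of alerts whose window has not yet closed at evaluation time (reported as pending rather than matched) is an assumption about how a lookback such as `from = "now-9m"` gives the 5-minute window room to expire. The sample dataset names other than endpoint.alerts are constructed for the example, as are the host ids and timestamps.

```python
"""
Offline model of the rule's EQL sequence:

    sequence by host.id with maxspan=5m
      [any where event.dataset == "endpoint.alerts"]
      ![any where event.category in ("process", "library", "registry", "network", "dns")]

Events are constructed for this example; the matching logic is a simplified
reading of EQL missing-event semantics, not the Elasticsearch implementation.
"""
from datetime import datetime, timedelta, timezone

MAXSPAN = timedelta(minutes=5)  # "with maxspan=5m"
TELEMETRY_CATEGORIES = {"process", "library", "registry", "network", "dns"}

T0 = datetime(2026, 2, 10, 12, 0, tzinfo=timezone.utc)  # constructed base time


def ev(host_id, minutes, dataset=None, category=None):
    """Build a minimal constructed event using the ECS field names the rule reads."""
    e = {"host.id": host_id, "@timestamp": T0 + timedelta(minutes=minutes)}
    if dataset:
        e["event.dataset"] = dataset
    if category:
        e["event.category"] = category
    return e


# Constructed sample: four hosts, each starting with an Elastic Defend alert.
SAMPLE_EVENTS = [
    # host-a: process telemetry 2 minutes after the alert -> sequence does not match
    ev("host-a", 0, dataset="endpoint.alerts"),
    ev("host-a", 2, dataset="endpoint.events.process", category=["process"]),
    # host-b: next telemetry arrives 7 minutes later, outside maxspan -> match
    ev("host-b", 0, dataset="endpoint.alerts"),
    ev("host-b", 7, dataset="endpoint.events.network", category=["network"]),
    # host-c: alert 12 minutes in; at an evaluation time of T0+15m its window is still open
    ev("host-c", 12, dataset="endpoint.alerts"),
    # host-d: only "file" events follow; "file" is not in the rule's category list -> match
    ev("host-d", 0, dataset="endpoint.alerts"),
    ev("host-d", 1, dataset="endpoint.events.file", category=["file"]),
]


def is_alert(e):
    return e.get("event.dataset") == "endpoint.alerts"


def is_telemetry(e):
    """True when any event.category value is one the rule counts as telemetry."""
    cats = e.get("event.category", [])
    if isinstance(cats, str):
        cats = [cats]
    return any(c in TELEMETRY_CATEGORIES for c in cats)


def find_silent_alerts(events, now):
    """For every alert, look for telemetry from the same host.id within MAXSPAN.

    Returns (matches, pending) as sorted lists of (host.id, alert timestamp).
    'pending' holds alerts whose window has not elapsed at `now`; a rule run at
    that moment cannot decide them yet (assumed semantics, see lead-in).
    """
    by_host = {}
    for e in sorted(events, key=lambda x: x["@timestamp"]):
        by_host.setdefault(e["host.id"], []).append(e)

    matches, pending = [], []
    for host_id, host_events in by_host.items():
        for i, e in enumerate(host_events):
            if not is_alert(e):
                continue
            deadline = e["@timestamp"] + MAXSPAN
            # Events are sorted, so everything after index i is at or after the alert.
            followed = any(
                is_telemetry(later) and later["@timestamp"] <= deadline
                for later in host_events[i + 1:]
            )
            if followed:
                continue
            target = pending if deadline > now else matches
            target.append((host_id, e["@timestamp"]))
    return sorted(matches), sorted(pending)


def run_sample(now_minutes=15):
    """Evaluate the constructed events as if the rule ran now_minutes after T0."""
    return find_silent_alerts(SAMPLE_EVENTS, T0 + timedelta(minutes=now_minutes))


if __name__ == "__main__":
    matches, pending = run_sample()
    for host_id, ts in matches:
        print(f"MATCH   {host_id}: alert at {ts.isoformat()} with no telemetry for {MAXSPAN}")
    for host_id, ts in pending:
        print(f"PENDING {host_id}: window for alert at {ts.isoformat()} still open")
```

Two points the sample makes explicit: host-b shows that telemetry arriving after the maxspan does not rescue the sequence, so a host that is merely slow to report (the rule keys on event.ingested, so ingestion lag counts) will match; host-d shows that event categories outside the rule's list, such as file, do not count as telemetry, which is worth remembering when tuning the false-positive cases listed in the guide.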

Triage and analysis

Disclaimer: This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

Investigating Elastic Defend Alert Followed by Telemetry Loss

This rule identifies situations where an Elastic Defend alert is generated on a host and is not followed by any normal endpoint activity events within a short time window. This may indicate agent tampering, sensor disablement, host shutdown, system crash, or defense evasion behavior.

Possible investigation steps

  • Review the original endpoint.alert event and identify the detection that triggered the alert.
  • Check the host’s online status, uptime, and reboot history.
  • Verify the health and status of the Elastic Defend agent and related services.
  • Look for evidence of agent tampering, service stops, or security control modifications.
  • Correlate with activity immediately preceding the alert for signs of exploitation or evasion.
  • Determine if similar alert → silence patterns are occurring on other hosts.

False positive analysis

  • Legitimate system reboots or shutdowns
  • Network connectivity loss
  • Elastic Agent upgrades or restarts
  • Endpoint service crashes
  • Maintenance or IT operations

Response and remediation

  • Validate host and agent availability.
  • Reconnect or re-enroll the agent if telemetry is missing.
  • Isolate the host if malicious activity is suspected.
  • Investigate for security control tampering.
  • Perform broader environment hunting for similar patterns.
