Elastic Defend Alert from GenAI Utility or Descendant

Detects Elastic Defend alerts (behavior, malicious file, memory signature, shellcode) where the alerted process or its direct parent is a GenAI coding or assistant utility (e.g. Cursor, Claude, Windsurf, Cody, Continue, Aider, OpenClaw, Moltbot, Clawdbot, Codeium, Tabnine, GitHub Copilot). Activity from these tools can indicate prompt injection, malicious skills, or supply-chain abuse; this Higher-Order rule helps prioritize such alerts for triage.

Elastic rule

[metadata]
creation_date = "2026/02/27"
maturity = "production"
min_stack_comments = "ES|QL inline stats became generally available in 9.3.0 and MV_INTERSECTION is in preview since 9.3."
min_stack_version = "9.3.0"
updated_date = "2026/02/27"

[rule]
author = ["Elastic"]
description = """
Detects Elastic Defend alerts (behavior, malicious file, memory signature, shellcode) where the alerted process or its
direct parent is a GenAI coding or assistant utility (e.g. Cursor, Claude, Windsurf, Cody, Continue, Aider, OpenClaw,
Moltbot, Clawdbot, Codeium, Tabnine, GitHub Copilot). Activity from these tools can indicate prompt injection,
malicious skills, or supply-chain abuse; this Higher-Order rule helps prioritize such alerts for triage.
"""
from = "now-9m"
interval = "5m"
language = "esql"
license = "Elastic License v2"
name = "Elastic Defend Alert from GenAI Utility or Descendant"
note = """## Triage and analysis

### Investigating Elastic Defend Alert from GenAI Utility or Descendant

Elastic Defend has raised an alert on a process that is either a GenAI coding/assistant application or a direct child of one. This can indicate prompt injection, malicious extension/skill execution, or abuse of AI-assisted development tools (e.g. fake VS Code extensions, malicious ClawHub skills).

### Possible investigation steps

- Identify the GenAI utility by looking for a process whose entity_id appears in Esql.genai_ancestor_ids.
- Review the alert rule name and message to understand what behavior was detected (e.g. script execution, network, file write).
- Inspect process.command_line and parent command lines for download-and-execute, encoded commands, or suspicious arguments.
- Correlate with the same host and user for other alerts or with network/DNS for C2 or exfiltration.
- If the tool is Cursor/VS Code: check for recently installed extensions.
- If OpenClaw/Moltbot/Clawdbot: review installed skills and conversation history for prompt injection or malicious skill execution.

### False positive analysis

- Legitimate use of GenAI tools (e.g. running builds, package installs, or approved scripts) can trigger behavior rules. Tune by excluding known-safe rule names or process command-line patterns, or limit to higher-severity alerts.
- Approved automation or CI that runs under a GenAI-related process may need to be allowlisted.

### Response and remediation

- If abuse is confirmed: disable or restrict the GenAI tool, remove malicious extensions/skills, rotate any exposed API keys or credentials, and block IOCs at network/EDR level.
"""
references = [
    "https://attack.mitre.org/techniques/T1059/",
    "https://attack.mitre.org/techniques/T1195/002/",
]
risk_score = 99
rule_id = "d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a"
severity = "critical"
tags = [
    "Domain: Endpoint",
    "Domain: LLM",
    "Use Case: Threat Detection",
    "Tactic: Initial Access",
    "Rule Type: Higher-Order Rule",
    "Resources: Investigation Guide",
    "Data Source: Elastic Defend",
]
timestamp_override = "event.ingested"
type = "esql"

query = '''
FROM logs-endpoint.alerts-*, logs-endpoint.events.process-* metadata _id, _version, _index
| EVAL is_genai_spawn = TO_LOWER(process.parent.name) IN (
        "claude", "claude.exe", "cursor", "cursor.exe", "cursor helper", "cursor helper (plugin)",
        "codex", "codex.exe", "cody", "cody.exe", "copilot", "copilot.exe", "gemini-cli", "gemini-cli.exe",
        "openai", "openai.exe", "ollama", "ollama.exe", "llm", "llm.exe",
        "aider", "aider.exe", "cline", "cline.exe", "continue", "continue.exe",
        "zed", "zed.exe", "windsurf", "windsurf.exe",
        "tabnine", "tabnine.exe", "codeium", "codeium.exe", "bolt", "bolt.exe",
        "devin", "devin.exe", "replit", "replit.exe", "ghostwriter", "ghostwriter.exe", "bito", "bito.exe"
    ),
    is_openclaw_spawn = process.parent.name IN ("node", "node.exe") AND (process.parent.command_line LIKE "*openclaw*" OR process.parent.command_line LIKE "*moltbot*" OR process.parent.command_line LIKE "*clawdbot*")
| WHERE process.Ext.ancestry IS NOT NULL AND
   (event.dataset == "endpoint.alerts" OR is_genai_spawn OR is_openclaw_spawn)
// Identify GenAI tool spawn events and capture their entity_ids
| EVAL genai_entity_id = CASE(is_genai_spawn OR is_openclaw_spawn, process.parent.entity_id, NULL)

// Collect ALL GenAI entity_ids globally across the dataset
| INLINE STATS
    all_genai_entity_ids = VALUES(genai_entity_id) WHERE genai_entity_id IS NOT NULL
// Find which GenAI entity_ids appear in this process's ancestry
| EVAL Esql.genai_ancestor_ids = MV_INTERSECTION(all_genai_entity_ids, process.Ext.ancestry)

// Keep only Elastic Defend alerts that have a GenAI ancestor (parent or higher),
// excluding rules that already cover GenAI tool activity on their own
| WHERE Esql.genai_ancestor_ids IS NOT NULL
        AND event.dataset == "endpoint.alerts" AND NOT rule.name IN (
            "Persistence via GenAI Tool",
            "Code Editor Untrusted or Unsigned Child Process Execution",
            "Suspicious Credential Access via GenAI Tool",
            "Credential Access via GenAI Tool Descendant"
        )

| KEEP *
'''

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1195"
name = "Supply Chain Compromise"
reference = "https://attack.mitre.org/techniques/T1195/"
[[rule.threat.technique.subtechnique]]
id = "T1195.002"
name = "Compromise Software Supply Chain"
reference = "https://attack.mitre.org/techniques/T1195/002/"

[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
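The two-pass correlation the ES|QL query performs (collect the entity_ids of GenAI parents from process events, then intersect them with each alert's process.Ext.ancestry and drop the excluded rule names) is easier to reason about when run over a handful of events. The Python below is an added illustration written for this page, not code from Elastic's detection-rules repository; it reimplements the query's logic over constructed sample events and adds an optional command-line allowlist of the kind the false-positive section suggests for tuning. The event dictionaries, entity_id values and the `safe_cmdline_globs` parameter are assumptions made for the example.

```python
"""Plain-Python model of the rule's ancestry correlation (example, not the project's code)."""
from fnmatch import fnmatch

# Parent-name list taken from the rule's is_genai_spawn clause (compared lower-cased).
GENAI_PARENT_NAMES = {
    "claude", "claude.exe", "cursor", "cursor.exe", "cursor helper", "cursor helper (plugin)",
    "codex", "codex.exe", "cody", "cody.exe", "copilot", "copilot.exe", "gemini-cli", "gemini-cli.exe",
    "openai", "openai.exe", "ollama", "ollama.exe", "llm", "llm.exe",
    "aider", "aider.exe", "cline", "cline.exe", "continue", "continue.exe",
    "zed", "zed.exe", "windsurf", "windsurf.exe",
    "tabnine", "tabnine.exe", "codeium", "codeium.exe", "bolt", "bolt.exe",
    "devin", "devin.exe", "replit", "replit.exe", "ghostwriter", "ghostwriter.exe", "bito", "bito.exe",
}
# is_openclaw_spawn: a node parent whose command line mentions one of these (case-sensitive, like ES|QL LIKE).
OPENCLAW_PARENT_NAMES = {"node", "node.exe"}
OPENCLAW_CMDLINE_MARKERS = ("openclaw", "moltbot", "clawdbot")
# Rules the higher-order rule deliberately does not re-raise.
EXCLUDED_RULE_NAMES = {
    "Persistence via GenAI Tool",
    "Code Editor Untrusted or Unsigned Child Process Execution",
    "Suspicious Credential Access via GenAI Tool",
    "Credential Access via GenAI Tool Descendant",
}


def is_genai_spawn(event):
    return (event.get("process.parent.name") or "").lower() in GENAI_PARENT_NAMES


def is_openclaw_spawn(event):
    cmd = event.get("process.parent.command_line") or ""
    return (event.get("process.parent.name") in OPENCLAW_PARENT_NAMES
            and any(marker in cmd for marker in OPENCLAW_CMDLINE_MARKERS))


def collect_genai_entity_ids(events):
    """Pass 1, the INLINE STATS VALUES(genai_entity_id): every GenAI parent seen anywhere."""
    ids = set()
    for e in events:
        if e.get("process.Ext.ancestry") is None:  # mirrors the IS NOT NULL pre-filter
            continue
        if is_genai_spawn(e) or is_openclaw_spawn(e):
            ids.add(e["process.parent.entity_id"])
    return ids


def correlate(events, excluded_rule_names=EXCLUDED_RULE_NAMES, safe_cmdline_globs=()):
    """Pass 2, the MV_INTERSECTION and final WHERE. Returns the alerts the rule would emit.

    safe_cmdline_globs is an added tuning hook (assumed, not in the rule): alerts whose
    process.command_line matches one of the globs are treated as approved activity.
    """
    genai_ids = collect_genai_entity_ids(events)
    hits = []
    for e in events:
        if e.get("event.dataset") != "endpoint.alerts" or e.get("process.Ext.ancestry") is None:
            continue
        ancestors = genai_ids & set(e["process.Ext.ancestry"])
        if not ancestors or e.get("rule.name") in excluded_rule_names:
            continue
        cmd = e.get("process.command_line") or ""
        if any(fnmatch(cmd, glob) for glob in safe_cmdline_globs):
            continue
        hits.append({"_id": e["_id"], "rule.name": e["rule.name"],
                     "Esql.genai_ancestor_ids": sorted(ancestors)})
    return hits


# Constructed sample events (entity_ids and command lines are made up for the example).
SAMPLE_EVENTS = [
    # Cursor spawns a shell: this process event tells us "ent-cursor-1" is a GenAI tool.
    {"_id": "evt-1", "event.dataset": "endpoint.events.process", "process.parent.name": "Cursor.exe",
     "process.parent.entity_id": "ent-cursor-1", "process.Ext.ancestry": ["ent-cursor-1", "ent-explorer-1"]},
    # node running an OpenClaw gateway spawns bash: "ent-node-1" is a GenAI tool too.
    {"_id": "evt-2", "event.dataset": "endpoint.events.process", "process.parent.name": "node",
     "process.parent.command_line": "node /opt/openclaw/gateway.js",
     "process.parent.entity_id": "ent-node-1", "process.Ext.ancestry": ["ent-node-1", "ent-systemd-1"]},
    # Defend alert on a grandchild of Cursor: emitted, with the Cursor id as the GenAI ancestor.
    {"_id": "alrt-1", "event.dataset": "endpoint.alerts", "rule.name": "Suspicious PowerShell Download",
     "process.command_line": "powershell.exe -EncodedCommand <placeholder>",
     "process.Ext.ancestry": ["ent-ps-1", "ent-cursor-1", "ent-explorer-1"]},
    # Alert under OpenClaw but from an excluded rule: dropped.
    {"_id": "alrt-2", "event.dataset": "endpoint.alerts", "rule.name": "Persistence via GenAI Tool",
     "process.Ext.ancestry": ["ent-node-1", "ent-systemd-1"]},
    # Alert with no GenAI ancestor: dropped.
    {"_id": "alrt-3", "event.dataset": "endpoint.alerts", "rule.name": "Unusual Network Connection",
     "process.Ext.ancestry": ["ent-sshd-1"]},
    # Alert under OpenClaw from an approved build: emitted unless the build is allowlisted.
    {"_id": "alrt-4", "event.dataset": "endpoint.alerts", "rule.name": "Build Tool Network Activity",
     "process.command_line": "npm run build", "process.Ext.ancestry": ["ent-bash-1", "ent-node-1", "ent-systemd-1"]},
]

if __name__ == "__main__":
    for hit in correlate(SAMPLE_EVENTS, safe_cmdline_globs=("npm run build*",)):
        print(hit)
```

Two details worth noting when comparing this with the ES|QL: the GenAI parent list is matched after lower-casing (so "Cursor.exe" qualifies), while the OpenClaw command-line markers are matched case-sensitively, as LIKE is in ES|QL; and the collected entity_ids are global across the query window, so a GenAI tool only needs one child process event in the lookback period for every later alert under it to be tagged.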
