Lateral Movement Alerts from a Newly Observed Source Address

 1[metadata]
 2creation_date = "2026/01/14"
 3maturity = "production"
 4updated_date = "2026/01/14"
 5
 6[rule]
 7author = ["Elastic"]
 8description = """
 9This rule detects source IPs that triggered their first lateral movement alert within the last 10 minutes (i.e., newly observed), while also triggering at least 2 distinct lateral movement detection rules. This surfaces new potentially malicious IPs exhibiting immediate lateral movement behavior.
10"""
11from = "now-7200m"
12interval = "10m"
13language = "esql"
14license = "Elastic License v2"
15name = "Lateral Movement Alerts from a Newly Observed Source Address"
16risk_score = 73
17rule_id = "0e67f4f1-f683-43c0-8d45-c3293cf31e5d"
18severity = "high"
19tags = ["Use Case: Threat Detection", "Rule Type: Higher-Order Rule", "Tactic: Lateral Movement", "Resources: Investigation Guide"]
20timestamp_override = "event.ingested"
21type = "esql"
22
23query = '''
24FROM .alerts-security.* METADATA _index
25
26// Lateral Movement related rules with fields of interest
27| where kibana.alert.rule.threat.tactic.name is not null and
28        source.ip IS NOT NULL and destination.ip is not null and
29        host.id is not null and KQL("""kibana.alert.rule.threat.tactic.name : "Lateral Movement" """)
30
31// aggregate stats by source.ip
32| stats  Esql.first_time_seen = MIN(@timestamp),
33         Esql.alerts_count = count(*),
34         Esql.unique_rules_count = COUNT_DISTINCT(kibana.alert.rule.name),
35         Esql.unique_count_host_id = COUNT_DISTINCT(host.id),
36         Esql.rule_name_values = VALUES(kibana.alert.rule.name),
37         Esql.user_name_values = VALUES(user.name),
38         Esql.host_id_values = VALUES(host.id),
39         Esql.host_ip_values = VALUES(host.ip),
40         Esql.tactic_name_values = VALUES(kibana.alert.rule.threat.tactic.name) by source.ip
41
42// values we will need for next filter
43| eval isLocal = locate(MV_CONCAT(to_string(Esql.host_ip_values), ","), to_string(source.ip)),
44       Esql.date_diff = DATE_DIFF("minute", Esql.first_time_seen, now())
45
46// at least 2 unique rules from same source.ip and that was first seen in last 5 days
47| where Esql.unique_rules_count >= 2 and
48        // matches are within 10m of the rule execution time to avoid alert duplicates
49        Esql.date_diff <= 10 and
50        // make sure source.ip is not equal to host.ip
51        not isLocal > 0 and
52        // reduce noise from SCCM, Nessus and alike
53        Esql.unique_count_host_id <= 3 and Esql.alerts_count <= 20
54| eval host.id = MV_FIRST(Esql.host_id_values), user.name = MV_FIRST(Esql.user_name_values)
55| KEEP Esql.*, source.ip, host.id, user.name
56'''
57note = """## Triage and analysis
58
59### Investigating Lateral Movement Alerts from a Newly Observed Source Address
60
61This rule surfaces newly observed, low-frequency source address triggering multiple lateral movement alerts.
62
63Because the alert has not been seen previously for this rule and host, it should be prioritized for validation to determine
64whether it represents a true compromise or rare benign activity.
65
66### Investigation Steps
67
68- Identify the source address, affected host, user and review the associated rule name to understand the behavior that triggered the alert.
69- Validate the source address and user context under which the activity occurred and assess whether it aligns with normal behavior for that address.
70- Refer to the specific rule investigation guide for further actions.
71
72### False Positive Considerations
73
74- Administrative scripts or automation tools can trigger behavior-based detections when first introduced.
75- Security tooling, IT management agents, or EDR integrations may generate new behavior alerts during updates or configuration changes.
76- Development or testing environments may produce one-off behaviors that resemble malicious techniques.
77
78### Response and Remediation
79
80- If the activity is confirmed malicious, isolate the affected host to prevent further execution or lateral movement.
81- Terminate malicious processes and remove any dropped files or persistence mechanisms.
82- Collect forensic artifacts to understand initial access and execution flow.
83- Patch or remediate any vulnerabilities or misconfigurations that enabled the behavior.
84- If benign, document the finding and consider tuning or exception handling to reduce future noise.
85- Continue monitoring the host and environment for recurrence of the behavior or related alerts."""
86references = ["https://www.elastic.co/docs/solutions/security/detect-and-alert/about-detection-rules"]
87
88[[rule.threat]]
89framework = "MITRE ATT&CK"
90[rule.threat.tactic]
91id = "TA0008"
92name = "Lateral Movement"
93reference = "https://attack.mitre.org/tactics/TA0008/"