Lateral Movement Alerts from a Newly Observed User

This rule detects multiple lateral movement alerts from a user that was observed for the first time in the previous 5 days of alerts history. Analysts can use this high-order detection to prioritize triage and response.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2026/01/14"
maturity = "production"
updated_date = "2026/01/14"

[rule]
author = ["Elastic"]
description = """
This rule detects multiple lateral movement alerts from a user that was observed for the first time in the previous 5 days
of alerts history. Analysts can use this high-order detection to prioritize triage and response.
"""
from = "now-7200m"
interval = "9m"
language = "esql"
license = "Elastic License v2"
name = "Lateral Movement Alerts from a Newly Observed User"
risk_score = 73
rule_id = "e819b7eb-c2d4-4adc-b0c9-658aeb140450"
severity = "high"
tags = ["OS: Windows", "Use Case: Threat Detection", "Rule Type: Higher-Order Rule", "Tactic: Lateral Movement", "Resources: Investigation Guide"]
timestamp_override = "event.ingested"
type = "esql"

query = '''
FROM .alerts-security.* METADATA _index

// Lateral Movement related rules, restricted to domain (S-1-5-21) and Azure AD (S-1-12) SIDs
| where kibana.alert.rule.threat.tactic.name is not null and user.id is not null and 
        (to_string(user.id) like "S-1-5-21*" or to_string(user.id) like "S-1-12-*") and
        host.id is not null and KQL("""kibana.alert.rule.threat.tactic.name : "Lateral Movement" """)

// aggregate stats by user.id
| stats  Esql.first_time_seen = MIN(@timestamp),
         Esql.alerts_count = count(*),
         Esql.unique_rules_count = COUNT_DISTINCT(kibana.alert.rule.name),
         Esql.unique_count_host_id = COUNT_DISTINCT(host.id),
         Esql.rule_name_values = VALUES(kibana.alert.rule.name),
         Esql.host_id_values = VALUES(host.id),
         Esql.host_ip_values = VALUES(host.ip),
         Esql.source_ip_values = VALUES(source.ip),
         Esql.process_cmd_line = VALUES(process.command_line),
         Esql.tactic_name_values = VALUES(kibana.alert.rule.threat.tactic.name) by user.id, user.name

// at least 2 unique lateral movement detection rules from the same user.id, whose first alert
// in the 5-day lookback is recent
| eval Esql.date_diff = DATE_DIFF("minute", Esql.first_time_seen, now())
| where Esql.unique_rules_count >= 2 and
        // first alert within 10m of the rule execution time (interval is 9m) to avoid alert duplicates
        Esql.date_diff <= 10
| eval source.ip = MV_FIRST(Esql.source_ip_values),  host.id = MV_FIRST(Esql.host_id_values) 
| KEEP Esql.*, user.id, user.name, host.id, source.ip
'''
note = """## Triage and analysis

### Investigating Lateral Movement Alerts from a Newly Observed User

This rule surfaces a newly observed, low-frequency source user who has triggered alerts from at least two distinct lateral
movement detection rules, where the user's first lateral movement alert in the 5-day lookback falls within the last 10 minutes.

Because this user has not previously appeared in lateral movement alerts, the activity should be prioritized for validation
to determine whether it represents a true compromise or rare benign activity.

### Investigation Steps

- Identify the source user and the affected hosts, and review the associated rule names to understand the behaviors that triggered the alert.
- Validate the source address and the user context under which the activity occurred, and assess whether it aligns with normal behavior for that user and address.
- Refer to the investigation guide of each contributing rule for further actions.

### False Positive Considerations

- Administrative scripts or automation tools can trigger behavior-based detections when first introduced.
- Security tooling, IT management agents, or EDR integrations may generate new behavior alerts during updates or configuration changes.
- Development or testing environments may produce one-off behaviors that resemble malicious techniques.

### Response and Remediation

- If the activity is confirmed malicious, isolate the affected hosts to prevent further execution or lateral movement.
- Terminate malicious processes and remove any dropped files or persistence mechanisms.
- Collect forensic artifacts to understand initial access and execution flow.
- Patch or remediate any vulnerabilities or misconfigurations that enabled the behavior.
- If benign, document the finding and consider tuning or exception handling to reduce future noise.
- Continue monitoring the hosts and environment for recurrence of the behavior or related alerts."""
references = ["https://www.elastic.co/docs/solutions/security/detect-and-alert/about-detection-rules"]

[[rule.threat]]
framework = "MITRE ATT&CK"
[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"
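To see what the ES|QL pipeline above actually keeps and drops, here is a Python re-implementation of the query's row filter, per-user aggregation and thresholds, run over a constructed alert history. This is example code added for this page, not Elastic's code: the alert documents, rule names, SIDs and the fixed NOW are all made up, and DATE_DIFF is assumed to yield whole minutes, truncated.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Fixed "now" so the example is deterministic; the real rule uses now() at execution time.
NOW = datetime(2026, 1, 14, 12, 0, tzinfo=timezone.utc)
LM = "Lateral Movement"


def _alert(minutes_ago, user_id, user_name, rule, host_id, tactic=LM,
           source_ip="10.0.0.5", host_ip="10.0.1.20"):
    """Build one constructed alert document using the flattened field names the query reads."""
    return {
        "@timestamp": NOW - timedelta(minutes=minutes_ago),
        "user.id": user_id,
        "user.name": user_name,
        "kibana.alert.rule.name": rule,
        "kibana.alert.rule.threat.tactic.name": tactic,
        "host.id": host_id,
        "host.ip": host_ip,
        "source.ip": source_ip,
        "process.command_line": None,
    }


# Constructed sample alert history (not real Elastic data; rule names are placeholders).
SAMPLE_ALERTS = [
    # alice: first LM alert 4 min ago, two distinct LM rules on two hosts -> should fire
    _alert(4, "S-1-5-21-1000-2000-3000-1105", "alice", "LM rule A", "host-a"),
    _alert(2, "S-1-5-21-1000-2000-3000-1105", "alice", "LM rule B", "host-b"),
    # alice also has a non-LM alert in the same window; the tactic filter must drop it
    _alert(1, "S-1-5-21-1000-2000-3000-1105", "alice", "Persistence rule X", "host-a", tactic="Persistence"),
    # bob: the same two LM rules just now, but already seen 3 days ago -> not newly observed
    _alert(3 * 24 * 60, "S-1-5-21-1000-2000-3000-1106", "bob", "LM rule A", "host-c"),
    _alert(5, "S-1-5-21-1000-2000-3000-1106", "bob", "LM rule A", "host-c"),
    _alert(3, "S-1-5-21-1000-2000-3000-1106", "bob", "LM rule B", "host-d"),
    # SYSTEM: two LM rules, but S-1-5-18 fails the S-1-5-21 / S-1-12 SID prefix filter
    _alert(6, "S-1-5-18", "SYSTEM", "LM rule A", "host-e"),
    _alert(5, "S-1-5-18", "SYSTEM", "LM rule B", "host-e"),
    # carol (S-1-12- style SID): newly observed, but only one distinct rule -> no fire
    _alert(7, "S-1-12-1-111-222-333-444", "carol", "LM rule A", "host-f"),
    _alert(2, "S-1-12-1-111-222-333-444", "carol", "LM rule A", "host-g"),
]


def is_candidate(alert):
    """Row filter from the query's first `where` clause."""
    uid = alert.get("user.id")
    return (
        alert.get("kibana.alert.rule.threat.tactic.name") == LM
        and uid is not None
        and (str(uid).startswith("S-1-5-21") or str(uid).startswith("S-1-12-"))
        and alert.get("host.id") is not None
    )


def run_rule(alerts, now=NOW, lookback_minutes=7200, min_unique_rules=2, max_age_minutes=10):
    """Mirror the stats / eval / where pipeline: one output row per (user.id, user.name)."""
    window_start = now - timedelta(minutes=lookback_minutes)  # from = "now-7200m"
    groups = defaultdict(list)
    for a in alerts:
        if a["@timestamp"] < window_start or not is_candidate(a):
            continue
        groups[(a["user.id"], a["user.name"])].append(a)

    hits = []
    for (uid, uname), rows in groups.items():
        first_seen = min(r["@timestamp"] for r in rows)           # MIN(@timestamp)
        rule_names = {r["kibana.alert.rule.name"] for r in rows}  # COUNT_DISTINCT / VALUES
        host_ids = {r["host.id"] for r in rows}
        # DATE_DIFF("minute", first_seen, now()); assumed to give whole minutes, truncated
        date_diff = int((now - first_seen).total_seconds() // 60)
        if len(rule_names) >= min_unique_rules and date_diff <= max_age_minutes:
            hits.append({
                "user.id": uid,
                "user.name": uname,
                "Esql.first_time_seen": first_seen,
                "Esql.alerts_count": len(rows),
                "Esql.unique_rules_count": len(rule_names),
                "Esql.unique_count_host_id": len(host_ids),
                "Esql.rule_name_values": sorted(rule_names),
                "Esql.host_id_values": sorted(host_ids),
                "Esql.date_diff": date_diff,
                # MV_FIRST over VALUES(): ES|QL guarantees no ordering, so this is "some value"
                "source.ip": rows[0]["source.ip"],
                "host.id": rows[0]["host.id"],
            })
    return hits


if __name__ == "__main__":
    for hit in run_rule(SAMPLE_ALERTS):
        print(hit["user.name"], hit["Esql.unique_rules_count"], hit["Esql.rule_name_values"],
              hit["Esql.date_diff"], "min since first seen")
```

Run against the sample history, only alice produces a row. Two things worth keeping in mind when tuning: "newly observed" is bounded by the 5-day lookback, so a user whose earlier lateral movement alerts have all aged out of the window looks new again (drop bob's 3-day-old alert and he fires); and `source.ip` / `host.id` on the output row are one arbitrary member of the multi-valued `VALUES()` lists, so use `Esql.host_id_values` and `Esql.source_ip_values` for triage rather than the single picked value.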
