Multiple Elastic Defend Alerts from a Single Process Tree

Detects multiple Elastic Defend EDR alerts originating from the same process tree, indicating coordinated malicious activity. Analysts can use this to prioritize triage and response, as these hosts are more likely to be compromised.

Elastic rule

[metadata]
creation_date = "2025/12/31"
maturity = "production"
updated_date = "2025/12/31"

[rule]
author = ["Elastic"]
description = """
Detects multiple Elastic Defend EDR alerts originating from the same process tree, indicating coordinated malicious activity.
Analysts can use this to prioritize triage and response, as these hosts are more likely to be compromised.
"""
from = "now-9m"
interval = "8m"
language = "esql"
license = "Elastic License v2"
name = "Multiple Elastic Defend Alerts from a Single Process Tree"
references = [
    "https://github.com/elastic/protections-artifacts/tree/main/yara/rules",
    "https://github.com/elastic/protections-artifacts/tree/main/behavior"
]
risk_score = 73
rule_id = "25a4207c-5c05-4680-904c-6e3411b275fa"
severity = "high"
tags = ["Use Case: Threat Detection", "Rule Type: Higher-Order Rule", "Resources: Investigation Guide", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "esql"

query = '''
from logs-endpoint.alerts-*

// process.Ext.ancestry is an array of the unique process IDs of all ancestors of the alert's actor process
| where event.code in ("malicious_file", "memory_signature", "shellcode_thread", "behavior") and
        agent.id is not null and not rule.name in ("Multi.EICAR.Not-a-virus") and process.Ext.ancestry is not null

// aggregate alerts by process.Ext.ancestry and agent.id
| stats Esql.alerts_count = COUNT(*),
        Esql.rule_name_distinct_count = COUNT_DISTINCT(rule.name),
        Esql.event_code_distinct_count = COUNT_DISTINCT(event.code),
        Esql.process_id_distinct_count = COUNT_DISTINCT(process.entity_id),
        Esql.message_values = VALUES(message),
        Esql.user_name_values = VALUES(user.name),
        Esql.threat_tactic_name_values = VALUES(threat.tactic.name),
        Esql.threat_technique_name_values = VALUES(threat.technique.name),
        Esql.process_command_line_values = VALUES(process.command_line),
        Esql.process_parent_executable_values = values(process.parent.executable),
        Esql.file_path_values = VALUES(file.path),
        Esql.file_hash_sha256_values = VALUES(file.hash.sha256),
        Esql.process_hash_sha256_values = VALUES(process.hash.sha256),
        Esql.dns_question_name_values = VALUES(dns.question.name) by process.Ext.ancestry, agent.id

// filter for at least 3 unique process IDs and 2 or more alert types or rule names.
| where Esql.process_id_distinct_count >= 3 and (Esql.rule_name_distinct_count >= 2 or Esql.event_code_distinct_count >= 2)

// keep unique values
| stats Esql.alert_names = values(Esql.message_values),
        Esql.alerts_process_cmdline_values = VALUES(Esql.process_command_line_values),
        Esql.alerts_user_names = VALUES(Esql.user_name_values),
        Esql.alerts_mitre_tactics = values(Esql.threat_tactic_name_values),
        Esql.alerts_mitre_techniques = VALUES(Esql.threat_technique_name_values),
        Esql.alerts_process_parent_executable = values(Esql.process_parent_executable_values),
        Esql.alerts_file_paths = VALUES(Esql.file_path_values),
        Esql.alerts_file_hash_sha256 = VALUES(Esql.file_hash_sha256_values),
        Esql.alerts_process_hash_sha256 = VALUES(Esql.process_hash_sha256_values),
        Esql.alerts_dns_question_names = VALUES(Esql.dns_question_name_values) by agent.id
| keep Esql.*, agent.id
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Multiple Elastic Defend Alerts from a Single Process Tree

Detects multiple Elastic Defend EDR alerts originating from the same process tree, indicating coordinated malicious activity.

### Possible investigation steps

- Review the alert details to identify the specific host involved and the different alerts that triggered.
- Examine the timeline of the alerts to understand the sequence of events and determine the root cause.
- Correlate the alert data with other logs and telemetry from the host, such as process creation, network connections, and file modifications, to gather additional context.
- Check for any indicators of compromise (IOCs) associated with the alerts, such as suspicious IP addresses, domains, or file hashes, and search for these across the network.
- Assess the impact and scope of the potential compromise by determining if other hosts or systems have similar alerts or related activity.

### False positive analysis

- Security tools running on the host might generate multiple alerts from the same process tree.
- Automated scripts or batch processes can mimic adversarial behavior. Analyze and whitelist these processes if they are verified as non-threatening.
- Frequent alerts from development or testing environments can be misleading. Consider excluding these environments from the rule or applying a different risk score.

### Response and remediation

- Isolate the affected host from the network immediately to prevent further lateral movement by the adversary.
- Conduct a thorough forensic analysis of the host to identify the specific vulnerabilities exploited and gather evidence of the attack phases involved.
- Remove any identified malicious software or unauthorized access tools from the host, ensuring all persistence mechanisms are eradicated.
- Apply security patches and updates to the host to address any exploited vulnerabilities and prevent similar attacks.
- Restore the host from a known good backup if necessary, ensuring that the backup is free from compromise.
- Monitor the host and network for any signs of re-infection or further suspicious activity, using enhanced logging and alerting based on the identified attack patterns.
- Escalate the incident to the appropriate internal or external cybersecurity teams for further investigation and potential legal action if the attack is part of a larger campaign."""
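The ES|QL query above is a two-stage aggregation: filter eligible alerts, group them by process tree and host, apply the distinct-process and distinct-rule/event-code thresholds, then collapse the surviving trees into one row per host. The following Python is an added example, not part of the Elastic rule or its repository, that models that pipeline over constructed alert documents so the threshold behaviour can be checked offline before tuning the rule. The alert documents, rule names and process IDs are invented, and the ancestry array is treated as an opaque grouping key, which is an assumed simplification of how ES|QL groups on a multi-valued field.

```python
"""Offline model of the rule's ES|QL filter -> stats -> where -> stats pipeline."""
from collections import defaultdict

# Mirrors the first `where` clause of the rule.
ALERT_CODES = {"malicious_file", "memory_signature", "shellcode_thread", "behavior"}
EXCLUDED_RULE_NAMES = {"Multi.EICAR.Not-a-virus"}

# Thresholds from the second `where` clause.
MIN_DISTINCT_PROCESSES = 3
MIN_DISTINCT_RULES_OR_CODES = 2


def make_alert(agent, ancestry, pid, code, rule, user="alice", cmd=None):
    """Build one constructed alert document using the ECS field names the rule reads."""
    return {
        "agent.id": agent,
        "process.Ext.ancestry": ancestry,   # list of ancestor entity_ids, or None
        "process.entity_id": pid,
        "event.code": code,
        "rule.name": rule,
        "message": f"{code}: {rule}",
        "user.name": user,
        "process.command_line": cmd,
    }


# Constructed sample data (not real telemetry; rule names and IDs are invented).
SAMPLE_ALERTS = [
    # agent-1, one tree: 3 actor processes, 3 rule names, 2 event codes -> meets thresholds
    make_alert("agent-1", ["p-1", "p-2"], "p-100", "behavior", "Office Spawned Shell", cmd="cmd.exe /c whoami"),
    make_alert("agent-1", ["p-1", "p-2"], "p-101", "behavior", "Script Interpreter Download", cmd="powershell.exe -File update.ps1"),
    make_alert("agent-1", ["p-1", "p-2"], "p-102", "memory_signature", "Injected Code in Memory"),
    # agent-1, an event.code the rule does not consider -> dropped by the first filter
    make_alert("agent-1", ["p-1", "p-2"], "p-103", "credential_access", "Credential Dumping"),
    # agent-2, one tree: 3 actor processes but a single rule name and event code -> below threshold
    make_alert("agent-2", ["p-1", "p-9"], "p-200", "malicious_file", "Suspicious Archive Drop", user="bob"),
    make_alert("agent-2", ["p-1", "p-9"], "p-201", "malicious_file", "Suspicious Archive Drop", user="bob"),
    make_alert("agent-2", ["p-1", "p-9"], "p-202", "malicious_file", "Suspicious Archive Drop", user="bob"),
    # agent-3: EICAR test detections and an alert with no ancestry -> all excluded
    make_alert("agent-3", ["p-1"], "p-300", "malicious_file", "Multi.EICAR.Not-a-virus"),
    make_alert("agent-3", ["p-1"], "p-301", "malicious_file", "Multi.EICAR.Not-a-virus"),
    make_alert("agent-3", None, "p-302", "behavior", "Office Spawned Shell"),
]


def eligible(alert):
    """First `where`: alert types of interest, an agent id, no EICAR, and a known ancestry."""
    return (
        alert["event.code"] in ALERT_CODES
        and alert["agent.id"] is not None
        and alert["rule.name"] not in EXCLUDED_RULE_NAMES
        and alert["process.Ext.ancestry"] is not None
    )


def stats_by_tree(alerts):
    """First `stats ... by process.Ext.ancestry, agent.id`.

    The ancestry array is used as an opaque tuple key here (an assumed
    simplification of ES|QL grouping on a multi-valued field).
    """
    groups = defaultdict(list)
    for a in alerts:
        if eligible(a):
            groups[(tuple(a["process.Ext.ancestry"]), a["agent.id"])].append(a)

    def distinct(rows, field):
        # VALUES()/COUNT_DISTINCT() ignore missing values, so drop None here too.
        return {r[field] for r in rows if r[field] is not None}

    return {
        key: {
            "alerts_count": len(rows),
            "rule_name_distinct_count": len(distinct(rows, "rule.name")),
            "event_code_distinct_count": len(distinct(rows, "event.code")),
            "process_id_distinct_count": len(distinct(rows, "process.entity_id")),
            "message_values": distinct(rows, "message"),
            "user_name_values": distinct(rows, "user.name"),
            "process_command_line_values": distinct(rows, "process.command_line"),
        }
        for key, rows in groups.items()
    }


def trees_over_threshold(tree_stats):
    """Second `where`: >= 3 distinct actor processes and >= 2 rule names or event codes."""
    return {
        key: s for key, s in tree_stats.items()
        if s["process_id_distinct_count"] >= MIN_DISTINCT_PROCESSES
        and (s["rule_name_distinct_count"] >= MIN_DISTINCT_RULES_OR_CODES
             or s["event_code_distinct_count"] >= MIN_DISTINCT_RULES_OR_CODES)
    }


def summarize_by_agent(flagged):
    """Second `stats ... by agent.id`: one row per host, union of the tree-level value sets."""
    per_agent = defaultdict(lambda: {"alert_names": set(), "user_names": set(), "cmdlines": set()})
    for (_ancestry, agent), s in flagged.items():
        per_agent[agent]["alert_names"] |= s["message_values"]
        per_agent[agent]["user_names"] |= s["user_name_values"]
        per_agent[agent]["cmdlines"] |= s["process_command_line_values"]
    return dict(per_agent)


def run_rule(alerts=SAMPLE_ALERTS):
    """Full pipeline: filter -> per-tree stats -> threshold -> per-host summary."""
    return summarize_by_agent(trees_over_threshold(stats_by_tree(alerts)))


if __name__ == "__main__":
    for agent, summary in run_rule().items():
        print(agent, sorted(summary["alert_names"]))
```

Running it flags only `agent-1`: `agent-2` has three distinct actor processes but only one rule name and one event code, so it never passes the second `where`, and the EICAR and ancestry-less alerts on `agent-3` are dropped before aggregation. Adjusting `MIN_DISTINCT_PROCESSES` or adding entries to `EXCLUDED_RULE_NAMES` on this sample set is a quick way to reason about a tuning change before editing the production rule.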