Elastic Defend and Network Security Alerts Correlation

This rule correlates any Elastic Defend alert with a set of suspicious events from network security devices such as Palo Alto Networks (PANW) and Fortinet Fortigate, joining on host.ip and source.ip. A match may indicate that the host is compromised and is triggering alerts across multiple data sources.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2025/11/18"
integration = ["endpoint", "panw", "fortinet_fortigate", "suricata"]
maturity = "production"
updated_date = "2026/02/11"

[rule]
author = ["Elastic"]
description = """
This rule correlates any Elastic Defend alert with a set of suspicious events from Network security devices like Palo Alto
Networks (PANW) and Fortinet Fortigate by host.ip and source.ip. This may indicate that this host is compromised and
triggering multi-datasource alerts.
"""
from = "now-60m"
interval = "10m"
language = "esql"
license = "Elastic License v2"
name = "Elastic Defend and Network Security Alerts Correlation"
risk_score = 73
rule_id = "0bca7e73-e1b5-4fb2-801b-9b5f5be20dfe"
setup = """## Setup

This rule requires the `host.ip` field to be populated.
For **Elastic Defend** events on versions **8.18 and above**, this field is **disabled by default**.

If you are using **Elastic Defend**, ensure host IP collection is enabled by following the configuration steps in the
[helper guide](https://www.elastic.co/docs/solutions/security/configure-elastic-defend/configure-data-volume-for-elastic-endpoint#host-fields).
"""
severity = "high"
tags = [
    "Use Case: Threat Detection",
    "Rule Type: Higher-Order Rule",
    "Resources: Investigation Guide",
    "Data Source: Elastic Defend",
    "Data Source: Fortinet",
    "Data Source: PAN-OS"
]
timestamp_override = "event.ingested"
type = "esql"

query = '''
FROM logs-* metadata _id
| WHERE
        // Elastic Defend Alerts
        (event.module == "endpoint" and event.dataset == "endpoint.alerts") or

        // PANW suspicious events
        (event.dataset == "panw.panos" and
         event.action in ("virus_detected", "wildfire_virus_detected", "c2_communication", "spyware_detected", "large_upload", "denied", "exploit_detected")) or

        // Fortigate suspicious events
        (event.dataset == "fortinet_fortigate.log" and
         (event.action in ("outbreak-prevention", "infected", "blocked") or message like "backdoor*" or message like "Proxy*" or message like "anomaly*" or message like "P2P*" or message like "misc*" or message like "DNS.Over.HTTPS" or message like "Remote.Access")) or

        // Suricata
        (event.dataset == "suricata.eve" and message in ("Command and Control Traffic", "Potentially Bad Traffic", "A Network Trojan was detected", "Detection of a Network Scan", "Domain Observed Used for C2 Detected", "Malware Command and Control Activity Detected"))

// extract source.ip from PANW or Fortigate events and host.ip from Elastic Defend alert
|eval fw_alert_source_ip = CASE(event.dataset in ("panw.panos", "fortinet_fortigate.log"), source.ip, null),
      elastic_defend_alert_host_ip = CASE(event.module == "endpoint" and event.dataset == "endpoint.alerts", host.ip, null)
| eval Esql.source_ip = COALESCE(fw_alert_source_ip, elastic_defend_alert_host_ip)
| where Esql.source_ip is not null

// group by host_source_ip shared between FG/PANW and Elastic Defend
| stats Esql.alerts_count = COUNT(*),
        Esql.event_module_distinct_count = COUNT_DISTINCT(event.module),
        Esql.message_values_distinct_count = COUNT_DISTINCT(message),
        Esql.event_module_values = VALUES(event.module),
        Esql.message_values = VALUES(message),
        Esql.event_action_values = VALUES(event.action),
        Esql.process_executable_values = VALUES(process.executable),
        Esql.process_hash_sha256_values = VALUES(process.hash.sha256),
        Esql.process_cmdline_values = VALUES(process.command_line),
        Esql.file_path_values = VALUES(file.path),
        Esql.file_hash_sha256_values = VALUES(file.hash.sha256),
        Esql.host_id_values = VALUES(host.id),
        Esql.user_name_values = VALUES(user.name),
        Esql.destination_ip_values = VALUES(destination.ip)
        by Esql.source_ip
| where Esql.event_module_distinct_count >= 2 AND Esql.message_values_distinct_count >= 2
| eval concat_module_values = MV_CONCAT(Esql.event_module_values, ",")
// Make sure an endpoint alert is present along one of the network ones
| where concat_module_values like "*endpoint*"

// Move single values to their corresponding ECS fields for alerts exclusion
| eval source.ip = mv_min(Esql.source_ip),
       host.id = mv_min(Esql.host_id_values),
       user.name = mv_min(Esql.user_name_values)

| keep source.ip, host.id, user.name, Esql.*
'''
note = """## Triage and analysis

### Investigating Elastic Defend and Network Security Alerts Correlation

This rule correlates any Elastic Defend alert with suspicious events from Network Security datasources like Palo Alto Networks (PANW), Fortinet Fortigate and Suricata by host.ip and source.ip.

### Possible investigation steps

- Review the alert details to identify the specific host and users involved.
- Investigate the network alerts by destination.ip and message.
- Examine the timeline of the alerts to understand the sequence of events and determine if there is a pattern or progression in the tactics used.
- Correlate the alert data with other logs and telemetry from the host, such as process creation, network connections, and file modifications, to gather additional context.
- Check for any indicators of compromise (IOCs) associated with the alerts, such as suspicious IP addresses, domains, or file hashes, and search for these across the network.
- Assess the impact and scope of the potential compromise by determining if other hosts or systems have similar alerts or related activity.

### False positive analysis

- IP address ranges overlap where the host.ip value from the Elastic Defend alert is unrelated to the source.ip value from the Network Security alert.
- Alerts from routine administrative tasks may trigger multiple alerts. Review and exclude known benign activities such as scheduled software updates or system maintenance.
- Security tools running on the host might generate alerts across different tactics. Identify and exclude alerts from trusted security applications to reduce noise.
- Automated scripts or batch processes can mimic adversarial behavior. Analyze and whitelist these processes if they are verified as non-threatening.
- Frequent alerts from development or testing environments can be misleading. Consider excluding these environments from the rule or applying a different risk score.
- User behavior anomalies, such as accessing multiple systems or applications, might trigger alerts. Implement user behavior baselines to differentiate between normal and suspicious activities.

### Response and remediation

- Isolate the affected host from the network immediately to prevent further lateral movement by the adversary.
- Conduct a thorough forensic analysis of the host to identify the specific vulnerabilities exploited and gather evidence of the attack phases involved.
- Remove any identified malicious software or unauthorized access tools from the host, ensuring all persistence mechanisms are eradicated.
- Apply security patches and updates to the host to address any exploited vulnerabilities and prevent similar attacks.
- Restore the host from a known good backup if necessary, ensuring that the backup is free from compromise.
- Monitor the host and network for any signs of re-infection or further suspicious activity, using enhanced logging and alerting based on the identified attack patterns.
- Escalate the incident to the appropriate internal or external cybersecurity teams for further investigation and potential legal action if the attack is part of a larger campaign."""
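To make the query's join and thresholding behaviour concrete, the Python below is an added offline simulation; it is not code from Elastic or from the rule itself. It transcribes the WHERE clause, the CASE()/COALESCE() key derivation and the STATS thresholds, and runs them over constructed ECS-like events (every IP, host id, user name and message is made up, and `fnmatchcase` stands in for ES|QL LIKE's `*` wildcard, assumed case-sensitive). Two behaviours it makes visible that the query does not state outright: Suricata events pass the WHERE clause, but neither CASE() branch maps their source.ip, so they never receive a correlation key and fall out at `where Esql.source_ip is not null`; and a Defend alert without host.ip (the 8.18+ default described under Setup) has nothing to join on and is silently dropped.

```python
# Offline simulation of the correlation performed by the ES|QL rule above.
# Events are ECS-like dicts with dotted field names; all samples are constructed.
from collections import defaultdict
from fnmatch import fnmatchcase

# Selection criteria transcribed from the rule's WHERE clause.
PANW_ACTIONS = {"virus_detected", "wildfire_virus_detected", "c2_communication",
                "spyware_detected", "large_upload", "denied", "exploit_detected"}
FORTIGATE_ACTIONS = {"outbreak-prevention", "infected", "blocked"}
FORTIGATE_MESSAGE_PATTERNS = ("backdoor*", "Proxy*", "anomaly*", "P2P*", "misc*",
                              "DNS.Over.HTTPS", "Remote.Access")
SURICATA_MESSAGES = {"Command and Control Traffic", "Potentially Bad Traffic",
                     "A Network Trojan was detected", "Detection of a Network Scan",
                     "Domain Observed Used for C2 Detected", "Malware Command and Control Activity Detected"}
# Only these datasets have their source.ip mapped to the correlation key by CASE().
FIREWALL_DATASETS = {"panw.panos", "fortinet_fortigate.log"}

def is_defend_alert(e):
    return e.get("event.module") == "endpoint" and e.get("event.dataset") == "endpoint.alerts"

def is_network_event(e):
    """PANW, Fortigate and Suricata branches of the WHERE clause."""
    ds, action, msg = e.get("event.dataset"), e.get("event.action"), e.get("message") or ""
    if ds == "panw.panos":
        return action in PANW_ACTIONS
    if ds == "fortinet_fortigate.log":
        return action in FORTIGATE_ACTIONS or any(fnmatchcase(msg, p) for p in FORTIGATE_MESSAGE_PATTERNS)
    if ds == "suricata.eve":
        return msg in SURICATA_MESSAGES
    return False

def _values(v):
    """Normalise a possibly multivalued ECS field to a list (absent -> [])."""
    return [] if v is None else (list(v) if isinstance(v, (list, tuple)) else [v])

def correlation_keys(e):
    """Mirror CASE()/COALESCE(): firewall events key on source.ip, Defend alerts on host.ip.
    Suricata passes WHERE but matches neither CASE branch, so it yields no key and is
    dropped by `where Esql.source_ip is not null`. A multivalued host.ip contributes the
    row to one group per value, as ES|QL STATS ... BY does for multivalued keys."""
    if e.get("event.dataset") in FIREWALL_DATASETS:
        return _values(e.get("source.ip"))
    return _values(e.get("host.ip")) if is_defend_alert(e) else []

def _distinct(rows, field):
    return sorted({x for r in rows for x in _values(r.get(field))})

def correlate(events):
    """Return one row per correlated IP, shaped like the rule's KEEP list."""
    groups = defaultdict(list)
    for e in events:
        if is_defend_alert(e) or is_network_event(e):
            for ip in correlation_keys(e):
                groups[ip].append(e)
    results = []
    for ip, rows in sorted(groups.items()):
        modules, messages = _distinct(rows, "event.module"), _distinct(rows, "message")
        # COUNT_DISTINCT thresholds, then the MV_CONCAT(...) like "*endpoint*" guard.
        if len(modules) < 2 or len(messages) < 2 or "endpoint" not in modules:
            continue
        host_ids, users = _distinct(rows, "host.id"), _distinct(rows, "user.name")
        results.append({
            "source.ip": ip,
            "host.id": host_ids[0] if host_ids else None,  # mv_min()
            "user.name": users[0] if users else None,      # mv_min()
            "Esql.alerts_count": len(rows),
            "Esql.event_module_values": modules,
            "Esql.message_values": messages,
            "Esql.event_action_values": _distinct(rows, "event.action"),
            "Esql.destination_ip_values": _distinct(rows, "destination.ip"),
        })
    return results

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Defend alert with a multivalued host.ip; only 10.1.2.3 has a firewall partner.
    {"event.module": "endpoint", "event.dataset": "endpoint.alerts", "host.ip": ["10.1.2.3", "fe80::1"],
     "host.id": "host-a", "user.name": "alice", "message": "Malware Prevention Alert", "event.action": "execution"},
    {"event.module": "panw", "event.dataset": "panw.panos", "source.ip": "10.1.2.3",
     "destination.ip": "192.0.2.10", "event.action": "c2_communication", "message": "spyware"},
    # Fortigate match with no Defend alert on that IP: a single module, dropped.
    {"event.module": "fortinet_fortigate", "event.dataset": "fortinet_fortigate.log",
     "source.ip": "10.9.9.9", "event.action": "detected", "message": "backdoor: Generic.Bot"},
    # Suricata match plus a Defend alert on the same IP: Suricata gets no key, so no correlation.
    {"event.module": "suricata", "event.dataset": "suricata.eve", "source.ip": "10.5.5.5",
     "message": "Command and Control Traffic"},
    {"event.module": "endpoint", "event.dataset": "endpoint.alerts", "host.ip": "10.5.5.5",
     "host.id": "host-b", "user.name": "bob", "message": "Memory Threat Prevention Alert"},
    # Defend alert with host.ip not collected (8.18+ default) beside a PANW hit: nothing to join on.
    {"event.module": "endpoint", "event.dataset": "endpoint.alerts", "host.id": "host-c",
     "user.name": "carol", "message": "Ransomware Prevention Alert"},
    {"event.module": "panw", "event.dataset": "panw.panos", "source.ip": "10.7.7.7",
     "event.action": "virus_detected", "message": "virus"},
]

if __name__ == "__main__":
    for row in correlate(SAMPLE_EVENTS):
        print(row)
```

Running it yields a single correlated row for 10.1.2.3. The simulation also shows why the first false-positive note matters: the join is on the IP alone, with no host identity in the key, so two unrelated systems that share an address (overlapping ranges, NAT) land in the same group. The host.id and user.name values the rule carries through with mv_min() are what lets an analyst confirm the Defend alert and the firewall event really concern the same machine.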

Triage and analysis

Investigating Elastic Defend and Network Security Alerts Correlation

This rule correlates any Elastic Defend alert with suspicious events from Network Security datasources like Palo Alto Networks (PANW), Fortinet Fortigate and Suricata by host.ip and source.ip.

Possible investigation steps

  • Review the alert details to identify the specific host and users involved.
  • Investigate the network alerts by destination.ip and message.
  • Examine the timeline of the alerts to understand the sequence of events and determine if there is a pattern or progression in the tactics used.
  • Correlate the alert data with other logs and telemetry from the host, such as process creation, network connections, and file modifications, to gather additional context.
  • Check for any indicators of compromise (IOCs) associated with the alerts, such as suspicious IP addresses, domains, or file hashes, and search for these across the network.
  • Assess the impact and scope of the potential compromise by determining if other hosts or systems have similar alerts or related activity.

False positive analysis

  • IP address ranges overlap where the host.ip value from the Elastic Defend alert is unrelated to the source.ip value from the Network Security alert.
  • Alerts from routine administrative tasks may trigger multiple alerts. Review and exclude known benign activities such as scheduled software updates or system maintenance.
  • Security tools running on the host might generate alerts across different tactics. Identify and exclude alerts from trusted security applications to reduce noise.
  • Automated scripts or batch processes can mimic adversarial behavior. Analyze and whitelist these processes if they are verified as non-threatening.
  • Frequent alerts from development or testing environments can be misleading. Consider excluding these environments from the rule or applying a different risk score.
  • User behavior anomalies, such as accessing multiple systems or applications, might trigger alerts. Implement user behavior baselines to differentiate between normal and suspicious activities.

Response and remediation

  • Isolate the affected host from the network immediately to prevent further lateral movement by the adversary.
  • Conduct a thorough forensic analysis of the host to identify the specific vulnerabilities exploited and gather evidence of the attack phases involved.
  • Remove any identified malicious software or unauthorized access tools from the host, ensuring all persistence mechanisms are eradicated.
  • Apply security patches and updates to the host to address any exploited vulnerabilities and prevent similar attacks.
  • Restore the host from a known good backup if necessary, ensuring that the backup is free from compromise.
  • Monitor the host and network for any signs of re-infection or further suspicious activity, using enhanced logging and alerting based on the identified attack patterns.
  • Escalate the incident to the appropriate internal or external cybersecurity teams for further investigation and potential legal action if the attack is part of a larger campaign.
