Elastic Defend and Email Alerts Correlation

This rule correlates any Elastic Defend alert with an email security related alert by target user name. This may indicate the successful execution of a phishing attack.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2025/11/19"
maturity = "production"
updated_date = "2025/11/19"

[rule]
author = ["Elastic"]
description = """
This rule correlates any Elastic Defend alert with an email security related alert by target user name. This may indicate
the successful execution of a phishing attack.
"""
from = "now-1h"
interval = "45m"
language = "esql"
license = "Elastic License v2"
name = "Elastic Defend and Email Alerts Correlation"
risk_score = 73
rule_id = "c562a800-cf97-464e-9d6f-84db91e86e10"
severity = "high"
tags = [
    "Use Case: Threat Detection",
    "Rule Type: Higher-Order Rule",
    "Resources: Investigation Guide",
    "Data Source: Elastic Defend",
    "Domain: Email",
    "Domain: Endpoint"
]
timestamp_override = "event.ingested"
type = "esql"

query = '''
from logs-* metadata _id
// Email or Elastic Defend alerts where user name is populated
| where
  (event.category == "email" and event.kind == "alert" and destination.user.name is not null) or
  (event.module == "endpoint" and event.dataset == "endpoint.alerts" and user.name is not null)

// extract target user name from email and endpoint alerts
| eval email_alert_target_user_name = CASE(event.category == "email", destination.user.name, null),
       elastic_defend_alert_user_name = CASE(event.module == "endpoint" and event.dataset == "endpoint.alerts", user.name, null)
| eval Esql.target_user_name = COALESCE(email_alert_target_user_name, elastic_defend_alert_user_name)
| where Esql.target_user_name is not null

// group by Esql.target_user_name
| stats Esql.alerts_count = COUNT(*),
        Esql.event_module_distinct_count = COUNT_DISTINCT(event.module),
        Esql.event_module_values = VALUES(event.module),
        Esql.message_values = VALUES(message),
        Esql.event_action_values = VALUES(event.action),
        Esql.process_executable_values = VALUES(process.executable),
        Esql.host_id_values = VALUES(host.id),
        Esql.source_user_name = VALUES(source.user.name),
        Esql.rule_name_values = VALUES(rule.name)
        by Esql.target_user_name
// alert when same user is observed in an endpoint and email alert
| where Esql.event_module_distinct_count >= 2
| keep Esql.alerts_count, Esql.event_module_values, Esql.host_id_values, Esql.source_user_name, Esql.target_user_name, Esql.message_values, Esql.rule_name_values, Esql.event_action_values
'''
note = """## Triage and analysis
### Investigating Elastic Defend and Email Alerts Correlation

This rule correlates any Elastic Defend alert with an email security related alert by target user name.

### Possible investigation steps
- Review the alert details to identify the specific host and users involved.
- Investigate the individual alerts for the target user name and see if they are related.
- Review all emails received from Esql.source_user_name and if there are other impacted users.
- Correlate the alert data with other logs and telemetry from the host, such as process creation, network connections, and file modifications, to gather additional context.
- Assess the impact and scope of the potential compromise by determining if other hosts or systems have similar alerts or related activity.

### False positive analysis
- Legitimate email marked as suspicious.
- Legitimate file or behavior marked as suspicious by Elastic Defend.
- Unrelated alerts where the target user name is too generic.

### Response and remediation
- Isolate the affected host from the network immediately to prevent further lateral movement by the adversary.
- Conduct a thorough forensic analysis of the host.
- Remove any identified malicious software or unauthorized access tools from the host, ensuring all persistence mechanisms are eradicated.
- Restore the host from a known good backup if necessary, ensuring that the backup is free from compromise.
- Monitor the host and network for any signs of re-infection or further suspicious activity, using enhanced logging and alerting based on the identified attack patterns.
- Escalate the incident to the appropriate internal or external cybersecurity teams for further investigation and potential legal action if the attack is part of a larger campaign."""
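As an added worked example (not part of the rule or the Elastic detection-rules repository), the following Python mirrors the ES|QL query's logic over a few constructed alert documents: the target user is taken from `destination.user.name` for email alerts and from `user.name` for Elastic Defend alerts, alerts are grouped by that user, and only users seen in at least two distinct `event.module` values are kept. The sample documents, including the `email_security` module name on the email alert, are constructed assumptions, not real telemetry.

```python
from collections import defaultdict

# Constructed sample alerts (not real data): one email-security alert and one
# Elastic Defend alert for user "jdoe", plus an unrelated endpoint alert for "asmith".
SAMPLE_ALERTS = [
    {"event": {"category": "email", "kind": "alert", "module": "email_security"},
     "destination": {"user": {"name": "jdoe"}},
     "source": {"user": {"name": "billing@example.invalid"}}, "rule": {"name": "Phishing URL detected"}},
    {"event": {"module": "endpoint", "dataset": "endpoint.alerts", "kind": "alert"},
     "user": {"name": "jdoe"}, "host": {"id": "host-01"}, "rule": {"name": "Malicious Behavior Detection"}},
    {"event": {"module": "endpoint", "dataset": "endpoint.alerts", "kind": "alert"},
     "user": {"name": "asmith"}, "host": {"id": "host-02"}},
]

def get(doc, path):
    """Walk a dotted ECS field path in a nested dict; return None if any part is missing."""
    cur = doc
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def target_user(doc):
    """Mirror of the rule's eval/COALESCE: email alerts use destination.user.name, Defend alerts use user.name."""
    if get(doc, "event.category") == "email" and get(doc, "event.kind") == "alert":
        return get(doc, "destination.user.name")
    if get(doc, "event.module") == "endpoint" and get(doc, "event.dataset") == "endpoint.alerts":
        return get(doc, "user.name")
    return None

# Fields the rule aggregates with VALUES(), mapped to the Esql.* output names it uses.
VALUE_FIELDS = {"event.module": "event_module_values", "host.id": "host_id_values",
                "source.user.name": "source_user_name", "rule.name": "rule_name_values"}

def correlate(alerts):
    """Group by target user like `stats ... by Esql.target_user_name`; keep users seen in >= 2 modules."""
    groups = defaultdict(lambda: {"alerts_count": 0, **{k: set() for k in VALUE_FIELDS.values()}})
    for doc in alerts:
        user = target_user(doc)
        if user is None:  # the rule's `where Esql.target_user_name is not null`
            continue
        groups[user]["alerts_count"] += 1
        for field, key in VALUE_FIELDS.items():
            if (value := get(doc, field)) is not None:
                groups[user][key].add(value)
    return {u: g for u, g in groups.items() if len(g["event_module_values"]) >= 2}
```

Running `correlate(SAMPLE_ALERTS)` returns only `jdoe`, whose two alerts span both modules; `asmith` has a single endpoint alert and is dropped, which is the same behaviour as the query's `COUNT_DISTINCT(event.module) >= 2` filter.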
