Multiple Rare Elastic Defend Behavior Rules by Host
Identifies hosts that triggered multiple distinct Elastic Defend behavior rules, while reducing false positives by considering only behavior rules that appear on a single host globally (via INLINE STATS). Hosts with two or more such rare behavior rules are more likely to be compromised and warrant prioritized triage.
Elastic rule
[metadata]
creation_date = "2026/02/19"
maturity = "production"
min_stack_comments = "ES|QL inline stats became generally available in 9.3.0"
min_stack_version = "9.3.0"
updated_date = "2026/02/19"

[rule]
author = ["Elastic"]
description = """
Identifies hosts that triggered multiple distinct Elastic Defend behavior rules, while reducing false positives by
considering only behavior rules that appear on a single host globally (via INLINE STATS). Hosts with two or more
such rare behavior rules are more likely to be compromised and warrant prioritized triage.
"""
from = "now-60m"
interval = "30m"
language = "esql"
license = "Elastic License v2"
name = "Multiple Rare Elastic Defend Behavior Rules by Host"
risk_score = 99
rule_id = "c4f7a2b1-5d8e-4c3a-9b6e-2f1a0d8c7e5b"
severity = "critical"
tags = ["Use Case: Threat Detection", "Rule Type: Higher-Order Rule", "Resources: Investigation Guide", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "esql"

query = '''
from logs-endpoint.alerts-* metadata _id
| where event.dataset == "endpoint.alerts" and event.code == "behavior"
| INLINE STATS hosts = COUNT_DISTINCT(host.id) BY rule.name
// excludes rules triggering on multiple hosts to reduce potential FPs
| where hosts == 1
| stats Esql.rule_name_count_distinct = COUNT_DISTINCT(rule.name),
        Esql.rule_name_values = VALUES(rule.name),
        Esql.process_executable_values = VALUES(process.executable),
        Esql.process_parent_executable_values = VALUES(process.parent.executable),
        Esql.process_command_line_values = VALUES(process.command_line),
        Esql.process_parent_command_line_values = VALUES(process.parent.command_line),
        Esql.process_hash_sha256_values = VALUES(process.hash.sha256),
        Esql.file_path_values = VALUES(file.path),
        Esql.dll_path_values = VALUES(dll.path),
        Esql.dll_hash_sha256_values = VALUES(dll.hash.sha256),
        Esql.user_name_values = VALUES(user.name) by host.id
// at least 2 unique rules
| where Esql.rule_name_count_distinct >= 2
// populate fields to use in rule exceptions
| eval process.hash.sha256 = MV_FIRST(Esql.process_hash_sha256_values),
       process.executable = MV_FIRST(Esql.process_executable_values),
       process.parent.executable = MV_FIRST(Esql.process_parent_executable_values),
       process.command_line = MV_FIRST(Esql.process_command_line_values),
       user.name = MV_FIRST(Esql.user_name_values)
| Keep host.id, user.name, process.executable, process.parent.executable, process.hash.sha256, process.command_line, Esql.*
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Multiple Rare Elastic Defend Behavior Rules by Host

This rule correlates Elastic Defend behavior alerts by host and applies a global prevalence filter: only behavior rules that fire on a single host in the lookback window are considered. Hosts that trigger two or more such rare behavior rules are flagged, as this pattern is more likely to indicate real compromise than commonly seen behavior rules.

### Possible investigation steps

- Review the listed behavior rule names and the associated process command lines (and parent command lines) to understand what actions triggered the alerts.
- Identify the user(s) associated with the activity and confirm whether the behavior is expected for that role or host.
- Correlate with other endpoint and network data for the host (process, network, file events) to assess scope and persistence.
- Compare timestamps of the alerts to determine if activity is part of a single campaign or staged execution.

### False positive analysis

- The global prevalence filter (rules seen on only one host) reduces noise from behavior rules that fire widely (e.g., common software or policy). If legitimate single-host tools or scripts trigger multiple rare behavior rules, consider documenting and excluding known-good rule names or hosts.
- Development or testing hosts may exhibit multiple rare behaviors; consider lowering severity or excluding those hosts if appropriate.

### Response and remediation

- Isolate the host if triage indicates compromise, then follow standard incident response procedures.
- Collect and preserve artifacts (process hashes, command lines, files) for further analysis.
- Escalate to the security team for full investigation and potential containment or eradication actions.
"""
references = [
    "https://www.elastic.co/docs/reference/query-languages/esql/commands/inlinestats-by",
    "https://github.com/elastic/protections-artifacts/tree/main/behavior",
]
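The two-stage logic of the query above (the INLINE STATS prevalence filter, then the per-host count of distinct rare rules) replayed in Python over a constructed set of behavior alerts, as an added illustration that is not part of the Elastic rule. The rule names, hosts and paths are made up; MV_FIRST is approximated by taking the first value seen.

```python
from collections import defaultdict

# Constructed sample alerts (not real telemetry); fields mirror those the ES|QL query reads.
SAMPLE_ALERTS = [
    {"host.id": "host-A", "rule.name": "Script Interpreter Spawned From Office App",
     "process.executable": "C:\\Windows\\System32\\wscript.exe", "user.name": "alice"},
    {"host.id": "host-A", "rule.name": "Execution From Unusual Directory",
     "process.executable": "C:\\Users\\alice\\AppData\\Local\\Temp\\svc.exe", "user.name": "alice"},
    {"host.id": "host-A", "rule.name": "Suspicious Admin Tool Usage",
     "process.executable": "C:\\Windows\\System32\\cmd.exe", "user.name": "alice"},
    {"host.id": "host-B", "rule.name": "Suspicious Admin Tool Usage",
     "process.executable": "C:\\Windows\\System32\\cmd.exe", "user.name": "bob"},
    {"host.id": "host-B", "rule.name": "Unusual Network Tool Execution",
     "process.executable": "C:\\Windows\\System32\\certutil.exe", "user.name": "bob"},
]

def single_host_rules(alerts):
    """Stage 1 (INLINE STATS + where hosts == 1): rule names seen on exactly one host.id."""
    hosts_per_rule = defaultdict(set)
    for a in alerts:
        hosts_per_rule[a["rule.name"]].add(a["host.id"])
    return {rule for rule, hosts in hosts_per_rule.items() if len(hosts) == 1}

def correlate_rare_rules(alerts, min_rules=2):
    """Stage 2 (stats ... by host.id): keep hosts with >= min_rules distinct rare rules."""
    rare = single_host_rules(alerts)
    per_host = defaultdict(lambda: {"rules": set(), "executables": [], "users": []})
    for a in alerts:
        if a["rule.name"] not in rare:
            continue  # a rule that fired on several hosts is dropped before aggregation
        h = per_host[a["host.id"]]
        h["rules"].add(a["rule.name"])
        h["executables"].append(a["process.executable"])
        h["users"].append(a["user.name"])
    results = {}
    for host, h in per_host.items():
        if len(h["rules"]) < min_rules:
            continue  # mirrors '| where Esql.rule_name_count_distinct >= 2'
        results[host] = {
            "rule_name_count_distinct": len(h["rules"]),
            "rule_name_values": sorted(h["rules"]),
            "process.executable": h["executables"][0],  # stand-in for MV_FIRST
            "user.name": h["users"][0],
        }
    return results

if __name__ == "__main__":
    for host, summary in correlate_rare_rules(SAMPLE_ALERTS).items():
        print(host, summary)
```

In the sample, "Suspicious Admin Tool Usage" fires on both hosts and is discarded, so host-A is flagged on its two remaining single-host rules while host-B, left with one, is not.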
Related rules
- Elastic Defend and Network Security Alerts Correlation
- Elastic Defend Alert Followed by Telemetry Loss
- Newly Observed Elastic Defend Behavior Alert
- Multiple Elastic Defend Alerts from a Single Process Tree
- Elastic Defend and Email Alerts Correlation