Newly Observed Elastic Defend Behavior Alert

This rule detects Elastic Defend behavior alerts that are observed for the first time today when compared against the previous 5 days of alert history. It highlights low-volume, newly observed alerts tied to a specific detection rule, which analysts can use to prioritize triage and response.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2026/01/05"
maturity = "production"
updated_date = "2026/01/16"

[rule]
author = ["Elastic"]
description = """
This rule detects Elastic Defend behavior alerts that are observed for the first time today when compared against the previous
5 days of alert history. It highlights low-volume, newly observed alerts tied to a specific detection rule, which analysts can
use to prioritize triage and response.
"""
from = "now-7205m"
interval = "5m"
language = "esql"
license = "Elastic License v2"
name = "Newly Observed Elastic Defend Behavior Alert"
risk_score = 73
rule_id = "7306ce7d-5c90-4f42-aa6c-12b0dc2fe3b8"
severity = "high"
tags = ["Use Case: Threat Detection", "Rule Type: Higher-Order Rule", "Resources: Investigation Guide", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "esql"

query = '''
from logs-endpoint.alerts-*
| WHERE event.code == "behavior" and rule.name is not null
| STATS Esql.alerts_count = count(*),
        Esql.first_time_seen = MIN(@timestamp),
        Esql.last_time_seen = MAX(@timestamp),
        Esql.agents_distinct_count = COUNT_DISTINCT(agent.id),
        Esql.process_executable = VALUES(process.executable),
        Esql.process_parent_executable = VALUES(process.parent.executable),
        Esql.process_command_line = VALUES(process.command_line),
        Esql.process_hash_sha256 = VALUES(process.hash.sha256),
        Esql.host_id_values = VALUES(host.id),
        Esql.user_name = VALUES(user.name) by rule.name
// first time seen in the last 5 days - defined in the rule schedule Additional look-back time
| eval Esql.recent = DATE_DIFF("minute", Esql.first_time_seen, now())
// first time seen is within 10m of the rule execution time
| where Esql.recent <= 10 and Esql.agents_distinct_count == 1 and Esql.alerts_count <= 10 and (Esql.last_time_seen == Esql.first_time_seen)

// Move single values to their corresponding ECS fields for alerts exclusion
| eval host.id = mv_min(Esql.host_id_values)

| keep host.id, rule.name, Esql.*
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Newly Observed Elastic Defend Behavior Alert

Elastic Defend behavior alerts indicate suspicious activity observed on an endpoint that may not yet be widespread or repeated.
This rule surfaces newly observed, low-frequency behavior alerts affecting a single agent within the current day, which can
represent early-stage malware execution, initial persistence attempts, or hands-on-keyboard activity.

Because the alert has not been seen previously for this rule and host, it should be prioritized for validation to determine
whether it represents a true compromise or rare benign activity.

### Investigation Steps

- Identify the affected host and review the associated Elastic Defend rule name to understand the behavior that triggered the alert.
- Review the process details, including executable path, parent process, command line, and SHA-256 hash.
- Determine whether the process is expected on the host by validating its origin, signer, and execution context.
- Examine the alert timeline to confirm that all activity occurred within a short time window and assess whether behavior escalated.
- Correlate with additional endpoint telemetry such as:
  - Process creation and termination
  - File modifications
  - Network connections
  - Registry or persistence-related activity
- Check whether the process hash, command line, or related indicators are known malicious or associated with recent campaigns.
- Validate the user context under which the activity occurred and assess whether it aligns with normal behavior for that account.

### False Positive Considerations

- Newly deployed or updated software may introduce behavior not previously observed on the host.
- Administrative scripts or automation tools can trigger behavior-based detections when first introduced.
- Security tooling, IT management agents, or EDR integrations may generate new behavior alerts during updates or configuration changes.
- Development or testing environments may produce one-off behaviors that resemble malicious techniques.

### Response and Remediation

- If the activity is confirmed malicious, isolate the affected host to prevent further execution or lateral movement.
- Terminate malicious processes and remove any dropped files or persistence mechanisms.
- Collect forensic artifacts to understand initial access and execution flow.
- Patch or remediate any vulnerabilities or misconfigurations that enabled the behavior.
- If benign, document the finding and consider tuning or exception handling to reduce future noise.
- Continue monitoring the host and environment for recurrence of the behavior or related alerts."""
references = ["https://github.com/elastic/protections-artifacts/tree/main/behavior"]
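To make the query's logic concrete, the following Python reimplements the ES|QL pipeline above (the WHERE filter, the STATS ... BY rule.name aggregation, the DATE_DIFF recency check and the final where clause) over a handful of constructed alert documents. This is an added example, not code from the Elastic rule or the detection-rules repository; the sample alerts, rule names, hosts, hashes and the fixed "now" are all made up, and the function name newly_observed_behavior_alerts is an assumption. It covers the cases the query distinguishes: a genuinely new single alert, a rule name already seen within the 5-day look-back, a burst whose alerts do not share one timestamp, a non-behavior alert, and an alert without a rule name.

```python
"""Reimplementation of the rule's ES|QL aggregation and filters over constructed alerts."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Fixed rule execution time standing in for ES|QL now(); constructed value.
NOW = datetime(2026, 1, 16, 12, 0, tzinfo=timezone.utc)


def _alert(rule_name, minutes_ago, agent_id, host_id, event_code="behavior",
           executable="C:\\Windows\\System32\\wscript.exe",
           parent="C:\\Windows\\explorer.exe",
           command_line="wscript.exe //B setup.vbs",
           sha256="<constructed-sha256>", user="alice"):
    """Build one constructed alert document carrying the ECS fields the query reads."""
    return {
        "@timestamp": NOW - timedelta(minutes=minutes_ago),
        "event.code": event_code,
        "rule.name": rule_name,
        "agent.id": agent_id,
        "host.id": host_id,
        "process.executable": executable,
        "process.parent.executable": parent,
        "process.command_line": command_line,
        "process.hash.sha256": sha256,
        "user.name": user,
    }


# Constructed sample data (not real telemetry) covering each branch of the query.
SAMPLE_ALERTS = [
    # A: single behavior alert, one agent, 3 minutes old -> newly observed
    _alert("Suspicious Script Execution", 3, "agent-1", "host-1"),
    # B: same rule name fired two days ago on another agent -> first_time_seen is old
    _alert("Persistence via Registry Run Key", 2 * 24 * 60, "agent-2", "host-2"),
    _alert("Persistence via Registry Run Key", 2, "agent-3", "host-3"),
    # C: new, one agent, but two alerts one minute apart -> last_time_seen != first_time_seen
    _alert("Credential Access via LSASS", 4, "agent-4", "host-4"),
    _alert("Credential Access via LSASS", 3, "agent-4", "host-4"),
    # D: not a behavior alert -> dropped by the WHERE clause
    _alert("Memory Threat Detected", 1, "agent-5", "host-5", event_code="memory_signature"),
    # E: behavior alert without a rule name -> dropped by the WHERE clause
    _alert(None, 1, "agent-6", "host-6"),
]


def newly_observed_behavior_alerts(alerts, now=NOW, recent_minutes=10, max_alerts=10):
    """Return the rows the ES|QL query would emit for `alerts`, one per rule.name."""
    # WHERE event.code == "behavior" and rule.name is not null, then STATS ... BY rule.name
    groups = defaultdict(list)
    for a in alerts:
        if a["event.code"] == "behavior" and a["rule.name"] is not None:
            groups[a["rule.name"]].append(a)

    rows = []
    for rule_name, docs in groups.items():
        stamps = [d["@timestamp"] for d in docs]
        first_seen, last_seen = min(stamps), max(stamps)      # MIN/MAX(@timestamp)
        agents = {d["agent.id"] for d in docs}                # COUNT_DISTINCT(agent.id)
        # DATE_DIFF("minute", first_time_seen, now()) yields whole minutes since first sighting
        recent = int((now - first_seen).total_seconds() // 60)
        # | where Esql.recent <= 10 and agents == 1 and count <= 10 and last == first
        if not (recent <= recent_minutes and len(agents) == 1
                and len(docs) <= max_alerts and last_seen == first_seen):
            continue
        host_ids = {d["host.id"] for d in docs}
        rows.append({
            "rule.name": rule_name,
            "host.id": min(host_ids),                         # mv_min(Esql.host_id_values)
            "Esql.alerts_count": len(docs),
            "Esql.first_time_seen": first_seen,
            "Esql.last_time_seen": last_seen,
            "Esql.agents_distinct_count": len(agents),
            # VALUES(...) collects the distinct values seen in the group
            "Esql.process_executable": sorted({d["process.executable"] for d in docs}),
            "Esql.process_parent_executable": sorted({d["process.parent.executable"] for d in docs}),
            "Esql.process_command_line": sorted({d["process.command_line"] for d in docs}),
            "Esql.process_hash_sha256": sorted({d["process.hash.sha256"] for d in docs}),
            "Esql.user_name": sorted({d["user.name"] for d in docs}),
            "Esql.recent": recent,
        })
    return rows


if __name__ == "__main__":
    for row in newly_observed_behavior_alerts(SAMPLE_ALERTS):
        print(row["rule.name"], row["host.id"], row["Esql.alerts_count"], row["Esql.recent"])
```

Two consequences of the query's shape are worth keeping in mind when tuning it. First, `from = "now-7205m"` makes the aggregation span five days plus one five-minute interval, so a rule name that fired at any point in that window on any host drives `Esql.first_time_seen` back and suppresses the alert; the "newly observed" property is per rule name across the whole fleet, not per host. Second, because `Esql.recent <= 10` is evaluated against a window that is only 10 minutes wide and the rule runs every 5 minutes, a qualifying alert can surface in at most two consecutive runs, and the `last_time_seen == first_time_seen` condition means a burst of alerts at different timestamps from the same rule is deliberately not surfaced.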
