Newly Observed High Severity Detection Alert

This rule detects Elastic SIEM high severity detection alerts that are observed for the first time in the previous 5 days of alert history. It highlights low-volume, newly observed alerts tied to a specific detection rule; analysts can use this to prioritize triage and response.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2026/01/07"
maturity = "production"
updated_date = "2026/01/07"

[rule]
author = ["Elastic"]
description = """
This rule detects Elastic SIEM high severity detection alerts that are observed for the first time in the previous 5 days
of alert history. It highlights low-volume, newly observed alerts tied to a specific detection rule; analysts can use this
to prioritize triage and response.
"""
from = "now-7205m"
interval = "5m"
language = "esql"
license = "Elastic License v2"
name = "Newly Observed High Severity Detection Alert"
risk_score = 73
rule_id = "1a3d5b36-b995-4ace-9b85-8a0af429ccf6"
severity = "high"
tags = ["Use Case: Threat Detection", "Rule Type: Higher-Order Rule", "Resources: Investigation Guide"]
timestamp_override = "event.ingested"
type = "esql"

query = '''
FROM .alerts-security.*
| where kibana.alert.rule.name is not null and kibana.alert.risk_score >= 73 and
  not kibana.alert.rule.type in ("threat_match", "machine_learning", "new_terms") and
  not kibana.alert.rule.name like "Deprecated - *" and kibana.alert.rule.name != "My First Rule" and
  // endpoint.alerts is covered by 7306ce7d-5c90-4f42-aa6c-12b0dc2fe3b8
  event.dataset != "endpoint.alerts"
| STATS Esql.alerts_count = count(*),
        Esql.first_time_seen = MIN(@timestamp),
        Esql.last_time_seen = MAX(@timestamp),
        Esql.process_executable = VALUES(process.executable),
        Esql.cmd_line = VALUES(process.command_line),
        Esql.parent_executable = VALUES(process.parent.executable),
        Esql.file_path_values = VALUES(file.path),
        Esql.dll_path_values = VALUES(dll.path),
        Esql.user_id_values = VALUES(user.id),
        Esql.user_name_values = VALUES(user.name),
        Esql.agent_id_values = VALUES(agent.id),
        Esql.host_id_values = VALUES(host.id),
        Esql.event_module_values = VALUES(event.module),
        Esql.source_ip_values = VALUES(source.ip),
        Esql.agents_distinct_count = COUNT_DISTINCT(agent.id) by kibana.alert.rule.name
// first time seen in the last 5 days - the window is set by the rule schedule's "Additional look-back time" (from = now-7205m)
| eval Esql.recent = DATE_DIFF("minute", Esql.first_time_seen, now())
// first time seen is within 10m of the rule execution time, on exactly one agent, with few alerts that all share one timestamp
| where Esql.recent <= 10 and Esql.agents_distinct_count == 1 and Esql.alerts_count <= 10 and (Esql.last_time_seen == Esql.first_time_seen)
| keep kibana.alert.rule.name, Esql.*
'''
note = """## Triage and analysis

### Investigating Newly Observed High Severity Detection Alert

This rule surfaces newly observed, low-frequency, high severity behavior alerts affecting a single agent within the current day.

Because the alert has not been seen previously for this rule and host, it should be prioritized for validation to determine
whether it represents a true compromise or rare benign activity.

### Investigation Steps

- Identify the affected host and user, and review the associated rule name to understand the behavior that triggered the alert.
- Validate the user context under which the activity occurred and assess whether it aligns with normal behavior for that account.
- Refer to the specific rule's investigation guide for further actions.

### False Positive Considerations

- Newly deployed or updated software may introduce behavior not previously observed on the host.
- Administrative scripts or automation tools can trigger behavior-based detections when first introduced.
- Security tooling, IT management agents, or EDR integrations may generate new behavior alerts during updates or configuration changes.
- Development or testing environments may produce one-off behaviors that resemble malicious techniques.

### Response and Remediation

- If the activity is confirmed malicious, isolate the affected host to prevent further execution or lateral movement.
- Terminate malicious processes and remove any dropped files or persistence mechanisms.
- Collect forensic artifacts to understand initial access and execution flow.
- Patch or remediate any vulnerabilities or misconfigurations that enabled the behavior.
- If benign, document the finding and consider tuning or exception handling to reduce future noise.
- Continue monitoring the host and environment for recurrence of the behavior or related alerts."""
references = ["https://www.elastic.co/docs/solutions/security/detect-and-alert/about-detection-rules"]
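The ES|QL pipeline above is easy to misread, because three separate mechanisms decide what "newly observed" means: the rule schedule (from = now-7205m) limits which alert documents are queried at all, the STATS aggregation collapses them per rule name, and the final where clause keeps only rules whose first hit is at most 10 minutes old, on exactly one agent, with at most 10 alerts that all carry the same timestamp. The Python below is an added illustration, not Elastic's code and not how the detection engine executes ES|QL: it re-implements the same pipeline over constructed alert documents so each condition can be traced by hand. Field names are taken from the query; the clock value NOW, the rule names, agent ids and executable paths are constructed sample data.

```python
"""Pure-Python walk-through of the rule's ES|QL pipeline (added example, not
Elastic's code). Sample documents below are constructed, not real alerts."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

NOW = datetime(2026, 1, 7, 12, 0, tzinfo=timezone.utc)  # stand-in for now()
LOOKBACK_MINUTES = 7205  # from = "now-7205m": 5 days plus one 5m interval
RECENT_MINUTES = 10      # Esql.recent <= 10
MAX_ALERTS = 10          # Esql.alerts_count <= 10
EXCLUDED_TYPES = ("threat_match", "machine_learning", "new_terms")


def alert(name, minutes_ago, agent, **extra):
    """Construct one alert document with just the fields the query reads."""
    doc = {
        "@timestamp": NOW - timedelta(minutes=minutes_ago),
        "kibana.alert.rule.name": name,
        "kibana.alert.rule.type": "eql",
        "kibana.alert.risk_score": 73,
        "event.dataset": "endpoint.process",
        "agent.id": agent,
        "process.executable": "C:\\Tools\\example.exe",
    }
    doc.update(extra)
    return doc


SAMPLE_ALERTS = [  # constructed; rule names and agent ids are invented
    # one fresh alert on one agent -> surfaces
    alert("Suspicious LSASS Access", 3, "agent-01"),
    # two alerts sharing a timestamp on one agent -> surfaces (count 2)
    alert("Rare Service Install", 4, "agent-02"),
    alert("Rare Service Install", 4, "agent-02",
          **{"process.executable": "C:\\Tools\\svc.exe"}),
    # first seen 3 days ago inside the window -> not recent, excluded
    alert("Unusual Scheduled Task", 3 * 24 * 60, "agent-03"),
    alert("Unusual Scheduled Task", 2, "agent-03"),
    # fresh, but on two agents at once -> agents_distinct_count != 1
    alert("Remote Service Creation", 5, "agent-04"),
    alert("Remote Service Creation", 5, "agent-05"),
    # earlier hit is 6 days old, outside the window -> today's hit counts as new
    alert("Encoded PowerShell", 6 * 24 * 60, "agent-06"),
    alert("Encoded PowerShell", 1, "agent-06"),
    # dropped by the first where clause
    alert("Low Risk Probe", 1, "agent-07", **{"kibana.alert.risk_score": 47}),
    alert("ML Anomaly", 1, "agent-08", **{"kibana.alert.rule.type": "machine_learning"}),
    alert("Endpoint Prevention", 1, "agent-09", **{"event.dataset": "endpoint.alerts"}),
    alert("Deprecated - Old Rule", 1, "agent-10"),
]


def in_window(doc, now=NOW):
    """Rule schedule: only documents newer than now-7205m are queried at all."""
    return now - doc["@timestamp"] <= timedelta(minutes=LOOKBACK_MINUTES)


def passes_where(doc):
    """The query's first where clause, condition by condition."""
    name = doc.get("kibana.alert.rule.name")
    return (
        name is not None
        and doc.get("kibana.alert.risk_score", 0) >= 73
        and doc.get("kibana.alert.rule.type") not in EXCLUDED_TYPES
        and not name.startswith("Deprecated - ")
        and name != "My First Rule"
        and doc.get("event.dataset") != "endpoint.alerts"
    )


def stats_by_rule(docs, now=NOW):
    """STATS ... BY kibana.alert.rule.name over the surviving documents."""
    groups = defaultdict(list)
    for doc in docs:
        if in_window(doc, now) and passes_where(doc):
            groups[doc["kibana.alert.rule.name"]].append(doc)
    rows = {}
    for name, group in groups.items():
        stamps = [d["@timestamp"] for d in group]
        rows[name] = {
            "alerts_count": len(group),
            "first_time_seen": min(stamps),
            "last_time_seen": max(stamps),
            "agents_distinct_count": len({d["agent.id"] for d in group}),
            # VALUES() returns the distinct values; sorted here for stable output
            "process_executable": sorted({d["process.executable"] for d in group}),
        }
    return rows


def newly_observed(docs, now=NOW):
    """eval Esql.recent plus the final where clause."""
    hits = {}
    for name, row in stats_by_rule(docs, now).items():
        # DATE_DIFF("minute", first_time_seen, now()) -> whole minutes
        recent = int((now - row["first_time_seen"]).total_seconds() // 60)
        if (recent <= RECENT_MINUTES
                and row["agents_distinct_count"] == 1
                and row["alerts_count"] <= MAX_ALERTS
                and row["last_time_seen"] == row["first_time_seen"]):
            hits[name] = dict(row, recent=recent)
    return hits


if __name__ == "__main__":
    for name, row in newly_observed(SAMPLE_ALERTS).items():
        print(f"{name}: {row['alerts_count']} alert(s), first seen {row['recent']} min ago")
```

Running it surfaces three rules: the single fresh alert, the pair that share one timestamp, and the rule whose only earlier hit fell outside the 5-day window. The "Unusual Scheduled Task" case is the one worth noting during tuning: a rule that already fired three days ago on the same agent is aggregated with its new hit, so its first_time_seen is old and it never surfaces, which is exactly the "previously seen" suppression the description promises.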

Triage and analysis

Investigating Newly Observed High Severity Detection Alert

This rule surfaces newly observed, low-frequency, high severity behavior alerts affecting a single agent within the current day.

Because the alert has not been seen previously for this rule and host, it should be prioritized for validation to determine whether it represents a true compromise or rare benign activity.

Investigation Steps

  • Identify the affected host and user, and review the associated rule name to understand the behavior that triggered the alert.
  • Validate the user context under which the activity occurred and assess whether it aligns with normal behavior for that account.
  • Refer to the specific rule's investigation guide for further actions.

False Positive Considerations

  • Newly deployed or updated software may introduce behavior not previously observed on the host.
  • Administrative scripts or automation tools can trigger behavior-based detections when first introduced.
  • Security tooling, IT management agents, or EDR integrations may generate new behavior alerts during updates or configuration changes.
  • Development or testing environments may produce one-off behaviors that resemble malicious techniques.

Response and Remediation

  • If the activity is confirmed malicious, isolate the affected host to prevent further execution or lateral movement.
  • Terminate malicious processes and remove any dropped files or persistence mechanisms.
  • Collect forensic artifacts to understand initial access and execution flow.
  • Patch or remediate any vulnerabilities or misconfigurations that enabled the behavior.
  • If benign, document the finding and consider tuning or exception handling to reduce future noise.
  • Continue monitoring the host and environment for recurrence of the behavior or related alerts.
