Newly Observed High Severity Suricata Alert
This rule detects Suricata high severity alerts that are observed for the first time in the previous 5 days of alert history. Analysts can use this to prioritize triage and response.
Elastic rule
[metadata]
creation_date = "2026/01/20"
integration = ["suricata"]
maturity = "production"
updated_date = "2026/02/17"

[rule]
author = ["Elastic"]
description = """
This rule detects Suricata high severity alerts that are observed for the first time in the previous 5 days of alert history.
Analysts can use this to prioritize triage and response.
"""
from = "now-7205m"
interval = "5m"
language = "esql"
license = "Elastic License v2"
name = "Newly Observed High Severity Suricata Alert"
risk_score = 99
rule_id = "d591d7af-399b-4888-b705-ae612690c48d"
severity = "critical"
tags = ["Use Case: Threat Detection", "Rule Type: Higher-Order Rule", "Resources: Investigation Guide", "Domain: Network", "Data Source: Suricata"]
timestamp_override = "event.ingested"
type = "esql"

query = '''
FROM logs-suricata.*

 // high severity alerts
| where event.module == "suricata" and event.kind == "signal" and event.severity == 1 and
 rule.name is not null and
 not rule.name like "SURICATA STREAM*"

| STATS Esql.alerts_count = count(*),
 Esql.first_time_seen = MIN(@timestamp),
 Esql.distinct_count_src_ip = COUNT_DISTINCT(source.ip),
 Esql.distinct_count_dst_ip = COUNT_DISTINCT(destination.ip),
 src_ip_values = VALUES(source.ip),
 dst_ip_values = VALUES(destination.ip),
 url_dom = VALUES(url.domain),
 url_path = VALUES(url.path) by rule.name, event.type

| eval Esql.recent = DATE_DIFF("minute", Esql.first_time_seen, now())
 // first time seen is within 10m of the rule execution time
| where Esql.recent <= 10 and
// exclude high volume alerts such as vuln-scanners
 Esql.alerts_count <= 5 and Esql.distinct_count_src_ip <= 2 and Esql.distinct_count_dst_ip <= 2

// move dynamic fields to ECS equivalent for rule exceptions
| eval source.ip = MV_FIRST(src_ip_values),
 destination.ip = MV_FIRST(dst_ip_values),
 url.domain = MV_FIRST(url_dom),
 url.path = MV_FIRST(url_path)
| keep rule.name, event.type, Esql.*, source.ip, destination.ip, url.domain, url.path
'''
note = """## Triage and analysis

### Investigating Newly Observed High Severity Suricata Alert

This rule surfaces newly observed, low-frequency high severity Suricata alerts within the last 5 days.

Because the alert has not been seen previously for this rule and host, it should be prioritized for validation to determine
whether it represents a true compromise or rare benign activity.

### Investigation Steps

- Identify the source address and affected host, and review the associated rule name to understand the behavior that triggered the alert.
- Validate the source address under which the activity occurred and assess whether it aligns with normal behavior.
- Refer to the specific alert details, such as event.original, for more context.

### False Positive Considerations

- Vulnerability scanners and pentesting.
- Administrative scripts or automation tools can trigger detections when first introduced.
- Development or testing environments may produce one-off behaviors that resemble malicious techniques.

### Response and Remediation

- If the activity is confirmed malicious, isolate the affected host to prevent further execution or lateral movement.
- Terminate malicious processes and remove any dropped files or persistence mechanisms.
- Collect forensic artifacts to understand initial access and execution flow.
- Patch or remediate any vulnerabilities or misconfigurations that enabled the behavior.
- If benign, document the finding and consider tuning or exception handling to reduce future noise.
- Continue monitoring the host and environment for recurrence of the behavior or related alerts."""
references = ["https://www.elastic.co/docs/reference/integrations/suricata"]
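To see how the ES|QL pipeline above behaves on concrete data, the following Python emulates it over a handful of constructed, ECS-shaped Suricata alert documents: the severity and STREAM filters, the STATS by rule.name and event.type, the 10-minute recency test, the low-volume thresholds, and the MV_FIRST step. This is an added example, not Elastic's code or a replacement for the rule; the sample rule names, IPs and timestamps are constructed, and the `ev` and `newly_observed` helpers are the example's own.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed reference time and sample alert documents (not real data).
NOW = datetime(2026, 2, 17, 12, 0, tzinfo=timezone.utc)

def ev(minutes_ago, rule, src="10.0.0.5", dst="203.0.113.9", severity=1, kind="signal"):
    return {"@timestamp": NOW - timedelta(minutes=minutes_ago), "event.module": "suricata",
            "event.kind": kind, "event.severity": severity, "event.type": "allowed",
            "rule.name": rule, "source.ip": src, "destination.ip": dst,
            "url.domain": "cdn.example.test", "url.path": "/a"}

EVENTS = [
    ev(3, "ET MALWARE Example C2 Checkin"),                         # brand new, 1 hit: fires
    ev(2880, "ET POLICY Example Policy Hit"), ev(2, "ET POLICY Example Policy Hit"),  # first seen 2 days ago: no
    ev(1, "SURICATA STREAM excessive retransmissions"),             # STREAM noise: excluded
    ev(2, "ET SCAN Example Scanner", dst="203.0.113.1"),            # new, but 3 distinct dst IPs: volume filter
    ev(2, "ET SCAN Example Scanner", dst="203.0.113.2"),
    ev(2, "ET SCAN Example Scanner", dst="203.0.113.3"),
    ev(4, "ET INFO Example Low Severity", severity=2),              # not severity 1: excluded
    ev(8640, "ET POLICY Example Old Hit"), ev(5, "ET POLICY Example Old Hit"),  # 6 days ago is outside the window: fires
]

def newly_observed(events, now, lookback_min=7205, recent_min=10, max_alerts=5, max_src=2, max_dst=2):
    """Emulates the rule: source filter, STATS by (rule.name, event.type), then recency and volume checks."""
    groups = defaultdict(list)
    for e in events:
        if e["@timestamp"] < now - timedelta(minutes=lookback_min):
            continue  # outside the rule's `from = "now-7205m"` window
        if not (e["event.module"] == "suricata" and e["event.kind"] == "signal" and e["event.severity"] == 1):
            continue
        name = e.get("rule.name")
        if name is None or name.startswith("SURICATA STREAM"):  # not rule.name like "SURICATA STREAM*"
            continue
        groups[(name, e["event.type"])].append(e)
    rows = []
    for (name, etype), docs in groups.items():
        first_seen = min(d["@timestamp"] for d in docs)
        recent = int((now - first_seen) / timedelta(minutes=1))  # DATE_DIFF("minute", first_seen, now())
        src_ips = {d["source.ip"] for d in docs}
        dst_ips = {d["destination.ip"] for d in docs}
        if recent <= recent_min and len(docs) <= max_alerts and len(src_ips) <= max_src and len(dst_ips) <= max_dst:
            rows.append({"rule.name": name, "event.type": etype, "alerts_count": len(docs),
                         "first_time_seen": first_seen, "recent": recent,
                         # MV_FIRST(VALUES(...)): one value per ECS field so rule exceptions can match
                         "source.ip": docs[0]["source.ip"], "destination.ip": docs[0]["destination.ip"]})
    return rows

if __name__ == "__main__":
    for row in newly_observed(EVENTS, NOW):
        print(row["rule.name"], row["event.type"], row["alerts_count"], row["recent"])
```

Re-running the function an hour later returns nothing: the same groups are no longer "recent", which is why the rule only fires once per newly observed rule name within its 5-day history.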
Related rules
- Newly Observed FortiGate Alert
- Newly Observed Palo Alto Network Alert
- Suricata and Elastic Defend Network Correlation
- React2Shell Network Security Alert
- LLM-Based Attack Chain Triage by Host