Elastic Security External Alerts

Generates a detection alert for each Elastic Security alert written to the configured indices. Enabling this rule allows you to immediately begin investigating Elastic Security alerts in the app.

Elastic rule

[metadata]
creation_date = "2025/07/31"
integration = ["elastic_security"]
maturity = "production"
promotion = true
min_stack_version = "8.18.0"
min_stack_comments = "Introduced support for Elastic Security alert promotion"
updated_date = "2025/08/05"

[rule]
author = ["Elastic"]
description = """
Generates a detection alert for each Elastic Security alert written to the configured indices. Enabling this rule
allows you to immediately begin investigating Elastic Security alerts in the app.
"""
from = "now-2m"
index = ["logs-elastic_security.alert-*"]
interval = "1m"
language = "kuery"
license = "Elastic License v2"
max_signals = 1000
name = "Elastic Security External Alerts"
note = """
## Triage and analysis

### Investigating Elastic Security External Alerts

The Elastic Security integration facilitates transferring security alert data from another Elasticsearch instance to your own, enabling threats to be investigated in a centralized manner.

### Possible investigation steps

- Correlate the alert with recent activity on the affected endpoint to identify any unusual or suspicious behavior patterns.
- Check for any additional alerts or logs related to the same endpoint or user to determine if this is part of a broader attack or isolated incident.
- Investigate the source and destination IP addresses involved in the alert to assess if they are known to be malicious or associated with previous threats.
- Analyze any files or processes flagged in the alert to determine if they are legitimate or potentially malicious, using threat intelligence sources if necessary.
- Consult the Elastic Security investigation guide and resources tagged in the alert for specific guidance on handling similar threats.

### False positive analysis

- Alerts triggered by routine software updates or patches can be false positives. Review the context of the alert to determine if it aligns with scheduled maintenance activities.
- Legitimate administrative tools or scripts may trigger alerts. Identify and whitelist these tools if they are verified as non-threatening.
- Frequent alerts from known safe applications or processes can be excluded by creating exceptions for these specific behaviors in the Elastic Security configuration.
- Network scanning or monitoring tools used by IT teams might be flagged. Ensure these tools are documented and excluded from triggering alerts if they are part of regular operations.
- User behavior that is consistent with their role but triggers alerts should be reviewed. If deemed non-malicious, adjust the rule to exclude these specific user actions.

### Response and remediation

- Isolate the affected endpoint immediately to prevent lateral movement and further compromise within the network.
- Analyze the specific alert details to identify the nature of the threat and any associated indicators of compromise (IOCs).
- Remove or quarantine any malicious files or processes identified by the Elastic Security alert to neutralize the threat.
- Apply relevant security patches or updates to address any exploited vulnerabilities on the affected endpoint.
- Conduct a thorough scan of the network to identify any additional endpoints that may have been compromised or are exhibiting similar behavior.
- Document the incident and escalate to the appropriate security team or management if the threat is part of a larger attack campaign or if additional resources are needed for remediation.
- Review and update endpoint protection policies and configurations to enhance detection and prevention capabilities against similar threats in the future.
"""
references = ["https://docs.elastic.co/en/integrations/elastic_security"]
risk_score = 47
rule_id = "720fc1aa-e195-4a1d-81d8-04edfe5313ed"
rule_name_override = "kibana.alert.rule.name"
setup = """## Setup

### Elastic Security Alert Integration
This rule is designed to capture alert events generated by the Elastic Security integration and promote them as Elastic detection alerts.

To capture Elastic Security alerts, install and configure the Elastic Security integration to ingest alert events into the `logs-elastic_security.alert-*` index pattern.

If this rule is enabled alongside the External Alerts promotion rule (UUID: eb079c62-4481-4d6e-9643-3ca499df7aaa), you may receive duplicate alerts for the same Elastic Security events. Consider adding a rule exception for the External Alert rule to exclude data_stream.dataset:elastic_security.alert to avoid receiving duplicate alerts.

### Additional notes

For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts).
"""
severity = "medium"
tags = ["Data Source: Elastic Security", "Use Case: Threat Detection", "Resources: Investigation Guide", "Promotion: External Alerts"]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.kind: alert and data_stream.dataset: elastic_security.alert
'''


[[rule.risk_score_mapping]]
field = "event.risk_score"
operator = "equals"
value = ""

[[rule.severity_mapping]]
field = "event.severity"
operator = "equals"
severity = "low"
value = "21"

[[rule.severity_mapping]]
field = "event.severity"
operator = "equals"
severity = "medium"
value = "47"

[[rule.severity_mapping]]
field = "event.severity"
operator = "equals"
severity = "high"
value = "73"

[[rule.severity_mapping]]
field = "event.severity"
operator = "equals"
severity = "critical"
value = "99"
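As an added example (not part of the Elastic rule or Elastic's own code), the following Python simulates how the rule's query, severity mapping, risk-score mapping, rule-name override and timestamp override above apply to constructed alert documents, and implements the rule exception the setup notes recommend for the External Alerts rule. The sample documents and the flat dotted-key document shape are assumptions for the simulation.

```python
# Added example, not part of the Elastic rule or its tooling: applies the
# promotion rule's query, severity mapping, risk-score mapping, rule-name
# override and timestamp override to flat (dotted-key) alert documents.

SEVERITY_MAPPING = {21: "low", 47: "medium", 73: "high", 99: "critical"}
STATIC_SEVERITY = "medium"   # rule's own severity when event.severity is unmapped
STATIC_RISK_SCORE = 47       # rule's own risk_score when event.risk_score is absent
STATIC_RULE_NAME = "Elastic Security External Alerts"

def matches_rule(doc):
    """Mirror of the rule query:
    event.kind: alert and data_stream.dataset: elastic_security.alert"""
    return (doc.get("event.kind") == "alert"
            and doc.get("data_stream.dataset") == "elastic_security.alert")

def external_alerts_exception(doc):
    """Exception the setup notes recommend for the External Alerts rule
    (exclude data_stream.dataset:elastic_security.alert) to avoid duplicates."""
    return doc.get("data_stream.dataset") == "elastic_security.alert"

def promote(doc):
    """Return the promoted detection alert for a matching doc, else None."""
    if not matches_rule(doc):
        return None
    return {
        # rule_name_override: the source alert's rule name becomes the alert name
        "kibana.alert.rule.name": doc.get("kibana.alert.rule.name", STATIC_RULE_NAME),
        # severity_mapping: only the four mapped values override the static severity
        "severity": SEVERITY_MAPPING.get(doc.get("event.severity"), STATIC_SEVERITY),
        # risk_score_mapping on event.risk_score: use the source value when present
        "risk_score": doc.get("event.risk_score", STATIC_RISK_SCORE),
        # timestamp_override: evaluate on event.ingested, falling back to @timestamp
        "@timestamp": doc.get("event.ingested") or doc.get("@timestamp"),
    }

def promote_all(docs):
    return [alert for alert in map(promote, docs) if alert is not None]

# Constructed sample documents (not real Elastic Security alert data).
SAMPLE_DOCS = [
    {"event.kind": "alert", "data_stream.dataset": "elastic_security.alert",
     "event.severity": 73, "event.risk_score": 73, "event.ingested": "2025-08-05T10:00:05Z",
     "@timestamp": "2025-08-05T09:58:00Z", "kibana.alert.rule.name": "Remote rule A"},
    {"event.kind": "alert", "data_stream.dataset": "elastic_security.alert",
     "event.severity": 50, "@timestamp": "2025-08-05T10:01:00Z"},            # unmapped severity
    {"event.kind": "event", "data_stream.dataset": "elastic_security.alert"},  # not an alert
]
```

Calling `promote_all(SAMPLE_DOCS)` yields two alerts: the first carries the remote rule's name, severity high and risk 73; the second falls back to the rule's static medium/47 because 50 is not a mapped severity value.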
