Adversary Behavior - Detected - Elastic Endgame

Mar 27, 2025 · Data Source: Elastic Endgame Resources: Investigation Guide ·

Elastic Endgame detected an Adversary Behavior. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2020/02/18"
 3maturity = "production"
 4promotion = true
 5updated_date = "2025/03/21"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10Elastic Endgame detected an Adversary Behavior. Click the Elastic Endgame icon in the event.module column or the link in
11the rule.reference column for additional information.
12"""
13from = "now-2m"
14index = ["endgame-*"]
15interval = "1m"
16language = "kuery"
17license = "Elastic License v2"
18max_signals = 1000
19name = "Adversary Behavior - Detected - Elastic Endgame"
20risk_score = 47
21rule_id = "77a3c3df-8ec4-4da4-b758-878f551dee69"
22setup = """## Setup
23
24### Additional notes
25
26For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts).
27"""
28severity = "medium"
29tags = ["Data Source: Elastic Endgame", "Resources: Investigation Guide"]
30timestamp_override = "event.ingested"
31type = "query"
32
33query = '''
34event.kind:alert and event.module:endgame and (event.action:behavior_protection_event or endgame.event_subtype_full:behavior_protection_event)
35'''
36note = """## Triage and analysis
37
38> **Disclaimer**:
39> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
40
41### Investigating Adversary Behavior - Detected - Elastic Endgame
42
43Elastic Endgame is a security solution designed to detect and prevent adversarial actions by monitoring system behaviors. Adversaries may exploit system vulnerabilities or execute unauthorized actions to compromise environments. This detection rule identifies suspicious behavior by analyzing alerts and specific event actions, flagging potential threats for further investigation. The rule's medium severity and risk score highlight its importance in maintaining security posture.
44
45### Possible investigation steps
46
47- Review the alert details in the Elastic Endgame console by clicking the Elastic Endgame icon in the event.module column or the link in the rule.reference column to gather more context about the detected behavior.
48- Analyze the event.action and endgame.event_subtype_full fields to understand the specific behavior protection event that triggered the alert.
49- Correlate the alert with other recent alerts or logs from the same host or user to identify any patterns or additional suspicious activities.
50- Investigate the affected system for any signs of compromise or unauthorized changes, focusing on the timeframe around the alert.
51- Check for any known vulnerabilities or misconfigurations in the affected system that could have been exploited by the adversary.
52- Consult with the IT or security team to determine if any recent changes or updates could have triggered the alert as a false positive.
53
54### False positive analysis
55
56- Routine software updates or installations may trigger alerts due to behavior resembling adversarial actions. Users can create exceptions for known update processes to reduce false positives.
57- Legitimate administrative tasks, such as system configuration changes, might be flagged. Identifying and excluding these tasks from monitoring can help minimize unnecessary alerts.
58- Security tools or scripts that perform regular scans or maintenance can mimic adversary behavior. Whitelisting these tools in the detection rule settings can prevent them from being flagged.
59- Automated backup processes that access multiple files or systems simultaneously may be misinterpreted as suspicious. Users should ensure these processes are recognized and excluded from triggering alerts.
60- Custom applications with unique behaviors might be incorrectly identified as threats. Users should document and exclude these behaviors if they are verified as non-threatening.
61
62### Response and remediation
63
64- Isolate the affected system immediately to prevent further unauthorized actions or potential lateral movement by the adversary.
65- Review the specific event.action and endgame.event_subtype_full fields to understand the nature of the detected behavior and identify any compromised accounts or processes.
66- Terminate any unauthorized processes or sessions identified during the investigation to halt adversary activities.
67- Apply security patches or updates to address any exploited vulnerabilities that may have been used by the adversary.
68- Conduct a thorough scan of the affected system and network to identify and remove any malicious artifacts or backdoors left by the adversary.
69- Restore affected systems from a known good backup if necessary, ensuring that the backup is free from compromise.
70- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected."""

Triage and analysis

Disclaimer: This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

Investigating Adversary Behavior - Detected - Elastic Endgame

Elastic Endgame is a security solution designed to detect and prevent adversarial actions by monitoring system behaviors. Adversaries may exploit system vulnerabilities or execute unauthorized actions to compromise environments. This detection rule identifies suspicious behavior by analyzing alerts and specific event actions, flagging potential threats for further investigation. The rule's medium severity and risk score highlight its importance in maintaining security posture.

Possible investigation steps

Review the alert details in the Elastic Endgame console by clicking the Elastic Endgame icon in the event.module column or the link in the rule.reference column to gather more context about the detected behavior.
Analyze the event.action and endgame.event_subtype_full fields to understand the specific behavior protection event that triggered the alert.
Correlate the alert with other recent alerts or logs from the same host or user to identify any patterns or additional suspicious activities.
Investigate the affected system for any signs of compromise or unauthorized changes, focusing on the timeframe around the alert.
Check for any known vulnerabilities or misconfigurations in the affected system that could have been exploited by the adversary.
Consult with the IT or security team to determine if any recent changes or updates could have triggered the alert as a false positive.

False positive analysis

Routine software updates or installations may trigger alerts due to behavior resembling adversarial actions. Users can create exceptions for known update processes to reduce false positives.
Legitimate administrative tasks, such as system configuration changes, might be flagged. Identifying and excluding these tasks from monitoring can help minimize unnecessary alerts.
Security tools or scripts that perform regular scans or maintenance can mimic adversary behavior. Whitelisting these tools in the detection rule settings can prevent them from being flagged.
Automated backup processes that access multiple files or systems simultaneously may be misinterpreted as suspicious. Users should ensure these processes are recognized and excluded from triggering alerts.
Custom applications with unique behaviors might be incorrectly identified as threats. Users should document and exclude these behaviors if they are verified as non-threatening.

Response and remediation

Isolate the affected system immediately to prevent further unauthorized actions or potential lateral movement by the adversary.
Review the specific event.action and endgame.event_subtype_full fields to understand the nature of the detected behavior and identify any compromised accounts or processes.
Terminate any unauthorized processes or sessions identified during the investigation to halt adversary activities.
Apply security patches or updates to address any exploited vulnerabilities that may have been used by the adversary.
Conduct a thorough scan of the affected system and network to identify and remove any malicious artifacts or backdoors left by the adversary.
Restore affected systems from a known good backup if necessary, ensuring that the backup is free from compromise.
Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected.