Unusual Discovery Signal Alert with Unusual Process Command Line
This rule leverages alert data from various Discovery building block rules to alert on signals with unusual unique host.id, user.id and process.command_line entries.
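[metadata]
creation_date = "2023/09/22"
maturity = "production"
updated_date = "2024/05/21"

[rule]
author = ["Elastic"]
description = """
This rule leverages alert data from various Discovery building block rules to alert on signals with unusual unique
host.id, user.id and process.command_line entries.
"""
# Look-back window for each execution. Presumably chosen to be longer than the
# schedule interval so consecutive runs overlap and late-indexed signals are
# not missed -- confirm against the rule's configured interval.
from = "now-9m"
# Higher-order rule: it consumes already-generated security alerts rather than
# raw endpoint events, hence the alerts index as the source.
index = [".alerts-security.*"]
language = "kuery"
license = "Elastic License v2"
name = "Unusual Discovery Signal Alert with Unusual Process Command Line"
# Kept low: discovery commands are routine on healthy hosts. The value of this
# rule is the previously unseen host/user/command-line combination, not the
# command itself, so triage should start from that combination.
risk_score = 21
rule_id = "29ef5686-9b93-433e-91b5-683911094698"
severity = "low"
tags = [
  "Domain: Endpoint",
  "OS: Windows",
  "Use Case: Threat Detection",
  "Tactic: Discovery",
  "Rule Type: Higher-Order Rule",
]
# Evaluate on ingest time so signals that arrive late still fall inside the
# look-back window above.
timestamp_override = "event.ingested"
type = "new_terms"

# Scope: Windows signals only (host.os.type:windows); discovery signals from
# other platforms are not covered here. The rule_id list enumerates the
# Discovery building block rules whose alerts this rule consumes -- adding or
# retiring a building block rule requires updating this list.
query = '''
host.os.type:windows and event.kind:signal and kibana.alert.rule.rule_id:(
  "d68e95ad-1c82-4074-a12a-125fe10ac8ba" or "7b8bfc26-81d2-435e-965c-d722ee397ef1" or
  "0635c542-1b96-4335-9b47-126582d2c19a" or "6ea55c81-e2ba-42f2-a134-bccf857ba922" or
  "e0881d20-54ac-457f-8733-fe0bc5d44c55" or "06568a02-af29-4f20-929c-f3af281e41aa" or
  "c4e9ed3e-55a2-4309-a012-bc3c78dad10a" or "51176ed2-2d90-49f2-9f3d-17196428b169"
)
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"

# An alert fires when the combination of all three fields has not been seen
# within the history window. Because process.command_line is part of the key,
# a command line that differs only in a volatile argument (a temp path, a
# timestamp) counts as new; environments with such tooling may need an
# exception or a narrower field set to keep noise down.
[rule.new_terms]
field = "new_terms_fields"
value = ["host.id", "user.id", "process.command_line"]

# Baseline: the preceding 14 days of signals define what counts as "already
# seen". A shorter window makes the rule noisier; a longer one slows detection
# of a combination that reappears after a long gap.
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-14d"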
Related rules
- Unusual Discovery Signal Alert with Unusual Process Executable
- Potential Enumeration via Active Directory Web Service
- Delayed Execution via Ping
- Enumeration of Users or Groups via Built-in Commands
- Execution from a Removable Media with Network Connection