Unusual Discovery Signal Alert with Unusual Process Command Line

This rule leverages alert data from various Discovery building block rules to alert on signals whose combination of host.id, user.id and process.command_line is unusual.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2023/09/22"
 3maturity = "production"
 4updated_date = "2024/05/21"
 5
 6[rule]
 7author = ["Elastic"]
 8description = """
 9This rule leverages alert data from various Discovery building block rules to alert on signals with unusual unique
10host.id, user.id and process.command_line entries.
11"""
12from = "now-9m"
13index = [".alerts-security.*"]
14language = "kuery"
15license = "Elastic License v2"
16name = "Unusual Discovery Signal Alert with Unusual Process Command Line"
17risk_score = 21
18rule_id = "29ef5686-9b93-433e-91b5-683911094698"
19severity = "low"
20tags = [
21    "Domain: Endpoint",
22    "OS: Windows",
23    "Use Case: Threat Detection",
24    "Tactic: Discovery",
25    "Rule Type: Higher-Order Rule",
26]
27timestamp_override = "event.ingested"
28type = "new_terms"
29
30query = '''
31host.os.type:windows and event.kind:signal and kibana.alert.rule.rule_id:(
32  "d68e95ad-1c82-4074-a12a-125fe10ac8ba" or "7b8bfc26-81d2-435e-965c-d722ee397ef1" or
33  "0635c542-1b96-4335-9b47-126582d2c19a" or "6ea55c81-e2ba-42f2-a134-bccf857ba922" or
34  "e0881d20-54ac-457f-8733-fe0bc5d44c55" or "06568a02-af29-4f20-929c-f3af281e41aa" or
35  "c4e9ed3e-55a2-4309-a012-bc3c78dad10a" or "51176ed2-2d90-49f2-9f3d-17196428b169"
36)
37'''
38
39
40[[rule.threat]]
41framework = "MITRE ATT&CK"
42
43[rule.threat.tactic]
44id = "TA0007"
45name = "Discovery"
46reference = "https://attack.mitre.org/tactics/TA0007/"
47
48[rule.new_terms]
49field = "new_terms_fields"
50value = ["host.id", "user.id", "process.command_line"]
51[[rule.new_terms.history_window_start]]
52field = "history_window_start"
53value = "now-14d"

