Unusual Discovery Signal Alert with Unusual Process Command Line

This rule leverages alert data from various Discovery building block rules and alerts on signals whose combination of host.id, user.id and process.command_line has not been seen before.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2023/09/22"
 3maturity = "production"
 4min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
 5min_stack_version = "8.6.0"
 6updated_date = "2023/09/22"
 7
 8[rule]
 9author = ["Elastic"]
10description = """
11This rule leverages alert data from various Discovery building block rules to alert on signals with unusual unique
12host.id, user.id and process.command_line entries.
13"""
14from = "now-9m"
15index = [".alerts-security.*"]
16language = "kuery"
17license = "Elastic License v2"
18name = "Unusual Discovery Signal Alert with Unusual Process Command Line"
19risk_score = 21
20rule_id = "29ef5686-9b93-433e-91b5-683911094698"
21severity = "low"
22tags = ["Domain: Endpoint",
23        "OS: Windows",
24        "Use Case: Threat Detection",
25        "Tactic: Discovery",
26        "Rule Type: Higher-Order Rule"
27        ]
28timestamp_override = "event.ingested"
29type = "new_terms"
30query = '''
31host.os.type:windows and event.kind:signal and kibana.alert.rule.rule_id:(
32  "d68e95ad-1c82-4074-a12a-125fe10ac8ba" or "7b8bfc26-81d2-435e-965c-d722ee397ef1" or
33  "0635c542-1b96-4335-9b47-126582d2c19a" or "6ea55c81-e2ba-42f2-a134-bccf857ba922" or
34  "e0881d20-54ac-457f-8733-fe0bc5d44c55" or "06568a02-af29-4f20-929c-f3af281e41aa" or
35  "c4e9ed3e-55a2-4309-a012-bc3c78dad10a" or "51176ed2-2d90-49f2-9f3d-17196428b169"
36)
37'''
38
39[[rule.threat]]
40framework = "MITRE ATT&CK"
41
42[rule.threat.tactic]
43id = "TA0007"
44name = "Discovery"
45reference = "https://attack.mitre.org/tactics/TA0007/"
46
47[rule.new_terms]
48field = "new_terms_fields"
49value = ["host.id", "user.id", "process.command_line"]
50
51[[rule.new_terms.history_window_start]]
52field = "history_window_start"
53value = "now-14d"
