Unusual Discovery Signal Alert with Unusual Process Command Line
This rule leverages alert data from various Discovery building block rules to alert on signals with unusual unique host.id, user.id and process.command_line entries.
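[metadata]
creation_date = "2023/09/22"
maturity = "production"
min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
min_stack_version = "8.6.0"
updated_date = "2023/09/22"

[rule]
author = ["Elastic"]
description = """
This rule leverages alert data from various Discovery building block rules to alert on signals with unusual unique
host.id, user.id and process.command_line entries.
"""
# Lookback per execution. Keep it longer than the schedule interval (not shown
# in this file) so consecutive runs overlap and no source signal is skipped.
from = "now-9m"
# Higher-order rule: it reads already-generated alerts, not raw endpoint events.
index = [".alerts-security.*"]
language = "kuery"
license = "Elastic License v2"
name = "Unusual Discovery Signal Alert with Unusual Process Command Line"
risk_score = 21
rule_id = "29ef5686-9b93-433e-91b5-683911094698"
severity = "low"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Discovery",
    "Rule Type: Higher-Order Rule",
]
# Evaluate the lookback window on ingest time rather than @timestamp so that
# source alerts that arrive late are still picked up.
timestamp_override = "event.ingested"
type = "new_terms"
# Only Windows signals, and only those emitted by the listed Discovery
# building-block rules (matched on the producing rule's rule_id).
query = '''
host.os.type:windows and event.kind:signal and kibana.alert.rule.rule_id:(
 "d68e95ad-1c82-4074-a12a-125fe10ac8ba" or "7b8bfc26-81d2-435e-965c-d722ee397ef1" or
 "0635c542-1b96-4335-9b47-126582d2c19a" or "6ea55c81-e2ba-42f2-a134-bccf857ba922" or
 "e0881d20-54ac-457f-8733-fe0bc5d44c55" or "06568a02-af29-4f20-929c-f3af281e41aa" or
 "c4e9ed3e-55a2-4309-a012-bc3c78dad10a" or "51176ed2-2d90-49f2-9f3d-17196428b169"
)
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"

[rule.new_terms]
field = "new_terms_fields"
# An alert fires when this field combination has not been seen within the
# history window.
# NOTE(review): process.command_line is high-cardinality; any variation in
# arguments (e.g. per-run paths or identifiers) produces a new combination, so
# alert volume is driven by command-line variation as much as by new hosts or
# users. Tune the source building-block rules or the window if this is noisy.
value = ["host.id", "user.id", "process.command_line"]

[[rule.new_terms.history_window_start]]
field = "history_window_start"
# Baseline period: combinations not seen in the last 14 days count as new.
value = "now-14d"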
Related rules
- Anomalous Process For a Windows Population
- Anomalous Windows Process Creation
- Suspicious Powershell Script
- Unusual Linux Network Configuration Discovery
- Unusual Linux Network Connection Discovery