Unusual Discovery Signal Alert with Unusual Process Command Line
This higher-order rule leverages alert data produced by several Discovery building block rules and alerts on signals whose combination of host.id, user.id and process.command_line has not been seen in the preceding 14-day history window.
# Rule lifecycle metadata consumed by the detection-rules tooling, not by the query itself.
[metadata]
creation_date = "2023/09/22"
# NOTE(review): "production" presumably marks the rule as release-ready in the rules
# repository — confirm against the repo's packaging/maturity rules.
maturity = "production"
updated_date = "2024/05/21"
5
[rule]
author = ["Elastic"]
description = """
This rule leverages alert data from various Discovery building block rules to alert on signals with unusual unique
host.id, user.id and process.command_line entries.
"""
# 9-minute lookback. Together with timestamp_override below, the window keys off
# event.ingested rather than @timestamp, so source alerts that arrive late are still
# caught. The run interval is not set in this file, so the scheduler default applies
# (confirm the default still fits inside the 9m lookback).
from = "now-9m"
# Higher-order rule: it reads other rules' alert documents, not raw endpoint events.
index = [".alerts-security.*"]
language = "kuery"
license = "Elastic License v2"
name = "Unusual Discovery Signal Alert with Unusual Process Command Line"
# Low-severity signal; risk_score and severity are expected to agree (21 <-> "low").
risk_score = 21
rule_id = "29ef5686-9b93-433e-91b5-683911094698"
severity = "low"
tags = [
 "Domain: Endpoint",
 "OS: Windows",
 "Use Case: Threat Detection",
 "Tactic: Discovery",
 "Rule Type: Higher-Order Rule",
]
timestamp_override = "event.ingested"
type = "new_terms"

# The feeding alerts are pinned to eight Discovery building-block rules by rule_id.
# If any of those rules is disabled, or not writing to .alerts-security.*, this rule
# silently produces nothing for it — check that the sources are enabled when tuning.
# The UUIDs are not resolved to rule names on this page; the "Related rules" list is
# likely the set they refer to, but verify. event.kind:signal restricts matching to
# alert documents; host.os.type:windows matches the "OS: Windows" tag above.
query = '''
host.os.type:windows and event.kind:signal and kibana.alert.rule.rule_id:(
 "d68e95ad-1c82-4074-a12a-125fe10ac8ba" or "7b8bfc26-81d2-435e-965c-d722ee397ef1" or
 "0635c542-1b96-4335-9b47-126582d2c19a" or "6ea55c81-e2ba-42f2-a134-bccf857ba922" or
 "e0881d20-54ac-457f-8733-fe0bc5d44c55" or "06568a02-af29-4f20-929c-f3af281e41aa" or
 "c4e9ed3e-55a2-4309-a012-bc3c78dad10a" or "51176ed2-2d90-49f2-9f3d-17196428b169"
)
'''
38
39
# ATT&CK mapping at tactic level only; no technique entries are listed here.
# NOTE(review): technique attribution presumably rides on the source building-block
# alerts rather than this rule — confirm before relying on it for reporting.
[[rule.threat]]
framework = "MITRE ATT&CK"

[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"
47
# New-terms detection over three fields: a matching alert fires when the combination of
# host.id, user.id and process.command_line has not been seen inside the history window
# (multi-field new_terms evaluates the tuple, not each field alone — confirm).
# NOTE(review): process.command_line is high-cardinality. Command lines that embed
# random tokens (temp paths, GUIDs, session IDs) may yield a never-before-seen tuple on
# every run; tune with exceptions or normalization if this proves noisy.
[rule.new_terms]
field = "new_terms_fields"
value = ["host.id", "user.id", "process.command_line"]
# 14-day baseline, read from the same .alerts-security.* index the query targets.
# NOTE(review): tuples whose last alert is older than the alert index's retention
# cannot be baselined — verify ILM/retention on that index is at least 14 days.
# Single-element array-of-tables kept as-is: it is the shape the rule schema expects.
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-14d"
Related rules
- Unusual Discovery Signal Alert with Unusual Process Executable
- Account Discovery Command via SYSTEM Account
- AdFind Command Activity
- Enumerating Domain Trusts via DSQUERY.EXE
- Enumerating Domain Trusts via NLTEST.EXE