Unusual Discovery Signal Alert with Unusual Process Executable
This rule leverages Discovery building block rule alert data to alert on signals with unusual unique host.id, user.id and process.executable entries.
Elastic rule (View on GitHub)
# Rule metadata used by the detection-rules tooling: creation/last-update dates
# and release status of this rule.
[metadata]
creation_date = "2023/09/22"
maturity = "production"
updated_date = "2024/05/21"

[rule]
author = ["Elastic"]
description = """
This rule leverages Discovery building block rule alert data to alert on signals with unusual unique host.id, user.id
and process.executable entries.
"""
# Lookback applied on each run; the source signals must fall inside this window
# (measured on event.ingested, see timestamp_override below) to be evaluated.
from = "now-9m"
# Higher-order rule: the input is the security alerts indices, not raw endpoint
# events, so this rule can only fire on signals another rule has already produced.
index = [".alerts-security.*"]
language = "kuery"
license = "Elastic License v2"
name = "Unusual Discovery Signal Alert with Unusual Process Executable"
# Low score/severity: a never-before-seen combination is a triage lead rather
# than a confirmed finding on its own.
risk_score = 21
rule_id = "72ed9140-fe9d-4a34-a026-75b50e484b17"
severity = "low"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Discovery",
    "Rule Type: Higher-Order Rule",
]
# Evaluate the lookback against ingest time rather than event time so signals
# that arrive late are still picked up by a subsequent run.
timestamp_override = "event.ingested"
type = "new_terms"

# Restrict the input to Windows signals emitted by one specific rule, referenced
# by its rule_id. Per the description this is the Discovery building-block rule
# whose alerts are aggregated here; if that rule is disabled or its id differs in
# the target deployment, this rule silently produces nothing — confirm it is active.
query = '''
host.os.type:windows and event.kind:signal and kibana.alert.rule.rule_id:"1d72d014-e2ab-4707-b056-9b96abe7b511"
'''


[[rule.threat]]
framework = "MITRE ATT&CK"

[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"

# New-terms configuration: the rule alerts when the listed field values (presumably
# keyed on the combination host.id + user.id + process.executable, per the new
# terms rule type) have not been observed within the history window below — so a
# known discovery binary run by a new user on a known host still counts as "new".
[rule.new_terms]
field = "new_terms_fields"
value = ["host.id", "user.id", "process.executable"]
# Baseline period. Combinations first seen inside this window before the rule was
# enabled are treated as already known, so the first 14 days after enablement
# have reduced coverage; review this when tuning the rule.
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-14d"
Related rules
- Unusual Discovery Signal Alert with Unusual Process Command Line
- Potential Enumeration via Active Directory Web Service
- Delayed Execution via Ping
- Enumeration of Users or Groups via Built-in Commands
- Execution from a Removable Media with Network Connection