Unusual Discovery Signal Alert with Unusual Process Executable

This rule leverages Discovery building block rule alert data to alert on Discovery signals whose host.id, user.id and process.executable values have not been seen before (a multi-field New Terms rule over the security alert indices).


 1[metadata]
 2creation_date = "2023/09/22"
 3maturity = "production"
 4min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
 5min_stack_version = "8.6.0"
 6updated_date = "2023/11/13"
 7
 8[rule]
 9author = ["Elastic"]
10description = """
11This rule leverages Discovery building block rule alert data to alert on signals with unusual unique host.id, user.id
12and process.executable entries.
13"""
14from = "now-9m"
15index = [".alerts-security.*"]
16language = "kuery"
17license = "Elastic License v2"
18name = "Unusual Discovery Signal Alert with Unusual Process Executable"
19risk_score = 21
20rule_id = "72ed9140-fe9d-4a34-a026-75b50e484b17"
21severity = "low"
22tags = ["Domain: Endpoint",
23        "OS: Windows",
24        "Use Case: Threat Detection",
25        "Tactic: Discovery",
26        "Rule Type: Higher-Order Rule"
27        ]
28timestamp_override = "event.ingested"
29type = "new_terms"
30query = '''
31host.os.type:windows and event.kind:signal and kibana.alert.rule.rule_id:"1d72d014-e2ab-4707-b056-9b96abe7b511"
32'''
33
34[[rule.threat]]
35framework = "MITRE ATT&CK"
36
37[rule.threat.tactic]
38id = "TA0007"
39name = "Discovery"
40reference = "https://attack.mitre.org/tactics/TA0007/"
41
42[rule.new_terms]
43field = "new_terms_fields"
44value = ["host.id", "user.id", "process.executable"]
45
46[[rule.new_terms.history_window_start]]
47field = "history_window_start"
48value = "now-14d"

