Unusual Discovery Signal Alert with Unusual Process Executable
This rule leverages Discovery building block rule alert data to alert on signals with unusual unique host.id, user.id and process.executable entries.
# Elastic prebuilt detection rule in the detection-rules TOML layout: a
# [metadata] table with lifecycle fields, then a [rule] table holding the
# rule definition itself.
[metadata]
creation_date = "2023/09/22"
maturity = "production"
updated_date = "2024/05/21"

[rule]
author = ["Elastic"]
description = """
This rule leverages Discovery building block rule alert data to alert on signals with unusual unique host.id, user.id
and process.executable entries.
"""
# Look-back applied on each execution; only documents inside this window are
# evaluated (the timestamp used for the window is set by timestamp_override).
from = "now-9m"
# Input is the security alert indices, not raw endpoint events: this rule runs
# on top of alerts that another rule has already produced (see "Higher-Order
# Rule" tag below).
index = [".alerts-security.*"]
language = "kuery"
license = "Elastic License v2"
name = "Unusual Discovery Signal Alert with Unusual Process Executable"
# Low risk_score/severity: an unseen combination is a triage lead rather than
# confirmed malicious activity.
risk_score = 21
rule_id = "72ed9140-fe9d-4a34-a026-75b50e484b17"
severity = "low"
tags = [
 "Domain: Endpoint",
 "OS: Windows",
 "Use Case: Threat Detection",
 "Tactic: Discovery",
 "Rule Type: Higher-Order Rule",
]
# Window is evaluated on ingest time rather than the original event time;
# presumably so that alert documents written late by the upstream rule are
# still picked up by the 9-minute look-back — confirm against the stack docs.
timestamp_override = "event.ingested"
type = "new_terms"

# Scope: Windows alerts (event.kind:signal) emitted by exactly one upstream
# rule, pinned by its rule_id. If that rule is disabled, renamed in a way that
# changes rule_id, or not installed, this rule receives no input and stops
# alerting without any error — worth a health check on the upstream rule.
query = '''
host.os.type:windows and event.kind:signal and kibana.alert.rule.rule_id:"1d72d014-e2ab-4707-b056-9b96abe7b511"
'''


[[rule.threat]]
framework = "MITRE ATT&CK"

# Mapped to the tactic of the upstream signals; no specific technique is
# asserted here because the building block rule covers several.
[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"

# New-terms detection over three fields of the upstream alert document.
# NOTE(review): with multiple fields the stack appears to evaluate the
# host.id/user.id/process.executable tuple as one term, so a known executable
# on a new host or under a new user still fires — verify for the target
# Kibana version before tuning.
[rule.new_terms]
field = "new_terms_fields"
value = ["host.id", "user.id", "process.executable"]
# Baseline period: tuples seen within the previous 14 days are "known" and
# suppressed. A longer window cuts repeat alerts but also baselines anything
# that happened inside it, so it should not be raised without considering
# what activity would be absorbed.
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-14d"
Related rules
- Unusual Discovery Signal Alert with Unusual Process Command Line
- Account Discovery Command via SYSTEM Account
- AdFind Command Activity
- Enumerating Domain Trusts via DSQUERY.EXE
- Enumerating Domain Trusts via NLTEST.EXE