|
| 1 | +[metadata] |
| 2 | +creation_date = "2025/11/19" |
| 3 | +maturity = "production" |
| 4 | +updated_date = "2025/11/19" |
| 5 | + |
| 6 | +[rule] |
| 7 | +author = ["Elastic"] |
| 8 | +description = """ |
| 9 | +This rule correlate any Elastic Defend alert with an email security related alert by target user name. This may indicate |
| 10 | +the successful execution of a phishing attack. |
| 11 | +""" |
| 12 | +from = "now-1h" |
| 13 | +interval = "45m" |
| 14 | +language = "esql" |
| 15 | +license = "Elastic License v2" |
| 16 | +name = "Elastic Defend and Email Alerts Correlation" |
| 17 | +risk_score = 73 |
| 18 | +rule_id = "c562a800-cf97-464e-9d6f-84db91e86e10" |
| 19 | +severity = "high" |
| 20 | +tags = [ |
| 21 | + "Use Case: Threat Detection", |
| 22 | + "Rule Type: Higher-Order Rule", |
| 23 | + "Resources: Investigation Guide", |
| 24 | + "Data Source: Elastic Defend", |
| 25 | + "Use Case: Email Security", |
| 26 | +] |
| 27 | +timestamp_override = "event.ingested" |
| 28 | +type = "esql" |
| 29 | + |
| 30 | +query = ''' |
| 31 | +from logs-* metadata _id |
| 32 | +// Email or Elastic Defend alerts where user name is populated |
| 33 | +| where |
| 34 | + (event.category == "email" and event.kind == "alert" and destination.user.name is not null) or |
| 35 | + (event.module == "endpoint" and event.dataset == "endpoint.alerts" and user.name is not null) |
| 36 | +
|
| 37 | +// extract target user name from email and endpoint alerts |
| 38 | +| eval email_alert_target_user_name = CASE(event.category == "email", destination.user.name, null), |
| 39 | + elastic_defend_alert_user_name = CASE(event.module == "endpoint" and event.dataset == "endpoint.alerts", user.name, null) |
| 40 | +| eval Esql.target_user_name = COALESCE(email_alert_target_user_name, elastic_defend_alert_user_name) |
| 41 | +| where Esql.target_user_name is not null |
| 42 | +
|
| 43 | +// group by Esql.target_user_name |
| 44 | +| stats Esql.alerts_count = COUNT(*), |
| 45 | + Esql.event_module_distinct_count = COUNT_DISTINCT(event.module), |
| 46 | + Esql.event_module_values = VALUES(event.module), |
| 47 | + Esql.message_values = VALUES(message), |
| 48 | + Esql.event_action_values = VALUES(event.action), |
| 49 | + Esql.process_executable_values = VALUES(process.executable), |
| 50 | + Esql.host_id_values = VALUES(host.id), |
| 51 | + Esql.source_user_name = VALUES(source.user.name), |
| 52 | + Esql.rule_name_values = VALUES(rule.name) |
| 53 | + by Esql.target_user_name |
| 54 | +// alert when same user is observed in an endpoint and email alert |
| 55 | +| where Esql.event_module_distinct_count >= 2 |
| 56 | +| keep Esql.alerts_count, Esql.event_module_values, Esql.host_id_values, Esql.source_user_name, Esql.target_user_name, Esql.message_values, Esql.rule_name_values, Esql.event_action_values |
| 57 | +''' |
| 58 | +note = """## Triage and analysis |
| 59 | +### Investigating Elastic Defend and NG-Firewall Alerts Correlation |
| 60 | +This rule correlate any Elastic Defend alert with suspicious events from Next-Gen Firewall like Palo Alto Networks (PANW) and Fortinet Fortigate by host.ip. |
| 61 | +### Possible investigation steps |
| 62 | +- Review the alert details to identify the specific host and users involved. |
| 63 | +- Investiguate the network alerts by destination.ip and message. |
| 64 | +- Examine the timeline of the alerts to understand the sequence of events and determine if there is a pattern or progression in the tactics used. |
| 65 | +- Correlate the alert data with other logs and telemetry from the host, such as process creation, network connections, and file modifications, to gather additional context. |
| 66 | +- Check for any indicators of compromise (IOCs) associated with the alerts, such as suspicious IP addresses, domains, or file hashes, and search for these across the network. |
| 67 | +- Assess the impact and scope of the potential compromise by determining if other hosts or systems have similar alerts or related activity. |
| 68 | +### False positive analysis |
| 69 | +- Alerts from routine administrative tasks may trigger multiple alerts. Review and exclude known benign activities such as scheduled software updates or system maintenance. |
| 70 | +- Security tools running on the host might generate alerts across different tactics. Identify and exclude alerts from trusted security applications to reduce noise. |
| 71 | +- Automated scripts or batch processes can mimic adversarial behavior. Analyze and whitelist these processes if they are verified as non-threatening. |
| 72 | +- Frequent alerts from development or testing environments can be misleading. Consider excluding these environments from the rule or applying a different risk score. |
| 73 | +- User behavior anomalies, such as accessing multiple systems or applications, might trigger alerts. Implement user behavior baselines to differentiate between normal and suspicious activities. |
| 74 | +### Response and remediation |
| 75 | +- Isolate the affected host from the network immediately to prevent further lateral movement by the adversary. |
| 76 | +- Conduct a thorough forensic analysis of the host to identify the specific vulnerabilities exploited and gather evidence of the attack phases involved. |
| 77 | +- Remove any identified malicious software or unauthorized access tools from the host, ensuring all persistence mechanisms are eradicated. |
| 78 | +- Apply security patches and updates to the host to address any exploited vulnerabilities and prevent similar attacks. |
| 79 | +- Restore the host from a known good backup if necessary, ensuring that the backup is free from compromise. |
| 80 | +- Monitor the host and network for any signs of re-infection or further suspicious activity, using enhanced logging and alerting based on the identified attack patterns. |
| 81 | +- Escalate the incident to the appropriate internal or external cybersecurity teams for further investigation and potential legal action if the attack is part of a larger campaign.""" |
0 commit comments