From 876d8166bbad9b5af3683f8461d30eeed1e0df45 Mon Sep 17 00:00:00 2001
From: Samirbous
Date: Wed, 19 Nov 2025 11:12:11 +0000
Subject: [PATCH 1/5] Create multiple_alerts_email_elastic_defend_correlation.toml
---
 ...erts_email_elastic_defend_correlation.toml | 81 +++++++++++++++++++
 1 file changed, 81 insertions(+)
 create mode 100644 rules/cross-platform/multiple_alerts_email_elastic_defend_correlation.toml
diff --git a/rules/cross-platform/multiple_alerts_email_elastic_defend_correlation.toml b/rules/cross-platform/multiple_alerts_email_elastic_defend_correlation.toml
new file mode 100644
index 00000000000..7d284649807
--- /dev/null
+++ b/rules/cross-platform/multiple_alerts_email_elastic_defend_correlation.toml
@@ -0,0 +1,81 @@
+[metadata]
+creation_date = "2025/11/19"
+maturity = "production"
+updated_date = "2025/11/19"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule correlate any Elastic Defend alert with an email security related alert by target user name. This may indicate
+the successful execution of a phishing attack.
+"""
+from = "now-1h"
+interval = "45m"
+language = "esql"
+license = "Elastic License v2"
+name = "Elastic Defend and Email Alerts Correlation"
+risk_score = 73
+rule_id = "c562a800-cf97-464e-9d6f-84db91e86e10"
+severity = "high"
+tags = [
+ "Use Case: Threat Detection",
+ "Rule Type: Higher-Order Rule",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Defend",
+ "Use Case: Email Security",
+]
+timestamp_override = "event.ingested"
+type = "esql"
+
+query = '''
+from logs-* metadata _id
+// Email or Elastic Defend alerts where user name is populated
+| where
+ (event.category == "email" and event.kind == "alert" and destination.user.name is not null) or
+ (event.module == "endpoint" and event.dataset == "endpoint.alerts" and user.name is not null)
+
+// extract target user name from email and endpoint alerts
+| eval email_alert_target_user_name = CASE(event.category == "email", destination.user.name, null),
+ elastic_defend_alert_user_name = CASE(event.module == "endpoint" and event.dataset == "endpoint.alerts", user.name, null)
+| eval Esql.target_user_name = COALESCE(email_alert_target_user_name, elastic_defend_alert_user_name)
+| where Esql.target_user_name is not null
+
+// group by Esql.target_user_name
+| stats Esql.alerts_count = COUNT(*),
+ Esql.event_module_distinct_count = COUNT_DISTINCT(event.module),
+ Esql.event_module_values = VALUES(event.module),
+ Esql.message_values = VALUES(message),
+ Esql.event_action_values = VALUES(event.action),
+ Esql.process_executable_values = VALUES(process.executable),
+ Esql.host_id_values = VALUES(host.id),
+ Esql.source_user_name = VALUES(source.user.name),
+
Esql.rule_name_values = VALUES(rule.name)
+ by Esql.target_user_name
+// alert when same user is observed in an endpoint and email alert
+| where Esql.event_module_distinct_count >= 2
+| keep Esql.alerts_count, Esql.event_module_values, Esql.host_id_values, Esql.source_user_name, Esql.target_user_name, Esql.message_values, Esql.rule_name_values, Esql.event_action_values
+'''
+note = """## Triage and analysis
+### Investigating Elastic Defend and NG-Firewall Alerts Correlation
+This rule correlate any Elastic Defend alert with suspicious events from Next-Gen Firewall like Palo Alto Networks (PANW) and Fortinet Fortigate by host.ip.
+### Possible investigation steps
+- Review the alert details to identify the specific host and users involved.
+- Investiguate the network alerts by destination.ip and message.
+- Examine the timeline of the alerts to understand the sequence of events and determine if there is a pattern or progression in the tactics used.
+- Correlate the alert data with other logs and telemetry from the host, such as process creation, network connections, and file modifications, to gather additional context.
+- Check for any indicators of compromise (IOCs) associated with the alerts, such as suspicious IP addresses, domains, or file hashes, and search for these across the network.
+- Assess the impact and scope of the potential compromise by determining if other hosts or systems have similar alerts or related activity.
+### False positive analysis
+- Alerts from routine administrative tasks may trigger multiple alerts. Review and exclude known benign activities such as scheduled software updates or system maintenance.
+- Security tools running on the host might generate alerts across different tactics. Identify and exclude alerts from trusted security applications to reduce noise.
+- Automated scripts or batch processes can mimic adversarial behavior. Analyze and whitelist these processes if they are verified as non-threatening.
+- Frequent alerts from development or testing environments can be misleading. Consider excluding these environments from the rule or applying a different risk score.
+- User behavior anomalies, such as accessing multiple systems or applications, might trigger alerts. Implement user behavior baselines to differentiate between normal and suspicious activities.
+### Response and remediation
+- Isolate the affected host from the network immediately to prevent further lateral movement by the adversary.
+- Conduct a thorough forensic analysis of the host to identify the specific vulnerabilities exploited and gather evidence of the attack phases involved.
+- Remove any identified malicious software or unauthorized access tools from the host, ensuring all persistence mechanisms are eradicated.
+- Apply security patches and updates to the host to address any exploited vulnerabilities and prevent similar attacks.
+- Restore the host from a known good backup if necessary, ensuring that the backup is free from compromise.
+- Monitor the host and network for any signs of re-infection or further suspicious activity, using enhanced logging and alerting based on the identified attack patterns.
+- Escalate the incident to the appropriate internal or external cybersecurity teams for further investigation and potential legal action if the attack is part of a larger campaign."""
From f787d3d22d4c7853997886ec91c8eca843a8eb8c Mon Sep 17 00:00:00 2001
From: Samirbous
Date: Wed, 19 Nov 2025 11:23:35 +0000
Subject: [PATCH 2/5] Update multiple_alerts_email_elastic_defend_correlation.toml
---
 ...erts_email_elastic_defend_correlation.toml | 24 +++++++++----------
 1 file changed, 12 insertions(+), 12 deletions(-)
diff --git a/rules/cross-platform/multiple_alerts_email_elastic_defend_correlation.toml b/rules/cross-platform/multiple_alerts_email_elastic_defend_correlation.toml
index 7d284649807..ed59c1ac9a6 100644
--- a/rules/cross-platform/multiple_alerts_email_elastic_defend_correlation.toml
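Review bot: The final filter `| where Esql.event_module_distinct_count >= 2` does not guarantee that one of the correlated alerts came from Elastic Defend: it counts distinct `event.module` values and nothing pins the email branch to a single module, so two email-security alerts from different integrations for the same recipient would satisfy it with no endpoint alert at all, contrary to the `// alert when same user is observed in an endpoint and email alert` comment (and an email alert whose `event.module` is unset would be dropped by COUNT_DISTINCT). I would derive the source explicitly — `| eval Esql.alert_source = CASE(event.category == "email", "email", "endpoint")` after the first `where`, `Esql.alert_source_distinct_count = COUNT_DISTINCT(Esql.alert_source),` in the stats, and `| where Esql.alert_source_distinct_count >= 2` as the filter. The join key is also compared verbatim, `destination.user.name` from the email alert against the endpoint `user.name`, with no case folding or domain stripping, so whether the two ever match (mailbox address vs. OS account, `John.Doe` vs. `john.doe`) depends on how each integration populates those fields and is worth confirming against real data before shipping at `severity = "high"`; a `TO_LOWER()` on `Esql.target_user_name` would at least remove the case mismatch. Finally, the `from = "now-1h"` lookback bounds how far apart the two alerts may be, so a message delivered more than an hour before the endpoint alert never correlates — probably intended, but worth stating in the description.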
+++ b/rules/cross-platform/multiple_alerts_email_elastic_defend_correlation.toml 
@@ -56,26 +56,26 @@ from logs-* metadata _id
 | keep Esql.alerts_count, Esql.event_module_values, Esql.host_id_values, Esql.source_user_name, Esql.target_user_name, Esql.message_values, Esql.rule_name_values, Esql.event_action_values
 '''
 note = """## Triage and analysis
-### Investigating Elastic Defend and NG-Firewall Alerts Correlation
-This rule correlate any Elastic Defend alert with suspicious events from Next-Gen Firewall like Palo Alto Networks (PANW) and Fortinet Fortigate by host.ip.
+### Investigating Elastic Defend and Email Alerts Correlation
+
+This rule correlate any Elastic Defend alert with an email security related alert by target user name.
+
 ### Possible investigation steps
 - Review the alert details to identify the specific host and users involved.
-- Investiguate the network alerts by destination.ip and message.
-- Examine the timeline of the alerts to understand the sequence of events and determine if there is a pattern or progression in the tactics used.
+- Investiguate the individual alerts for the target user name and see if they are related.
+- Review all emails received from Esql.source_user_name and if there are other impacted users.
 - Correlate the alert data with other logs and telemetry from the host, such as process creation, network connections, and file modifications, to gather additional context.
-- Check for any indicators of compromise (IOCs) associated with the alerts, such as suspicious IP addresses, domains, or file hashes, and search for these across the network.
 - Assess the impact and scope of the potential compromise by determining if other hosts or systems have similar alerts or related activity.
+
 ### False positive analysis
-- Alerts from routine administrative tasks may trigger multiple alerts. Review and exclude known benign activities such as scheduled software updates or system maintenance.
-- Security tools running on the host might generate alerts across different tactics.
Identify and exclude alerts from trusted security applications to reduce noise.
-- Automated scripts or batch processes can mimic adversarial behavior. Analyze and whitelist these processes if they are verified as non-threatening.
-- Frequent alerts from development or testing environments can be misleading. Consider excluding these environments from the rule or applying a different risk score.
-- User behavior anomalies, such as accessing multiple systems or applications, might trigger alerts. Implement user behavior baselines to differentiate between normal and suspicious activities.
+- Legitimate email marked as suspicious.
+- Legitimate file or behavior marked as suspicious by Elastic Defend.
+- Unrelated alerts where the target user name is too generic.
+
 ### Response and remediation
 - Isolate the affected host from the network immediately to prevent further lateral movement by the adversary.
-- Conduct a thorough forensic analysis of the host to identify the specific vulnerabilities exploited and gather evidence of the attack phases involved.
+- Conduct a thorough forensic analysis of the host.
 - Remove any identified malicious software or unauthorized access tools from the host, ensuring all persistence mechanisms are eradicated.
-- Apply security patches and updates to the host to address any exploited vulnerabilities and prevent similar attacks.
 - Restore the host from a known good backup if necessary, ensuring that the backup is free from compromise.
 - Monitor the host and network for any signs of re-infection or further suspicious activity, using enhanced logging and alerting based on the identified attack patterns.
 - Escalate the incident to the appropriate internal or external cybersecurity teams for further investigation and potential legal action if the attack is part of a larger campaign."""
From e34b5e37d3b403383ed8ac070335ad18263330e0 Mon Sep 17 00:00:00 2001
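Review bot: The rewritten `### Response and remediation` section still only covers the endpoint side, even though the new `### Investigating` text frames this as a phishing message correlated by recipient; there is no email-side containment step at all. I would add, after the `- Isolate the affected host` bullet, `- Quarantine or purge the correlated message from the target user's mailbox, block the sender captured in Esql.source_user_name, and check whether the same message reached other mailboxes.` and `- If the message carried a credential-harvesting link, reset the target user's credentials and revoke active sessions, since a Defend alert on the same user suggests the lure was acted on.` The new false-positive bullet `- Unrelated alerts where the target user name is too generic.` would also be more actionable if it said what to do about it, e.g. add a rule exception on `Esql.target_user_name` for shared, service or test mailboxes.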
From: Samirbous
Date: Wed, 19 Nov 2025 11:25:12 +0000
Subject: [PATCH 3/5] Update multiple_alerts_email_elastic_defend_correlation.toml
---
 .../multiple_alerts_email_elastic_defend_correlation.toml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/rules/cross-platform/multiple_alerts_email_elastic_defend_correlation.toml b/rules/cross-platform/multiple_alerts_email_elastic_defend_correlation.toml
index ed59c1ac9a6..d9ce38277be 100644
--- a/rules/cross-platform/multiple_alerts_email_elastic_defend_correlation.toml
+++ b/rules/cross-platform/multiple_alerts_email_elastic_defend_correlation.toml
@@ -22,7 +22,8 @@ tags = [
 "Rule Type: Higher-Order Rule",
 "Resources: Investigation Guide",
 "Data Source: Elastic Defend",
- "Use Case: Email Security",
+ "Domain: Email",
+ "Domain: Endpoint"
 ]
 timestamp_override = "event.ingested"
 type = "esql"
From 741c0ff371b5e5f05777f13d2f9c1be2c36b149c Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Wed, 19 Nov 2025 11:28:04 +0000
Subject: [PATCH 4/5] Update rules/cross-platform/multiple_alerts_email_elastic_defend_correlation.toml
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 .../multiple_alerts_email_elastic_defend_correlation.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/cross-platform/multiple_alerts_email_elastic_defend_correlation.toml b/rules/cross-platform/multiple_alerts_email_elastic_defend_correlation.toml
index d9ce38277be..74519fc027e 100644
--- a/rules/cross-platform/multiple_alerts_email_elastic_defend_correlation.toml
+++ b/rules/cross-platform/multiple_alerts_email_elastic_defend_correlation.toml
@@ -63,7 +63,7 @@ This rule correlate any Elastic Defend alert with an email security related aler
 ### Possible investigation steps
 - Review the alert details to identify the specific host and users involved.
-- Investiguate the individual alerts for the target user name and see if they are related.
+- Investigate the individual alerts for the target user name and see if they are related.
 - Review all emails received from Esql.source_user_name and if there are other impacted users.
 - Correlate the alert data with other logs and telemetry from the host, such as process creation, network connections, and file modifications, to gather additional context.
 - Assess the impact and scope of the potential compromise by determining if other hosts or systems have similar alerts or related activity.
From f32db08b77f8c7be63ef19ed263fb9db43037116 Mon Sep 17 00:00:00 2001
From: Samirbous
Date: Wed, 19 Nov 2025 11:28:09 +0000
Subject: [PATCH 5/5] Update multiple_alerts_email_elastic_defend_correlation.toml
---
 .../multiple_alerts_email_elastic_defend_correlation.toml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/cross-platform/multiple_alerts_email_elastic_defend_correlation.toml b/rules/cross-platform/multiple_alerts_email_elastic_defend_correlation.toml
index d9ce38277be..61d5c768d76 100644
--- a/rules/cross-platform/multiple_alerts_email_elastic_defend_correlation.toml
+++ b/rules/cross-platform/multiple_alerts_email_elastic_defend_correlation.toml
@@ -6,7 +6,7 @@ updated_date = "2025/11/19"
 [rule]
 author = ["Elastic"]
 description = """
-This rule correlate any Elastic Defend alert with an email security related alert by target user name. This may indicate
+This rule correlates any Elastic Defend alert with an email security related alert by target user name. This may indicate
 the successful execution of a phishing attack.
 """
 from = "now-1h"
@@ -59,7 +59,7 @@ from logs-* metadata _id
 note = """## Triage and analysis
 ### Investigating Elastic Defend and Email Alerts Correlation
-This rule correlate any Elastic Defend alert with an email security related alert by target user name.
+This rule correlates any Elastic Defend alert with an email security related alert by target user name.
 ### Possible investigation steps
 - Review the alert details to identify the specific host and users involved.