Multiple Elastic Defend Alerts from a Single Process Tree

Last updated a month ago on 2025-12-31
Created a month ago on 2025-12-31

About

Detects multiple Elastic Defend EDR alerts originating from the same process tree, indicating coordinated malicious activity. Analysts can use this to prioritize triage and response, as these hosts are more likely to be compromised.
Tags
Use Case: Threat Detection
Rule Type: Higher-Order Rule
Data Source: Elastic Defend
Language: esql
Severity
high
Risk Score
73
License
Elastic License v2

Definition

Integration Pack
Prebuilt Security Detection Rules

Query
from logs-endpoint.alerts-*
// process.Ext.ancestry is an array of all unique process IDs ancestors of the alert actor process ID
| where event.code in ("malicious_file", "memory_signature", "shellcode_thread", "behavior") and
  agent.id is not null and not rule.name in ("Multi.EICAR.Not-a-virus") and process.Ext.ancestry is not null
// aggregate alerts by process.Ext.ancestry and agent.id
| stats
    Esql.alerts_count = COUNT(*),
    Esql.rule_name_distinct_count = COUNT_DISTINCT(rule.name),
    Esql.event_code_distinct_count = COUNT_DISTINCT(event.code),
    Esql.process_id_distinct_count = COUNT_DISTINCT(process.entity_id),
    Esql.message_values = VALUES(message),
    Esql.user_name_values = VALUES(user.name),
    Esql.threat_tactic_name_values = VALUES(threat.tactic.name),
    Esql.threat_technique_name_values = VALUES(threat.technique.name),
    Esql.process_command_line_values = VALUES(process.command_line),
    Esql.process_parent_executable_values = VALUES(process.parent.executable),
    Esql.file_path_values = VALUES(file.path),
    Esql.file_hash_sha256_values = VALUES(file.hash.sha256),
    Esql.process_hash_sha256_values = VALUES(process.hash.sha256),
    Esql.dns_question_name_values = VALUES(dns.question.name)
  by process.Ext.ancestry, agent.id
// filter for at least 3 unique process IDs and 2 or more alert types or rule names
| where Esql.process_id_distinct_count >= 3 and (Esql.rule_name_distinct_count >= 2 or Esql.event_code_distinct_count >= 2)
// keep unique values
| stats
    Esql.alert_names = VALUES(Esql.message_values),
    Esql.alerts_process_cmdline_values = VALUES(Esql.process_command_line_values),
    Esql.alerts_user_names = VALUES(Esql.user_name_values),
    Esql.alerts_mitre_tactics = VALUES(Esql.threat_tactic_name_values),
    Esql.alerts_mitre_techniques = VALUES(Esql.threat_technique_name_values),
    Esql.alerts_process_parent_executable = VALUES(Esql.process_parent_executable_values),
    Esql.alerts_file_paths = VALUES(Esql.file_path_values),
    Esql.alerts_file_hash_sha256 = VALUES(Esql.file_hash_sha256_values),
    Esql.alerts_process_hash_sha256 = VALUES(Esql.process_hash_sha256_values),
    Esql.alerts_dns_question_names = VALUES(Esql.dns_question_name_values)
  by agent.id
| keep Esql.*, agent.id
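
To see what the two-stage aggregation does before deploying it, here is an offline Python model of the same filter, thresholds and per-agent roll-up run over constructed alert records. This is an added example, not Elastic's code; the agent IDs, process IDs and rule names in the sample are made up, and the thresholds are parameters so other minimums can be tried.

```python
from collections import defaultdict

ALERT_CODES = {"malicious_file", "memory_signature", "shellcode_thread", "behavior"}
EXCLUDED_RULES = {"Multi.EICAR.Not-a-virus"}

def eligible(alert):
    """Mirrors the rule's first WHERE: alert kind, agent present, EICAR test excluded, ancestry present."""
    return (alert.get("event.code") in ALERT_CODES
            and alert.get("agent.id") is not None
            and alert.get("rule.name") not in EXCLUDED_RULES
            and alert.get("process.Ext.ancestry") is not None)

def process_tree_hits(alerts, min_processes=3, min_distinct=2):
    """Stage 1: group by (process.Ext.ancestry, agent.id) and keep trees with >= 3 distinct process
    IDs and >= 2 distinct rule names or event codes. Stage 2: roll surviving trees up per agent.id."""
    trees = defaultdict(list)
    for a in alerts:
        if eligible(a):
            # ancestry is an array field; a tuple makes it usable as a group key
            trees[(tuple(a["process.Ext.ancestry"]), a["agent.id"])].append(a)
    per_agent = defaultdict(lambda: {"trees": 0, "alert_names": set(), "rules": set()})
    for (_ancestry, agent_id), rows in trees.items():
        pids = {r["process.entity_id"] for r in rows}
        rules = {r["rule.name"] for r in rows}
        codes = {r["event.code"] for r in rows}
        if len(pids) >= min_processes and (len(rules) >= min_distinct or len(codes) >= min_distinct):
            row = per_agent[agent_id]
            row["trees"] += 1
            row["alert_names"].update(r["message"] for r in rows)
            row["rules"].update(rules)
    return dict(per_agent)

def mk(agent, ancestry, pid, code, rule):
    """Constructed minimal alert record using the ECS field names the rule reads."""
    return {"agent.id": agent, "process.Ext.ancestry": ancestry, "process.entity_id": pid,
            "event.code": code, "rule.name": rule, "message": f"{code}: {rule}"}

# Constructed sample alerts (hypothetical rule names, not real telemetry). Agent A: three processes in
# one tree with two event codes and two rule names -> fires. Agent B: three processes but one repeated
# detection -> below the diversity threshold. Agent C: only EICAR test detections -> excluded up front.
SAMPLE_ALERTS = [
    mk("A", ["p1", "p2"], "e1", "behavior", "Suspicious PowerShell"),
    mk("A", ["p1", "p2"], "e2", "memory_signature", "Windows.Trojan.Generic"),
    mk("A", ["p1", "p2"], "e3", "behavior", "Suspicious PowerShell"),
    mk("B", ["p9", "p8"], "e1", "behavior", "Suspicious PowerShell"),
    mk("B", ["p9", "p8"], "e2", "behavior", "Suspicious PowerShell"),
    mk("B", ["p9", "p8"], "e3", "behavior", "Suspicious PowerShell"),
    mk("C", ["p4", "p5"], "e1", "malicious_file", "Multi.EICAR.Not-a-virus"),
    mk("C", ["p4", "p5"], "e2", "memory_signature", "Multi.EICAR.Not-a-virus"),
]
```

Running `process_tree_hits(SAMPLE_ALERTS)` returns a row for agent A only; lowering `min_distinct` to 1 would also surface agent B, which is the trade-off the rule's thresholds encode.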

Install detection rules in Elastic Security

Detect Multiple Elastic Defend Alerts from a Single Process Tree in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, see the installation guide for Prebuilt Security Detection Rules.