```esql
from logs-endpoint.alerts-*
| WHERE event.code == "behavior" and rule.name is not null
| STATS Esql.alerts_count = count(*),
        Esql.first_time_seen = MIN(@timestamp),
        Esql.last_time_seen = MAX(@timestamp),
        Esql.agents_distinct_count = COUNT_DISTINCT(agent.id),
        Esql.process_executable = VALUES(process.executable),
        Esql.process_parent_executable = VALUES(process.parent.executable),
        Esql.process_command_line = VALUES(process.command_line),
        Esql.process_hash_sha256 = VALUES(process.hash.sha256),
        Esql.host_id = VALUES(host.id),
        Esql.user_name = VALUES(user.name)
  by rule.name
// first time seen in the last 5 days - defined in the rule schedule's Additional look-back time
| eval Esql.recent = DATE_DIFF("minute", Esql.first_time_seen, now())
// first time seen is within 10m of the rule execution time
| where Esql.recent <= 10
    and Esql.agents_distinct_count == 1
    and Esql.alerts_count <= 10
    and (Esql.last_time_seen == Esql.first_time_seen)
| keep rule.name, Esql.*
```
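The following is an added example, not part of the Elastic rule or the Elastic Defend code base: it replays the query's logic in plain Python over a handful of constructed alert documents, so the effect of each condition (behavior alerts only, a 5-day look-back, first seen within 10 minutes of `now()`, a single agent, at most 10 alerts, and first seen equal to last seen) can be inspected offline. The rule names, agent ids, paths, hash and timestamps below are all made up for the example, and the `newly_observed_behavior_alerts` function, its parameters and the `_alert` helper are this example's own names, not anything Elastic ships.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed "rule execution time" standing in for ES|QL now(); not real data.
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)


def _alert(minutes_ago, rule_name, agent, exe, parent, cmd, event_code="behavior"):
    """Build one constructed alert document with the fields the query reads."""
    return {
        "@timestamp": NOW - timedelta(minutes=minutes_ago),
        "event.code": event_code,
        "rule.name": rule_name,
        "agent.id": agent,
        "host.id": f"host-{agent}",
        "user.name": f"user-{agent}",
        "process.executable": exe,
        "process.parent.executable": parent,
        "process.command_line": cmd,
        "process.hash.sha256": "0" * 64,  # placeholder hash, constructed
    }


# Constructed sample alerts covering each branch of the WHERE clause.
SAMPLE_ALERTS = [
    # first seen 5 minutes ago, one agent, one alert -> should be reported
    _alert(5, "Example Behavior Rule A", "A", r"C:\Windows\System32\cmd.exe",
           r"C:\Windows\explorer.exe", "cmd.exe /c whoami"),
    # same rule on two agents -> agents_distinct_count == 2, not reported
    _alert(5, "Example Behavior Rule B", "A", r"C:\tool.exe", r"C:\Windows\explorer.exe", "tool.exe"),
    _alert(4, "Example Behavior Rule B", "B", r"C:\tool.exe", r"C:\Windows\explorer.exe", "tool.exe"),
    # repeated on one agent -> first_time_seen != last_time_seen, not reported
    _alert(2, "Example Behavior Rule C", "C", r"C:\app.exe", r"C:\svc.exe", "app.exe"),
    _alert(1, "Example Behavior Rule C", "C", r"C:\app.exe", r"C:\svc.exe", "app.exe"),
    # first seen 3 hours ago -> Esql.recent == 180 > 10, not reported
    _alert(180, "Example Behavior Rule D", "D", r"C:\old.exe", r"C:\svc.exe", "old.exe"),
    # not a behavior alert -> filtered by event.code
    _alert(1, "Example File Rule", "E", r"C:\file.exe", r"C:\svc.exe", "file.exe",
           event_code="malicious_file"),
    # missing rule.name -> filtered by "rule.name is not null"
    _alert(1, None, "F", r"C:\x.exe", r"C:\svc.exe", "x.exe"),
    # older than the 5-day look-back -> never retrieved by the rule
    _alert(6 * 24 * 60, "Example Stale Rule", "G", r"C:\stale.exe", r"C:\svc.exe", "stale.exe"),
]


def _values(docs, field):
    """Mimic ES|QL VALUES(): the distinct non-null values of a field, sorted for determinism."""
    return sorted({d[field] for d in docs if d.get(field) is not None})


def newly_observed_behavior_alerts(alerts, now=NOW, lookback_days=5,
                                   recent_minutes=10, max_alerts=10):
    """Replay the rule's pipeline: look-back + WHERE, STATS ... BY rule.name, EVAL, WHERE, KEEP.

    Returns {rule.name: stats} for the rules that the query would report."""
    lookback_start = now - timedelta(days=lookback_days)
    groups = defaultdict(list)
    for a in alerts:
        # FROM logs-endpoint.alerts-* bounded by the schedule's look-back window
        if a["@timestamp"] < lookback_start:
            continue
        # WHERE event.code == "behavior" and rule.name is not null
        if a.get("event.code") != "behavior" or a.get("rule.name") is None:
            continue
        groups[a["rule.name"]].append(a)

    results = {}
    for rule_name, docs in groups.items():
        first_seen = min(d["@timestamp"] for d in docs)
        last_seen = max(d["@timestamp"] for d in docs)
        stats = {
            "alerts_count": len(docs),
            "first_time_seen": first_seen,
            "last_time_seen": last_seen,
            "agents_distinct_count": len({d["agent.id"] for d in docs}),
            "process_executable": _values(docs, "process.executable"),
            "process_parent_executable": _values(docs, "process.parent.executable"),
            "process_command_line": _values(docs, "process.command_line"),
            "process_hash_sha256": _values(docs, "process.hash.sha256"),
            "host_id": _values(docs, "host.id"),
            "user_name": _values(docs, "user.name"),
        }
        # EVAL Esql.recent = DATE_DIFF("minute", first_time_seen, now()), whole minutes
        stats["recent"] = int((now - first_seen).total_seconds() // 60)
        # Final WHERE: new, single-agent, low-volume, and not yet repeated
        if (stats["recent"] <= recent_minutes
                and stats["agents_distinct_count"] == 1
                and stats["alerts_count"] <= max_alerts
                and last_seen == first_seen):
            results[rule_name] = stats
    return results


if __name__ == "__main__":
    for name, stats in newly_observed_behavior_alerts(SAMPLE_ALERTS).items():
        print(name, stats["recent"], stats["host_id"], stats["process_executable"])
```

Running it reports only "Example Behavior Rule A"; widening `recent_minutes` shows how the 10-minute bound is what separates a first sighting from a rule that has been quietly firing for hours, and the `last_seen == first_seen` condition is what suppresses a rule the moment it repeats on the same agent.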
Install detection rules in Elastic Security
Detect Newly Observed Elastic Defend Behavior Alert in the Elastic Security detection engine by installing this rule into your Elastic Stack.
To set up this rule, see the installation guide for Prebuilt Security Detection Rules.