from logs-endpoint.alerts-* metadata _id
| eval target_time_window = DATE_TRUNC(24 hours, @timestamp)
| where event.code in ("malicious_file", "memory_signature", "shellcode_thread", "behavior") and
agent.id is not null and not rule.name in ("Multi.EICAR.Not-a-virus")
| stats Esql.alerts_count = COUNT(*),
Esql.event_code_distinct_count = count_distinct(event.code),
Esql.rule_name_distinct_count = COUNT_DISTINCT(rule.name),
Esql.file_hash_distinct_count = COUNT_DISTINCT(file.hash.sha256),
Esql.process_name_distinct_count = COUNT_DISTINCT(process.entity_id),
Esql.event_code_values = VALUES(event.code),
Esql.rule_name_values = VALUES(rule.name),
Esql.message_values = VALUES(message),
Esql.file_path_values = VALUES(file.path),
Esql.dll_path_values = VALUES(dll.path),
Esql.process_executable_values = VALUES(process.executable),
Esql.process_parent_executable_values = VALUES(process.parent.executable),
Esql.process_command_line_values = VALUES(process.command_line),
Esql.process_hash_sha256_values = VALUES(process.hash.sha256),
Esql.file_hash_sha256_values = VALUES(file.hash.sha256),
Esql.dll_hash_sha256_values = VALUES(dll.hash.sha256) by agent.id
| where (Esql.event_code_distinct_count >= 2 or Esql.rule_name_distinct_count >= 3 or Esql.file_hash_distinct_count >= 2)
| keep agent.id,
Esql.alerts_count,
Esql.event_code_distinct_count,
Esql.rule_name_distinct_count,
Esql.message_values,
Esql.event_code_values,
Esql.rule_name_values,
Esql.process_executable_values,
Esql.process_parent_executable_values,
Esql.process_command_line_values,
Esql.file_path_values,
Esql.dll_path_values,
Esql.process_hash_sha256_values,
Esql.file_hash_sha256_values,
Esql.dll_hash_sha256_values
Install detection rules in Elastic Security
Detect Multiple Elastic Defend Alerts by Agent in the Elastic Security detection engine by installing this rule into your Elastic Stack.
To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).