Elastic Defend Alert from GenAI Utility or Descendant

Last updated: 2026-02-27
Created: 2026-02-27

About

Detects Elastic Defend alerts (behavior, malicious file, memory signature, shellcode) where the alerted process or its direct parent is a GenAI coding or assistant utility (e.g. Cursor, Claude, Windsurf, Cody, Continue, Aider, OpenClaw, Moltbot, Clawdbot, Codeium, Tabnine, GitHub Copilot). Activity from these tools can indicate prompt injection, malicious skills, or supply-chain abuse; this Higher-Order rule helps prioritize such alerts for triage.
Tags
Domain: Endpoint
Domain: LLM
Use Case: Threat Detection
Tactic: Initial Access
Rule Type: Higher-Order Rule
Data Source: Elastic Defend
Language: esql
Severity
critical
Risk Score
99
MITRE ATT&CK™

Initial Access (TA0001)

License
Elastic License v2

Definition

Integration Pack
Prebuilt Security Detection Rules
Related Integrations


Query
FROM logs-endpoint.alerts-*, logs-endpoint.events.process-* metadata _id, _version, _index
| EVAL is_genai_spawn = TO_LOWER(process.parent.name) IN (
    "claude", "claude.exe", "cursor", "cursor.exe", "cursor helper", "cursor helper (plugin)",
    "codex", "codex.exe", "cody", "cody.exe", "copilot", "copilot.exe",
    "gemini-cli", "gemini-cli.exe", "openai", "openai.exe", "ollama", "ollama.exe",
    "llm", "llm.exe", "aider", "aider.exe", "cline", "cline.exe", "continue", "continue.exe",
    "zed", "zed.exe", "windsurf", "windsurf.exe", "tabnine", "tabnine.exe",
    "codeium", "codeium.exe", "bolt", "bolt.exe", "devin", "devin.exe",
    "replit", "replit.exe", "ghostwriter", "ghostwriter.exe", "bito", "bito.exe"
  ),
  is_openclaw_spawn = process.parent.name in ("node", "node.exe") and (
    process.parent.command_line like "*openclaw*" or
    process.parent.command_line like "*moltbot*" or
    process.parent.command_line like "*clawdbot*"
  )
| WHERE process.Ext.ancestry IS NOT NULL and (event.dataset == "endpoint.alerts" or is_genai_spawn or is_openclaw_spawn)
// Identify GenAI tool spawn events and capture their entity_ids
| EVAL genai_entity_id = CASE(is_genai_spawn or is_openclaw_spawn, process.parent.entity_id, NULL)
// Collect ALL GenAI entity_ids globally across the dataset
| INLINE STATS all_genai_entity_ids = VALUES(genai_entity_id) WHERE genai_entity_id IS NOT NULL
// Find which GenAI entity_ids appear in this process's ancestry
| EVAL Esql.genai_ancestor_ids = MV_INTERSECTION(all_genai_entity_ids, process.Ext.ancestry)
// Elastic Defend alerts from a GenAI grandparent
| WHERE Esql.genai_ancestor_ids IS NOT NULL AND event.dataset == "endpoint.alerts" AND not rule.name in (
    "Persistence via GenAI Tool",
    "Code Editor Untrusted or Unsigned Child Process Execution",
    "Suspicious Credential Access via GenAI Tool",
    "Credential Access via GenAI Tool Descendant"
  )
| KEEP *
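The query's two-pass logic (collect every GenAI tool entity_id, then intersect it with each alert's ancestry and drop the rule names already covered elsewhere), re-implemented in Python over constructed sample rows so the matching can be checked offline. This is an added example, not Elastic's code; field names follow the ES|QL query, the parent-name list is a subset of the rule's, and the sample events are made up.

```python
# Subset of the rule's parent-name list; enough to exercise the matching logic.
GENAI_PARENT_NAMES = {"claude", "claude.exe", "cursor", "cursor.exe", "cursor helper",
                      "codex", "copilot.exe", "aider", "cline", "windsurf.exe", "codeium"}
OPENCLAW_MARKERS = ("openclaw", "moltbot", "clawdbot")
EXCLUDED_RULES = {"Persistence via GenAI Tool",
                  "Code Editor Untrusted or Unsigned Child Process Execution",
                  "Suspicious Credential Access via GenAI Tool",
                  "Credential Access via GenAI Tool Descendant"}

def is_genai_spawn(ev: dict) -> bool:
    """Mirrors EVAL is_genai_spawn / is_openclaw_spawn for one event row."""
    parent = ev.get("process.parent.name", "")
    if parent.lower() in GENAI_PARENT_NAMES:
        return True
    cmd = ev.get("process.parent.command_line", "")  # LIKE is case-sensitive, so no lower()
    return parent in ("node", "node.exe") and any(m in cmd for m in OPENCLAW_MARKERS)

def genai_descendant_alerts(events: list[dict]) -> list[tuple[str, list[str]]]:
    """Return (alert _id, GenAI ancestor ids) for Defend alerts descending from a GenAI tool."""
    # Pass 1 (INLINE STATS VALUES): every GenAI tool entity_id seen anywhere in the dataset.
    genai_ids = {ev["process.parent.entity_id"] for ev in events
                 if ev.get("process.Ext.ancestry") is not None and is_genai_spawn(ev)}
    hits = []
    # Pass 2 (MV_INTERSECTION + final WHERE): alerts whose ancestry contains one of those ids.
    for ev in events:
        ancestry = ev.get("process.Ext.ancestry")
        if ev.get("event.dataset") != "endpoint.alerts" or ancestry is None:
            continue
        if ev.get("rule.name") in EXCLUDED_RULES:  # already handled by the GenAI-specific rules
            continue
        shared = sorted(genai_ids.intersection(ancestry))
        if shared:
            hits.append((ev["_id"], shared))
    return hits

def row(_id, dataset, parent, parent_id, ancestry, rule=None, cmd=""):
    """Helper to build a constructed event row with the fields the query reads."""
    return {"_id": _id, "event.dataset": dataset, "process.parent.name": parent,
            "process.parent.entity_id": parent_id, "process.Ext.ancestry": ancestry,
            "rule.name": rule, "process.parent.command_line": cmd}

# Constructed sample rows (not real telemetry): Cursor (entity p-cursor) spawned bash, which
# spawned a process Defend alerted on; a2 has no GenAI ancestor; a3 descends from an
# OpenClaw node process but carries an excluded rule name.
SAMPLE_EVENTS = [
    row("e1", "endpoint.events.process", "Cursor", "p-cursor", ["p-cursor", "p-explorer"]),
    row("a1", "endpoint.alerts", "bash", "p-bash", ["p-bash", "p-cursor", "p-explorer"], "Memory Threat (sample)"),
    row("a2", "endpoint.alerts", "explorer.exe", "p-explorer", ["p-explorer"], "Malicious File (sample)"),
    row("e2", "endpoint.events.process", "node", "p-node", ["p-node", "p-init"], cmd="node /opt/openclaw/cli.js"),
    row("a3", "endpoint.alerts", "sh", "p-sh", ["p-sh", "p-node", "p-init"], "Persistence via GenAI Tool"),
]
```

Running `genai_descendant_alerts(SAMPLE_EVENTS)` reports only a1 (via p-cursor); a3 is suppressed by the rule-name exclusion even though p-node is a GenAI ancestor.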

Install detection rules in Elastic Security

Detect Elastic Defend Alert from GenAI Utility or Descendant in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, check out the installation guide for Prebuilt Security Detection Rules.