Elastic Defend Alert Followed by Telemetry Loss

Last updated 15 days ago on 2026-02-10
Created 15 days ago on 2026-02-10

About

Detects when an Elastic Defend endpoint alert is generated on a host and is not followed by any subsequent endpoint telemetry (process, network, registry, library, or DNS events) within a short time window. This behavior may indicate endpoint security evasion, agent tampering, sensor disablement, service termination, system crash, or malicious interference with telemetry collection following detection.
Tags
Domain: EndpointData Source: Elastic DefendUse Case: Threat DetectionTactic: Defense EvasionTactic: ExecutionRule Type: Higher-Order RuleLanguage: eql
Severity
high
Risk Score
73
MITRE ATT&CKβ„’

Defense Evasion (TA0005)(external, opens in a new tab or window)

Execution (TA0002)(external, opens in a new tab or window)

False Positive Examples
Misconfiguration, system reboot, network issues or expected uninstall of the Elastic Defend agent.
License
Elastic License v2(external, opens in a new tab or window)

Definition

Rule Type
Event Correlation Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-endpoint.*
Related Integrations

endpoint(external, opens in a new tab or window)

Query
text code block:
sequence by host.id with maxspan=5m [any where event.dataset == "endpoint.alerts"] ![any where event.category in ("process", "library", "registry", "network", "dns")]

Install detection rules in Elastic Security

Detect Elastic Defend Alert Followed by Telemetry Loss in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).