Elastic Defend Alert Followed by Telemetry Loss
This rule detects when an Elastic Defend endpoint alert is generated and is not followed by subsequent endpoint telemetry events, potentially indicating endpoint security evasion, agent tampering, or sensor disablement.
This detection rule, sourced from Elastic's detection-rules repository (version as of March 23, 2026), identifies instances where an Elastic Defend endpoint alert is triggered but not followed by any endpoint telemetry events (process, network, registry, library, or DNS) within a 5-minute window. This absence of subsequent telemetry raises concerns about potential security breaches. This behavior may indicate threat actors trying to tamper with the agent. This could also indicate the host was shut down or crashed as a result of the alert. Defenders should investigate these alerts promptly to ensure the integrity of their endpoint security and investigate the possibility of defense evasion.
Attack Chain
- Initial Access: A user executes a malicious file (T1204.002), bypassing initial defenses.
- Elastic Defend Alert: The malicious activity triggers an alert within the Elastic Defend endpoint security solution.
- Defense Evasion: The attacker attempts to disable or modify security tools (T1562.001) to prevent further detection.
- Telemetry Disruption: The attacker successfully disrupts telemetry collection by tampering with the Elastic Defend agent or related services.
- Data Obfuscation: With telemetry disabled, the attacker can perform further malicious actions without generating logs or alerts.
- Lateral Movement: The attacker moves laterally to other systems on the network, exploiting the compromised endpoint as a foothold.
- Objective Execution: The attacker achieves their objective, such as data exfiltration, ransomware deployment, or system compromise.
Impact
A successful attack leading to telemetry loss can severely impair incident response capabilities. Without endpoint telemetry, security teams are blind to attacker activities, making it difficult to investigate breaches, contain damage, and eradicate threats. Depending on the attacker's objective, the impact can range from data theft and financial loss to complete system compromise and business disruption. This can affect any organization using Elastic Defend.
Recommendation
- Deploy the Sigma rule "Elastic Defend Alert Followed by Telemetry Loss" to your SIEM and tune for your environment.
- Investigate any alerts generated by the "Elastic Defend Alert Followed by Telemetry Loss" Sigma rule, prioritizing hosts with critical assets or sensitive data.
- Review and harden endpoint security configurations to prevent tampering with the Elastic Defend agent (reference T1562.001).
- Implement network segmentation and access controls to limit lateral movement from compromised endpoints.
- Monitor Elastic Defend agent health and status to detect any signs of tampering or disablement.
Detection coverage 2
Elastic Defend Alert Followed by Telemetry Loss
highDetects when an Elastic Defend alert is generated on a host and is not followed by any subsequent endpoint telemetry events within a short time window, potentially indicating defense evasion.
Potential Elastic Agent Tampering via Service Stop
mediumDetects attempts to stop the Elastic Agent service, potentially indicating an attempt to disable endpoint telemetry.
Detection queries are available on the platform. Get full rules →