{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/siem/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["SIEM"],"_cs_severities":["high"],"_cs_tags":["threat-detection","higher-order-rule","elastic-siem"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eThis detection rule identifies high-severity alerts within Elastic SIEM that are observed for the first time within a 5-day window. The rule focuses on low-volume, newly observed alerts linked to a specific detection rule. By highlighting these novel alerts, analysts can more effectively prioritize their triage and incident response efforts. This allows security teams to focus on potentially new or evolving threats, rather than being overwhelmed by repeated alerts from well-known attack patterns. The rule aims to reduce alert fatigue and improve the speed and accuracy of threat detection and response. The logic excludes threat_match, machine_learning, and new_terms rule types to minimize noisy alerts.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA malicious activity occurs on an endpoint or within a network, triggering an Elastic SIEM detection rule with a high severity score (\u0026gt;=73).\u003c/li\u003e\n\u003cli\u003eThe Elastic SIEM generates a security alert based on the triggered detection rule. This alert includes details about the event, the affected host, user, and the rule that was triggered.\u003c/li\u003e\n\u003cli\u003eThe \u0026ldquo;Newly Observed High Severity Detection Alert\u0026rdquo; rule, running every 5 minutes, queries the \u003ccode\u003e.alerts-security.*\u003c/code\u003e indices.\u003c/li\u003e\n\u003cli\u003eThe rule filters for alerts that meet specific criteria such as high risk score, excluding certain rule types like \u0026ldquo;threat_match\u0026rdquo;, \u0026ldquo;machine_learning\u0026rdquo;, and \u0026ldquo;new_terms\u0026rdquo;, and excluding endpoint alerts.\u003c/li\u003e\n\u003cli\u003eThe rule aggregates alerts by \u003ccode\u003ekibana.alert.rule.name\u003c/code\u003e to identify distinct alerts and calculates the first and last time each alert was observed.\u003c/li\u003e\n\u003cli\u003eThe rule determines if the alert is newly observed, defined as the first time it was seen within the last 10 minutes of the rule execution time. This helps filter out alerts that have been occurring for a longer period.\u003c/li\u003e\n\u003cli\u003eThe rule further filters for alerts affecting a single agent (\u003ccode\u003eagent_id_distinct_count == 1\u003c/code\u003e) and low alert counts (\u003ccode\u003ealerts_count \u0026lt;= 10\u003c/code\u003e), indicating a potentially novel or isolated incident.\u003c/li\u003e\n\u003cli\u003eThe final output highlights the newly observed, low-frequency, high-severity alert, allowing security analysts to investigate and respond accordingly.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack leading to a newly observed high severity alert could indicate a novel or evolving threat that has not been previously seen in the environment. This can lead to a delayed response, potentially allowing the attacker to further compromise systems, exfiltrate data, or cause damage. The impact depends on the specific activity that triggered the underlying high severity alert, but could range from initial access to data breach or ransomware deployment. Failure to prioritize investigation of these new alerts can result in significant financial loss, reputational damage, and operational disruption.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eNewly Observed High Severity Detection Alert\u003c/code\u003e to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eUse the \u003ccode\u003eInvestigation Steps\u003c/code\u003e outlined in the rule\u0026rsquo;s \u003ccode\u003enote\u003c/code\u003e field as a guide to triage newly observed alerts.\u003c/li\u003e\n\u003cli\u003eReview the specific rule investigation guide for further actions, as referenced in the original Elastic rule\u0026rsquo;s documentation.\u003c/li\u003e\n\u003cli\u003eConfigure alerting to notify security analysts immediately upon detection of a \u003ccode\u003eNewly Observed High Severity Detection Alert\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-newly-observed-high-severity-detection-alert/","summary":"This rule detects newly observed, low-frequency, high-severity Elastic SIEM detection alerts affecting a single agent, helping prioritize triage and response by highlighting alerts tied to specific detection rules that have not been seen previously for the host.","title":"Newly Observed High Severity Detection Alert in Elastic SIEM","url":"https://feed.craftedsignal.io/briefs/2024-01-newly-observed-high-severity-detection-alert/"}],"language":"en","title":"CraftedSignal Threat Feed — SIEM","version":"https://jsonfeed.org/version/1.1"}