{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/higher-order-rule/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["threat-detection","higher-order-rule","elastic-defend"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis Elastic Defend rule is designed to detect potentially compromised hosts by identifying those that trigger multiple distinct and rare behavior rules. The rule leverages Elastic\u0026rsquo;s ESQL to analyze endpoint alerts, focusing on behavior rules that are observed on only a single host globally within a specified lookback window. This approach filters out common or widely triggered rules, reducing false positives and highlighting truly anomalous behavior. The rule aims to pinpoint hosts exhibiting unusual activity patterns that may indicate malicious actions, warranting immediate investigation and response. 
This detection method became generally available in Elastic Stack version 9.3.0.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: An attacker gains initial access through an unknown vector.\u003c/li\u003e\n\u003cli\u003ePrivilege Escalation: The attacker attempts to elevate privileges on the compromised host.\u003c/li\u003e\n\u003cli\u003eExecution: The attacker executes malicious code or commands via a script or binary.\u003c/li\u003e\n\u003cli\u003eDefense Evasion: The attacker attempts to evade detection by disabling security tools or masking their activities.\u003c/li\u003e\n\u003cli\u003eLateral Movement: The attacker attempts to move laterally to other systems on the network.\u003c/li\u003e\n\u003cli\u003eCommand and Control: The attacker establishes a command and control channel to communicate with a remote server.\u003c/li\u003e\n\u003cli\u003eCollection: The attacker gathers sensitive data from the compromised host or network.\u003c/li\u003e\n\u003cli\u003eImpact: The attacker achieves their final objective, which could include data exfiltration, system disruption, or ransomware deployment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to significant data breaches, system compromise, and operational disruption. The targeted sectors are broad, as the rule is designed to detect general anomalous behavior. Depending on the attacker\u0026rsquo;s objectives, the impact could range from data theft and financial loss to complete system shutdown and reputational damage. Hosts identified by this rule should be considered high-priority candidates for incident response and further investigation. 
The number of victims is dependent on the scope of the intrusion, but this detection aims to limit the spread of the attack by identifying compromised hosts early.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided ESQL rule to your Elastic environment (min. version 9.3.0) to detect hosts triggering multiple rare behavior alerts as indicated by the rule_id \u003ccode\u003ec4f7a2b1-5d8e-4c3a-9b6e-2f1a0d8c7e5b\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eInvestigate any hosts flagged by this rule, reviewing the associated behavior rule names and process command lines to understand the triggering actions as documented in the rule\u0026rsquo;s \u003ccode\u003enote\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eExamine endpoint and network data for the affected host to assess the scope of the compromise and potential persistence mechanisms, per the investigation guidance in the \u003ccode\u003enote\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDocument and exclude known-good rule names or hosts from the detection if legitimate single-host tools or scripts trigger multiple rare behavior rules as described in the \u003ccode\u003enote\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eEnable Elastic Defend on all endpoints to ensure the availability of the required \u003ccode\u003eendpoint.alerts\u003c/code\u003e data source.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-11T12:00:00Z","date_published":"2026-04-11T12:00:00Z","id":"/briefs/2026-04-multiple-rare-defend-rules/","summary":"This rule identifies hosts triggering multiple distinct, globally rare Elastic Defend behavior rules, increasing the likelihood of detecting compromised hosts while reducing false positives.","title":"Multiple Rare Elastic Defend Behavior Rules Triggered on Single 
Host","url":"https://feed.craftedsignal.io/briefs/2026-04-multiple-rare-defend-rules/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["threat-detection","higher-order-rule"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eThis detection rule, created by Elastic, is designed to identify potentially compromised hosts by aggregating alert data. It focuses on scenarios where a single host triggers multiple alerts associated with different phases of an attack, as defined by the ATT\u0026amp;CK framework. The rule calculates a risk score based on the number and severity of alerts, prioritizing hosts exceeding a defined threshold. By focusing on hosts exhibiting diverse attack tactics, analysts can more effectively triage and respond to complex, multi-stage intrusions. This rule helps filter out noisy alerts such as \u0026ldquo;Agent Spoofing\u0026rdquo;, \u0026ldquo;Compression DLL Loaded by Unusual Process\u0026rdquo;, and \u0026ldquo;Potential PrintNightmare File Modification\u0026rdquo;, and focuses on alerts where \u003ccode\u003ekibana.alert.risk_score\u003c/code\u003e is greater than 0.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn adversary gains initial access to a host through various methods.\u003c/li\u003e\n\u003cli\u003eThe adversary executes malicious code or commands on the host.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes persistence to maintain access.\u003c/li\u003e\n\u003cli\u003eThe adversary attempts to escalate privileges to gain higher-level control.\u003c/li\u003e\n\u003cli\u003eThe attacker performs lateral movement to compromise other systems.\u003c/li\u003e\n\u003cli\u003eThe adversary gathers information about the compromised environment.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates sensitive data from the network.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves 
their final objective, such as data theft or disruption of services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack, as identified by this rule, can lead to significant data breaches, system compromise, and operational disruption. Multiple alerts across various tactics suggest a sophisticated and persistent attacker. Prioritizing hosts identified by this rule enables security teams to quickly contain and remediate advanced threats, minimizing potential damage and reducing the overall impact on the organization. Without this detection, analysts might miss critical correlations between seemingly isolated alerts.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to identify potentially compromised hosts based on multiple alerts across different ATT\u0026amp;CK tactics.\u003c/li\u003e\n\u003cli\u003eInvestigate any hosts flagged by this rule, correlating the alert data with other logs and telemetry to understand the full scope of the attack.\u003c/li\u003e\n\u003cli\u003eTune the threshold values in the Sigma rule (distinct rule count, tactic count, risk score) to align with your environment and risk tolerance.\u003c/li\u003e\n\u003cli\u003eEnable logging for process creation, network connections, and file modifications on all hosts to provide sufficient data for the detection rule.\u003c/li\u003e\n\u003cli\u003eReview the \u0026ldquo;False positive analysis\u0026rdquo; section of the rule\u0026rsquo;s documentation to identify and exclude known benign activities that may trigger the rule.\u003c/li\u003e\n\u003cli\u003eUse the \u003ccode\u003eEsql.kibana_alert_rule_name_values\u003c/code\u003e field in the rule output to quickly identify the specific alert types triggering the 
rule.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-24T12:00:00Z","date_published":"2024-01-24T12:00:00Z","id":"/briefs/2024-01-multiple-alerts-risky-host/","summary":"This rule uses alert data to identify hosts with multiple alerts across different ATT\u0026CK tactics, indicating a higher likelihood of compromise and enabling analysts to prioritize triage and response based on accumulated risk score.","title":"Multiple Alerts in Different ATT\u0026CK Tactics by Host","url":"https://feed.craftedsignal.io/briefs/2024-01-multiple-alerts-risky-host/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Security"],"_cs_severities":["high"],"_cs_tags":["threat-detection","higher-order-rule"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eThis detection rule, sourced from Elastic\u0026rsquo;s detection ruleset, is designed to identify potential user account compromises by aggregating and analyzing existing alert data. The rule focuses on scenarios where a single user triggers multiple distinct alerts, suggesting a higher likelihood of malicious activity. By excluding low-severity alerts and known system accounts, the rule aims to minimize false positives and prioritize investigations. This approach is particularly useful in environments where attackers may attempt to blend in with normal user activity while escalating privileges or moving laterally within the network. The rule utilizes esql to correlate alerts based on user ID. 
The rule was last updated on 2026/04/27.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a user account, potentially through phishing, credential stuffing, or other methods.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to escalate privileges within the compromised account.\u003c/li\u003e\n\u003cli\u003eThe attacker performs reconnaissance activities, such as discovering sensitive files or network shares.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to move laterally to other systems within the network using the compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker accesses sensitive data, potentially exfiltrating it from the network.\u003c/li\u003e\n\u003cli\u003eThese actions trigger various security alerts related to privilege escalation, lateral movement, and data access.\u003c/li\u003e\n\u003cli\u003eThe \u0026ldquo;Multiple Alerts Involving a User\u0026rdquo; rule detects the correlation between these alerts based on the user ID.\u003c/li\u003e\n\u003cli\u003eSecurity analysts are alerted to investigate the compromised user account and contain the potential damage.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack leveraging a compromised user account can lead to significant data breaches, financial losses, and reputational damage. The impact can range from unauthorized access to sensitive data to the complete takeover of critical systems. By identifying compromised user accounts early, organizations can mitigate the potential damage and prevent further escalation of the attack. 
This detection rule helps prioritize investigations and ensures that security analysts focus on the most critical threats.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eMultiple Alerts Involving a User\u003c/code\u003e to your SIEM to detect potential user account compromises based on correlated alerts.\u003c/li\u003e\n\u003cli\u003eEnable audit logging on systems to capture user activity and generate alerts for suspicious actions.\u003c/li\u003e\n\u003cli\u003eReview and tune the threshold values (e.g., distinct alert count) in the Sigma rule to align with your environment and risk tolerance.\u003c/li\u003e\n\u003cli\u003eUse the \u003ccode\u003eResources: Investigation Guide\u003c/code\u003e tag to access guidance on investigating triggered alerts and identifying compromised user accounts.\u003c/li\u003e\n\u003cli\u003eImplement role-based access control (RBAC) to minimize the impact of compromised accounts by limiting access to sensitive resources.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-24T10:00:00Z","date_published":"2024-01-24T10:00:00Z","id":"/briefs/2024-01-24-multiple-alerts-user/","summary":"This rule identifies when multiple different alerts involving the same user are triggered, which could indicate a compromised user account and requires further investigation.","title":"Multiple Alerts Involving a User Detection","url":"https://feed.craftedsignal.io/briefs/2024-01-24-multiple-alerts-user/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["SIEM"],"_cs_severities":["high"],"_cs_tags":["threat-detection","higher-order-rule","elastic-siem"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eThis detection rule identifies high-severity alerts within Elastic SIEM that are observed for the first time within a 5-day window. 
The rule focuses on low-volume, newly observed alerts linked to a specific detection rule. By highlighting these novel alerts, analysts can more effectively prioritize their triage and incident response efforts. This allows security teams to focus on potentially new or evolving threats, rather than being overwhelmed by repeated alerts from well-known attack patterns. The rule aims to reduce alert fatigue and improve the speed and accuracy of threat detection and response. The logic excludes threat_match, machine_learning, and new_terms rule types to minimize noisy alerts.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA malicious activity occurs on an endpoint or within a network, triggering an Elastic SIEM detection rule with a high severity score (\u0026gt;=73).\u003c/li\u003e\n\u003cli\u003eThe Elastic SIEM generates a security alert based on the triggered detection rule. This alert includes details about the event, the affected host, user, and the rule that was triggered.\u003c/li\u003e\n\u003cli\u003eThe \u0026ldquo;Newly Observed High Severity Detection Alert\u0026rdquo; rule, running every 5 minutes, queries the \u003ccode\u003e.alerts-security.*\u003c/code\u003e indices.\u003c/li\u003e\n\u003cli\u003eThe rule filters for alerts that meet specific criteria such as high risk score, excluding certain rule types like \u0026ldquo;threat_match\u0026rdquo;, \u0026ldquo;machine_learning\u0026rdquo;, and \u0026ldquo;new_terms\u0026rdquo;, and excluding endpoint alerts.\u003c/li\u003e\n\u003cli\u003eThe rule aggregates alerts by \u003ccode\u003ekibana.alert.rule.name\u003c/code\u003e to identify distinct alerts and calculates the first and last time each alert was observed.\u003c/li\u003e\n\u003cli\u003eThe rule determines if the alert is newly observed, defined as the first time it was seen within the last 10 minutes of the rule execution time. 
This helps filter out alerts that have been occurring for a longer period.\u003c/li\u003e\n\u003cli\u003eThe rule further filters for alerts affecting a single agent (\u003ccode\u003eagent_id_distinct_count == 1\u003c/code\u003e) and low alert counts (\u003ccode\u003ealerts_count \u0026lt;= 10\u003c/code\u003e), indicating a potentially novel or isolated incident.\u003c/li\u003e\n\u003cli\u003eThe final output highlights the newly observed, low-frequency, high-severity alert, allowing security analysts to investigate and respond accordingly.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack leading to a newly observed high severity alert could indicate a novel or evolving threat that has not been previously seen in the environment. This can lead to a delayed response, potentially allowing the attacker to further compromise systems, exfiltrate data, or cause damage. The impact depends on the specific activity that triggered the underlying high severity alert, but could range from initial access to data breach or ransomware deployment. 
Failure to prioritize investigation of these new alerts can result in significant financial loss, reputational damage, and operational disruption.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eNewly Observed High Severity Detection Alert\u003c/code\u003e to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eUse the \u003ccode\u003eInvestigation Steps\u003c/code\u003e outlined in the rule\u0026rsquo;s \u003ccode\u003enote\u003c/code\u003e field as a guide to triage newly observed alerts.\u003c/li\u003e\n\u003cli\u003eReview the specific rule investigation guide for further actions, as referenced in the original Elastic rule\u0026rsquo;s documentation.\u003c/li\u003e\n\u003cli\u003eConfigure alerting to notify security analysts immediately upon detection of a \u003ccode\u003eNewly Observed High Severity Detection Alert\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-newly-observed-high-severity-detection-alert/","summary":"This rule detects newly observed, low-frequency, high-severity Elastic SIEM detection alerts affecting a single agent, helping prioritize triage and response by highlighting alerts tied to specific detection rules that have not been seen previously for the host.","title":"Newly Observed High Severity Detection Alert in Elastic SIEM","url":"https://feed.craftedsignal.io/briefs/2024-01-newly-observed-high-severity-detection-alert/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Security"],"_cs_severities":["high"],"_cs_tags":["threat-detection","higher-order-rule","attack"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eThis detection rule correlates multiple security alerts associated with the same ATT\u0026amp;CK tactic on a single host within a defined time 
window (60 minutes). The purpose of this rule is to identify hosts exhibiting concentrated malicious behavior, which may indicate an active intrusion or post-compromise activity. This allows analysts to prioritize triage towards hosts with a higher likelihood of compromise. The rule specifically excludes noisy tactics such as Discovery, Persistence, and Lateral Movement, focusing instead on tactics like Credential Access, Defense Evasion, Execution, and Command and Control. It requires at least three unique detection rules to trigger, ensuring that the activity is not a single, isolated event. The rule also excludes alerts generated by Machine Learning and Threat Match rules, as well as some noisy rules such as \u0026ldquo;Agent Spoofing - Mismatched Agent ID\u0026rdquo; and \u0026ldquo;Process Termination followed by Deletion\u0026rdquo;.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e An attacker gains initial access to a host through methods like exploiting a vulnerability or using stolen credentials.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExecution:\u003c/strong\u003e The attacker executes malicious code on the compromised host, potentially using tools like PowerShell or cmd.exe.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDefense Evasion:\u003c/strong\u003e The attacker attempts to evade detection by disabling security controls or obfuscating their actions.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Access:\u003c/strong\u003e The attacker attempts to steal credentials from the compromised host, such as passwords or Kerberos tickets.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCommand and Control:\u003c/strong\u003e The attacker establishes a command and control channel to communicate with the compromised host.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eFurther Exploitation:\u003c/strong\u003e The attacker uses 
the compromised host to move laterally within the network, potentially targeting other systems or data.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration or Impact:\u003c/strong\u003e The attacker exfiltrates sensitive data from the network or causes damage to systems.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to significant data breaches, financial losses, and reputational damage. By identifying hosts exhibiting multiple alerts related to the same ATT\u0026amp;CK tactic, organizations can proactively respond to potential intrusions before they escalate into more serious incidents. Failure to detect and respond to these types of attacks can result in widespread compromise and significant disruption to business operations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule provided in this brief to your SIEM to detect hosts exhibiting multiple alerts within the same ATT\u0026amp;CK tactic. 
Tune the rule to your environment to reduce false positives.\u003c/li\u003e\n\u003cli\u003eInvestigate hosts that trigger the Sigma rule to determine the root cause of the alerts and take appropriate remediation steps.\u003c/li\u003e\n\u003cli\u003eReview and update your existing detection rules to ensure they are effective at detecting the latest threats and tactics.\u003c/li\u003e\n\u003cli\u003eEnable logging for process creation, network connections, and file modifications to provide more visibility into host activity and improve detection capabilities.\u003c/li\u003e\n\u003cli\u003eImplement a vulnerability management program to identify and patch vulnerabilities on your systems to prevent attackers from gaining initial access.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-multiple-alerts-same-tactic/","summary":"This rule correlates multiple security alerts associated with the same ATT\u0026CK tactic on a single host within a defined time window, helping to identify hosts exhibiting concentrated malicious behavior indicative of an active intrusion or post-compromise activity, focusing on Credential Access, Defense Evasion, Execution, and Command and Control tactics.","title":"Multiple Alerts in Same ATT\u0026CK Tactic by Host","url":"https://feed.craftedsignal.io/briefs/2024-01-multiple-alerts-same-tactic/"}],"language":"en","title":"CraftedSignal Threat Feed — Higher-Order-Rule","version":"https://jsonfeed.org/version/1.1"}