{
  "description": "Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.",
  "feed_url": "https://feed.craftedsignal.io/tags/use-case-threat-detection/",
  "home_page_url": "https://feed.craftedsignal.io/",
  "items": [
    {
      "_cs_actors": [],
      "_cs_cves": [],
      "_cs_exploited": false,
      "_cs_products": ["Elastic Cloud"],
      "_cs_severities": ["critical"],
      "_cs_tags": ["Domain: Identity", "Domain: LLM", "Use Case: Threat Detection", "Use Case: Identity and Access Audit", "Resources: Investigation Guide", "Rule Type: Higher-Order Rule"],
      "_cs_type": "advisory",
      "_cs_vendors": ["Elastic"],
      "content_html": "\u003cp\u003eThis Elastic Security rule, which requires Elastic Cloud 9.3.0 or later, uses an Elastic Managed LLM to analyze correlated security alerts and identify potentially compromised user accounts. The rule aggregates the alerts associated with a single user and examines alert patterns, MITRE ATT\u0026amp;CK tactic progression, unusual geographic locations, and multi-host activity. The LLM then returns a verdict (compromised, benign, or suspicious) and a confidence score. The rule aims to reduce analyst workload by surfacing users exhibiting indicators of credential theft or unauthorized access. It is a higher-order rule: its input is the alerts produced by other detection rules rather than raw events, so it complements those rules instead of replacing them.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eMultiple security alerts are triggered across various data sources, such as endpoint activity, network traffic, and authentication logs.\u003c/li\u003e\n\u003cli\u003eAlerts are aggregated and correlated by user.name and user.id, filtering out system accounts and noisy rule types.\u003c/li\u003e\n\u003cli\u003eThe rule extracts key alert details, including rule names, threat tactics, techniques, affected hosts, source IPs, and event datasets.\u003c/li\u003e\n\u003cli\u003eAn alert summary is constructed, including the user\u0026rsquo;s name, email, number of alerts, distinct rules triggered, affected hosts, time window, and maximum risk score.\u003c/li\u003e\n\u003cli\u003eThe LLM analyzes the alert summary, weighing multi-host activity, credential access alerts, unusual source IPs, and tactic progression.\u003c/li\u003e\n\u003cli\u003eThe LLM returns a verdict (TP for compromised, FP for benign, or SUSPICIOUS), a confidence score, and a brief summary explaining the assessment.\u003c/li\u003e\n\u003cli\u003eThe rule keeps only users whose verdict is TP or SUSPICIOUS and whose confidence score is above 0.7.\u003c/li\u003e\n\u003cli\u003eThe ES|QL output columns are mapped to ECS fields for timeline visibility and alert exclusion, and the analyst is presented with a high-confidence alert for the flagged user.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eAn attacker operating with compromised credentials can gain unauthorized access to sensitive data, move laterally within the network, and ultimately exfiltrate data or deploy ransomware. This rule helps identify compromised user accounts quickly, so that security teams can respond before that damage is done. It reduces the time analysts spend manually triaging individual alerts and lets them prioritize high-risk users based on the LLM\u0026rsquo;s assessment.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnsure that your Elastic Cloud deployment is running version 9.3.0 or later, which the rule needs for the ES|QL COMPLETION command with Elastic\u0026rsquo;s managed LLM.\u003c/li\u003e\n\u003cli\u003eReview the \u003ccode\u003eEsql.summary\u003c/code\u003e field in each generated alert to understand why the LLM flagged the user.\u003c/li\u003e\n\u003cli\u003ePrioritize alerts whose \u003ccode\u003eEsql.confidence\u003c/code\u003e score is above 0.9, which indicates that the LLM found strong evidence of compromise, but still triage the alerts between 0.7 and 0.9 that the rule surfaces. The score is the LLM\u0026rsquo;s own assessment, not a calibrated probability, so corroborate it against the underlying alerts before acting.\u003c/li\u003e\n\u003cli\u003eExamine \u003ccode\u003eEsql.kibana_alert_rule_name_values\u003c/code\u003e and \u003ccode\u003eEsql.kibana_alert_rule_threat_tactic_name_values\u003c/code\u003e to see which detection rules fired and which MITRE ATT\u0026amp;CK tactics were observed.\u003c/li\u003e\n\u003cli\u003eFollow the investigation steps in the rule\u0026rsquo;s note, checking for unusual login times and locations, password resets, and MFA changes.\u003c/li\u003e\n\u003c/ul\u003e\n",
      "date_modified": "2026-04-28T17:17:03Z",
      "date_published": "2026-04-28T17:17:03Z",
      "id": "/briefs/2024-05-llm-compromised-user/",
      "summary": "This rule correlates multiple security alerts involving the same user, analyzes them with an LLM, and flags potentially compromised accounts based on MITRE tactics, geographic anomalies, and multi-host activity, helping analysts prioritize users exhibiting indicators of credential theft or unauthorized access.",
      "title": "LLM-Based Compromised User Triage",
      "url": "https://feed.craftedsignal.io/briefs/2024-05-llm-compromised-user/"
    }
  ],
  "language": "en",
  "title": "CraftedSignal Threat Feed — Use Case: Threat Detection",
  "version": "https://jsonfeed.org/version/1.1"
}
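The eight-step flow described in the brief's Attack Chain, as an added Python example that is not part of the CraftedSignal brief or of Elastic's rule: it groups constructed sample alerts by user, drops system accounts and noisy rules, renders the per-user summary that would be handed to the LLM, and applies the TP/SUSPICIOUS and confidence-above-0.7 post-filter. The LLM call is replaced by a heuristic stand-in that counts the four signals the brief says the LLM weighs (multi-host activity, credential access alerts, multiple source IPs, tactic progression along the ATT&CK kill chain). That heuristic, the exclusion lists, the sample alerts, and every `Esql.*` column name other than the four the brief mentions are assumptions.

```python
"""Per-user alert correlation, prompt construction and the 0.7 confidence post-filter,
modelled on the steps the brief describes. The LLM call is a heuristic stand-in (assumption)
so the whole pipeline runs offline on constructed sample alerts."""
from collections import defaultdict

# ATT&CK Enterprise tactics in kill-chain order, used to judge "tactic progression".
TACTIC_ORDER = ["Reconnaissance", "Resource Development", "Initial Access", "Execution",
                "Persistence", "Privilege Escalation", "Defense Evasion", "Credential Access",
                "Discovery", "Lateral Movement", "Collection", "Command and Control",
                "Exfiltration", "Impact"]
TACTIC_RANK = {name: i for i, name in enumerate(TACTIC_ORDER)}

# Assumed exclusion lists; the brief only says system accounts and noisy rule types are dropped.
SYSTEM_ACCOUNTS = {"SYSTEM", "root", "svc-backup"}
NOISY_RULES = {"Endpoint Security"}


def _alert(ts, user, uid, host, ip, rule, tactic, risk, dataset="endpoint.alerts"):
    """One flattened alert document with ES|QL-style column names (constructed)."""
    return {"@timestamp": ts, "user.name": user, "user.id": uid, "user.email": f"{user}@example.test",
            "host.name": host, "source.ip": ip, "kibana.alert.rule.name": rule,
            "kibana.alert.rule.threat.tactic.name": tactic, "kibana.alert.risk_score": risk,
            "event.dataset": dataset}


# Constructed sample alerts, not real data. ISO-8601 timestamps with one fixed offset sort as strings.
SAMPLE_ALERTS = [
    _alert("2026-04-28T09:00:00+00:00", "alice", "u-100", "wks-01", "203.0.113.7", "Okta Sign-In From Rare Geo", "Initial Access", 47, "okta.system"),
    _alert("2026-04-28T09:12:00+00:00", "alice", "u-100", "wks-01", "203.0.113.7", "LSASS Memory Access", "Credential Access", 73),
    _alert("2026-04-28T09:40:00+00:00", "alice", "u-100", "srv-db-02", "10.0.5.21", "Remote Service Creation", "Lateral Movement", 73),
    _alert("2026-04-28T09:41:00+00:00", "alice", "u-100", "srv-db-02", "10.0.5.21", "Endpoint Security", "Execution", 21),  # noisy rule, dropped
    _alert("2026-04-28T10:05:00+00:00", "bob", "u-200", "wks-07", "10.0.5.40", "Credential Dumping Tool", "Credential Access", 73),
    _alert("2026-04-28T10:20:00+00:00", "bob", "u-200", "wks-07", "10.0.5.40", "Enumeration of Domain Admins", "Discovery", 47),
    _alert("2026-04-28T11:00:00+00:00", "carol", "u-300", "wks-09", "198.51.100.2", "Whoami Execution", "Discovery", 21),
    _alert("2026-04-28T11:30:00+00:00", "carol", "u-300", "wks-09", "198.51.100.9", "Whoami Execution", "Discovery", 21),
    _alert("2026-04-28T11:45:00+00:00", "SYSTEM", "S-1-5-18", "wks-09", "10.0.5.40", "Scheduled Task Created", "Persistence", 47),  # system account, dropped
]


def aggregate_by_user(alerts):
    """Steps 2-4: group by (user.name, user.id), apply the exclusions, build per-user summaries."""
    groups = defaultdict(list)
    for a in alerts:
        if a["user.name"] in SYSTEM_ACCOUNTS or a["kibana.alert.rule.name"] in NOISY_RULES:
            continue
        groups[(a["user.name"], a["user.id"])].append(a)
    summaries = {}
    for key, rows in groups.items():
        rows.sort(key=lambda r: r["@timestamp"])
        first_seen = {}  # tactic -> timestamp of the first alert carrying it
        for r in rows:
            first_seen.setdefault(r["kibana.alert.rule.threat.tactic.name"], r["@timestamp"])
        summaries[key] = {
            "user_name": key[0], "user_id": key[1], "user_email": rows[0]["user.email"],
            "alert_count": len(rows),
            "rule_names": sorted({r["kibana.alert.rule.name"] for r in rows}),
            "tactics": sorted(first_seen, key=first_seen.get),  # in order of first appearance
            "hosts": sorted({r["host.name"] for r in rows}),
            "source_ips": sorted({r["source.ip"] for r in rows}),
            "window": (rows[0]["@timestamp"], rows[-1]["@timestamp"]),
            "max_risk_score": max(r["kibana.alert.risk_score"] for r in rows),
        }
    return summaries


def build_prompt(s):
    """Step 4: render the alert summary as the text the LLM is asked to judge."""
    start, end = s["window"]
    return (f"User {s['user_name']} ({s['user_email']}) triggered {s['alert_count']} alerts from "
            f"{len(s['rule_names'])} distinct rules between {start} and {end}.\n"
            f"Rules: {', '.join(s['rule_names'])}\nTactics in order seen: {' -> '.join(s['tactics'])}\n"
            f"Hosts: {', '.join(s['hosts'])}\nSource IPs: {', '.join(s['source_ips'])}\n"
            f"Max risk score: {s['max_risk_score']}\n"
            "Reply with VERDICT (TP, FP or SUSPICIOUS), CONFIDENCE (0-1) and a one-line SUMMARY.")


def heuristic_verdict(s):
    """Stand-in for the LLM (assumption): counts the signals the brief says the LLM weighs."""
    signals = []
    if len(s["hosts"]) > 1:
        signals.append("multi-host activity")
    if "Credential Access" in s["tactics"]:
        signals.append("credential access alerts")
    if len(s["source_ips"]) > 1:
        signals.append("multiple source IPs")
    ranks = [TACTIC_RANK[t] for t in s["tactics"]]
    if len(ranks) >= 2 and ranks == sorted(ranks):  # tactics advanced along the kill chain
        signals.append("tactic progression " + " -> ".join(s["tactics"]))
    verdict = "TP" if len(signals) >= 3 else "SUSPICIOUS" if signals else "FP"
    confidence = {0: 0.8, 1: 0.6, 2: 0.75, 3: 0.85, 4: 0.95}[len(signals)]
    return verdict, confidence, "; ".join(signals) or "no corroborating signals"


def triage(alerts, verdict_fn=heuristic_verdict, min_confidence=0.7):
    """Steps 5-8: judge each user, keep TP/SUSPICIOUS above the threshold, emit Esql.* columns.
    Only Esql.summary, Esql.confidence and the two *_values columns are named in the brief."""
    results = []
    for s in aggregate_by_user(alerts).values():
        verdict, confidence, summary = verdict_fn(s)
        if verdict not in ("TP", "SUSPICIOUS") or confidence <= min_confidence:
            continue
        results.append({"user.name": s["user_name"], "user.id": s["user_id"],
                        "Esql.verdict": verdict, "Esql.confidence": confidence, "Esql.summary": summary,
                        "Esql.kibana_alert_rule_name_values": s["rule_names"],
                        "Esql.kibana_alert_rule_threat_tactic_name_values": s["tactics"],
                        "Esql.host_name_values": s["hosts"], "Esql.alert_count": s["alert_count"]})
    return sorted(results, key=lambda r: -r["Esql.confidence"])


if __name__ == "__main__":
    for row in triage(SAMPLE_ALERTS):
        print(f"{row['user.name']}: {row['Esql.verdict']} ({row['Esql.confidence']}) - {row['Esql.summary']}")
```

Run as-is, the stand-in flags alice as TP (all four signals) and bob as SUSPICIOUS at 0.75, while carol, who only shows two source IPs, scores 0.6 and is dropped by the 0.7 floor even though her verdict is SUSPICIOUS. That is the behaviour to keep in mind when reading `Esql.confidence` in a real alert: the threshold hides low-confidence suspicious users entirely, so anything that does surface deserves a look, and `build_prompt` shows how much of what the LLM sees is text lifted straight from alert fields.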