
Potential Widespread Malware Infection Across Multiple Hosts


This rule uses alert data to determine when the same malware signature is triggered on multiple hosts. Analysts can use it to prioritize triage and response, as this can indicate a widespread malware infection.

Rule type: esql

Rule indices: None

Severity: high

Risk score: 73

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Domain: Endpoint
  • Data Source: Elastic Defend
  • Use Case: Threat Detection
  • Tactic: Execution
  • Rule Type: Higher-Order Rule

Version: 2

Rule authors:

  • Elastic

Rule license: Elastic License v2

Rule query

from logs-endpoint.alerts-*
| where event.code in ("malicious_file", "memory_signature", "shellcode_thread") and rule.name is not null
| keep host.id, rule.name, event.code
| stats hosts = count_distinct(host.id) by rule.name, event.code
| where hosts >= 3
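The following Python re-implements the query's four stages (filter on event.code and a non-null rule.name, keep the three fields, count distinct host.id per rule.name/event.code pair, keep pairs seen on three or more hosts) over a handful of constructed alert documents. It is an added illustration, not Elastic's code: the signature names, host ids and the `count_hosts_per_signature`/`widespread_signatures` helpers are assumptions made for the example. It is useful for checking the rule's behaviour on edge cases the ES|QL hides: a host that fires the same signature twice is counted once, alerts with a null rule.name are dropped, and an event.code outside the three listed never contributes.

```python
"""Python equivalent of the rule's ES|QL pipeline over constructed sample
alerts. Added example, not Elastic's own code; signature and host names
are made up for the illustration."""
from collections import defaultdict

# The three Elastic Defend alert event codes the rule filters on.
MALWARE_EVENT_CODES = {"malicious_file", "memory_signature", "shellcode_thread"}
HOST_THRESHOLD = 3  # mirrors `where hosts >= 3`

# Constructed sample documents standing in for logs-endpoint.alerts-* hits.
SAMPLE_ALERTS = [
    {"host.id": "h-01", "rule.name": "Windows.Trojan.Generic", "event.code": "malicious_file"},
    {"host.id": "h-02", "rule.name": "Windows.Trojan.Generic", "event.code": "malicious_file"},
    # Same host, same signature again: count_distinct counts h-02 once.
    {"host.id": "h-02", "rule.name": "Windows.Trojan.Generic", "event.code": "malicious_file"},
    {"host.id": "h-03", "rule.name": "Windows.Trojan.Generic", "event.code": "malicious_file"},
    {"host.id": "h-04", "rule.name": "Windows.Trojan.Generic", "event.code": "memory_signature"},
    {"host.id": "h-05", "rule.name": "Windows.Trojan.Generic", "event.code": "memory_signature"},
    {"host.id": "h-06", "rule.name": "Linux.Ransomware.Sample", "event.code": "shellcode_thread"},
    # Dropped by `rule.name is not null`.
    {"host.id": "h-07", "rule.name": None, "event.code": "malicious_file"},
    # Dropped by the event.code filter.
    {"host.id": "h-08", "rule.name": "Windows.Trojan.Generic", "event.code": "behavior"},
]


def count_hosts_per_signature(alerts):
    """The `where` + `keep` + `stats` stages: map (rule.name, event.code)
    to the number of distinct host.id values that raised it."""
    hosts = defaultdict(set)
    for doc in alerts:
        if doc.get("event.code") not in MALWARE_EVENT_CODES:
            continue
        if doc.get("rule.name") is None:
            continue
        hosts[(doc["rule.name"], doc["event.code"])].add(doc["host.id"])
    return {key: len(ids) for key, ids in hosts.items()}


def widespread_signatures(alerts, threshold=HOST_THRESHOLD):
    """The final `where hosts >= 3` stage: keep only signature/event.code
    pairs observed on at least `threshold` distinct hosts."""
    counts = count_hosts_per_signature(alerts)
    return {key: n for key, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for (rule_name, code), n in sorted(widespread_signatures(SAMPLE_ALERTS).items()):
        print(f"{rule_name} / {code}: {n} hosts")
```

On the sample data only `Windows.Trojan.Generic` with `malicious_file` reaches three distinct hosts; the `memory_signature` hits for the same signature stay at two and do not alert, which matches the rule grouping by both rule.name and event.code rather than by signature alone. Lowering `threshold` to 2 shows how the same data would look with a more sensitive cut-off.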

Framework: MITRE ATT&CK™
