Loading

Elastic Defend Alert Followed by Telemetry Loss

Detects when an Elastic Defend endpoint alert is generated on a host and is not followed by any subsequent endpoint telemetry (process, network, registry, library, or DNS events) within a short time window. This behavior may indicate endpoint security evasion, agent tampering, sensor disablement, service termination, system crash, or malicious interference with telemetry collection following detection.

Rule type: eql
Rule indices:

  • logs-endpoint.*

Rule Severity: high
Risk Score: 73
Runs every:
Searches indices from: now-9m
Maximum alerts per execution: 100
References:

Tags:

  • Domain: Endpoint
  • Data Source: Elastic Defend
  • Use Case: Threat Detection
  • Tactic: Defense Evasion
  • Tactic: Execution
  • Rule Type: Higher-Order Rule
  • Resources: Investigation Guide

Version: 1
Rule authors:

  • Elastic

Rule license: Elastic License v2

Disclaimer: This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

This rule identifies situations where an Elastic Defend alert is generated on a host and is not followed by any normal endpoint activity events within a short time window. This may indicate agent tampering, sensor disablement, host shutdown, system crash, or defense evasion behavior.

  • Review the original endpoint.alert event and identify the detection that triggered the alert.
  • Check the host’s online status, uptime, and reboot history.
  • Verify the health and status of the Elastic Defend agent and related services.
  • Look for evidence of agent tampering, service stops, or security control modifications.
  • Correlate with activity immediately preceding the alert for signs of exploitation or evasion.
  • Determine if similar alert → silence patterns are occurring on other hosts.
  • Legitimate system reboots or shutdowns
  • Network connectivity loss
  • Elastic Agent upgrades or restarts
  • Endpoint service crashes
  • Maintenance or IT operations
  • Validate host and agent availability.
  • Reconnect or re-enroll the agent if telemetry is missing.
  • Isolate the host if malicious activity is suspected.
  • Investigate for security control tampering.
  • Perform broader environment hunting for similar patterns.
sequence by host.id with maxspan=5m
 [any where event.dataset == "endpoint.alerts"]
 ![any where event.category in ("process", "library", "registry", "network", "dns")]

Framework: MITRE ATT&CK

Framework: MITRE ATT&CK