« Update v8.19.21 Configure endpoint protection with Elastic Defend »
Elastic Docs Elastic Security [8.19] Detections and alerts Downloadable rule updates

Update v8.19.22

edit
IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.

Update v8.19.22

edit

This section lists all updates associated with version 8.19.22 of the Fleet integration Prebuilt Security Detection Rules.

Rule Description Status Version

Multiple Alerts Involving a User

This rule uses alert data to determine when multiple different alerts involving the same user are triggered. Analysts can use this to prioritize triage and response, as these users are more likely to be compromised.

update

9

Alerts in Different ATT&CK Tactics by Host

This rule uses alert data to determine when multiple alerts in different phases of an attack involving the same host are triggered and where the accumulated risk score is higher than a defined threshold. Analysts can use this to prioritize triage and response, as these hosts are more likely to be compromised.

update

5

Multiple Alerts in Same ATT&CK Tactic by Host

This rule correlates multiple security alerts associated with the same ATT&CK tactic on a single host within a defined time window. By requiring alerts from multiple distinct detection rules, this detection helps identify hosts exhibiting concentrated malicious behavior, which may indicate an active intrusion or post-compromise activity. The rule is intended to assist analysts in prioritizing triage toward hosts with higher likelihood of compromise rather than signaling a single discrete event.

update

5

Multiple External EDR Alerts by Host

This rule uses alert data to determine when multiple external EDR alerts involving the same host are triggered. Analysts can use this to prioritize triage and response, as these hosts are more likely to be compromised.

update

5

Newly Observed High Severity Detection Alert

This rule detects Elastic SIEM high severity detection alerts that are observed for the first time in the previous 5 days of alert history. It highlights low-volume, newly observed alerts tied to a specific detection rule, analysts can use this to prioritize triage and response.

update

6

Okta Alerts Following Unusual Proxy Authentication

Correlates the first occurrence of an Okta user session started via a proxy with subsequent Okta security alerts for the same user. Attackers frequently use proxy infrastructure (VPNs, Tor, residential proxies) to mask their origin when using stolen credentials, and their post-authentication activity often triggers additional detection rules.

update

3
« Update v8.19.21 Configure endpoint protection with Elastic Defend »