Elastic Defend Alert Followed by Telemetry Loss
editElastic Defend Alert Followed by Telemetry Loss
editDetects when an Elastic Defend endpoint alert is generated on a host and is not followed by any subsequent endpoint telemetry (process, network, registry, library, or DNS events) within a short time window. This behavior may indicate endpoint security evasion, agent tampering, sensor disablement, service termination, system crash, or malicious interference with telemetry collection following detection.
Rule type: eql
Rule indices:
- logs-endpoint.*
Severity: high
Risk score: 73
Runs every: 5m
Searches indices from: now-9m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References:
Tags:
- Domain: Endpoint
- Data Source: Elastic Defend
- Use Case: Threat Detection
- Tactic: Defense Evasion
- Tactic: Execution
- Rule Type: Higher-Order Rule
- Resources: Investigation Guide
Version: 1
Rule authors:
- Elastic
Rule license: Elastic License v2
Investigation guide
editTriage and analysis
Disclaimer: This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
Investigating Elastic Defend Alert Followed by Telemetry Loss
This rule identifies situations where an Elastic Defend alert is generated on a host and is not followed by any normal endpoint activity events within a short time window. This may indicate agent tampering, sensor disablement, host shutdown, system crash, or defense evasion behavior.
Possible investigation steps
-
Review the original
endpoint.alertevent and identify the detection that triggered the alert. - Check the host’s online status, uptime, and reboot history.
- Verify the health and status of the Elastic Defend agent and related services.
- Look for evidence of agent tampering, service stops, or security control modifications.
- Correlate with activity immediately preceding the alert for signs of exploitation or evasion.
- Determine if similar alert → silence patterns are occurring on other hosts.
False positive analysis
- Legitimate system reboots or shutdowns
- Network connectivity loss
- Elastic Agent upgrades or restarts
- Endpoint service crashes
- Maintenance or IT operations
Response and remediation
- Validate host and agent availability.
- Reconnect or re-enroll the agent if telemetry is missing.
- Isolate the host if malicious activity is suspected.
- Investigate for security control tampering.
- Perform broader environment hunting for similar patterns.
Rule query
editsequence by host.id with maxspan=5m
[any where event.dataset == "endpoint.alerts"]
![any where event.category in ("process", "library", "registry", "network", "dns")]
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Defense Evasion
- ID: TA0005
- Reference URL: https://attack.mitre.org/tactics/TA0005/
-
Technique:
- Name: Impair Defenses
- ID: T1562
- Reference URL: https://attack.mitre.org/techniques/T1562/
-
Sub-technique:
- Name: Disable or Modify Tools
- ID: T1562.001
- Reference URL: https://attack.mitre.org/techniques/T1562/001/
-
Tactic:
- Name: Execution
- ID: TA0002
- Reference URL: https://attack.mitre.org/tactics/TA0002/
-
Technique:
- Name: User Execution
- ID: T1204
- Reference URL: https://attack.mitre.org/techniques/T1204/
-
Sub-technique:
- Name: Malicious File
- ID: T1204.002
- Reference URL: https://attack.mitre.org/techniques/T1204/002/