Threat Research

Prioritizing Alerts Triage with Higher-Order Detection Rules

Elastic.co
Prioritizing Alerts Triage with Higher-Order Detection Rules

Elastic’s Higher-Order Rules correlate alerts across entities, data sources, and time windows to surface higher-confidence detections and reduce triage noise. This approach enriches endpoint alerts with network and observability telemetry (examples: Elastic Defend, Palo Alto/ FortiGate, Suricata) to catch complex activity like the XZ Utils backdoor incident and improve prioritization. #XZUtils #ElasticDefend

Keypoints

  • Higher-Order Rules (HOR) correlate alerts with alerts or alerts with additional telemetry (events, metrics, contextual data) rather than detecting a single behavior.
  • Three core design principles: entity-based correlation (host, user, IP, process), cross–data source visibility (endpoint, network, email, observability), and time/prevalence awareness (first-seen and rarity logic).
  • HOR patterns include correlation (multiple related alerts), newly observed (first-seen/rare alerts within a lookback), and hybrid rules combining both approaches.
  • Endpoint-only HORs aggregate multiple Elastic Defend alerts or alerts within a process tree to raise confidence and reduce false positives from noisy endpoint telemetry.
  • Cross-domain HORs join endpoint and network alerts (host.ip ↔ source.ip) and can link Suricata/PANW/FortiGate alerts to the originating process and user for richer context.
  • Observability correlation pairs security alerts with metrics (e.g., sustained high CPU) to surface activity like cryptominers or backdoors that first appear as performance anomalies.
  • Operational trade-offs include scheduling latency, dependence on base rule quality (noisy atomic rules cascade false positives), and ES|QL query cost—recommend tuning base rules, scoping indices, and starting small.

MITRE Techniques

  • [T0000 ] No specific ATT&CK technique IDs were explicitly named – The article references ATT&CK-aligned groupings and tactics (e.g., lateral movement, command and control) but does not list technique IDs. [‘ATT&CK-aligned groupings (single or multi-tactic activity)’ ; ‘lateral movement patterns (for example, alert_1 host.ip = alert_2 source.ip)’]

Indicators of Compromise

  • [IP Address ] used as the join key across network and endpoint alerts – examples: host.ip (Elastic Defend), source.ip (PANW/FortiGate/Suricata)
  • [File Hash (SHA-256) ] referenced for grouping unique malicious files and rarity checks – examples: file.hash.sha256, process.hash.sha256 (no concrete hash values provided)
  • [Process / Executable Name ] used to link alerts to running software and identify exploited services – examples: nginx, sshd (SSH daemon referenced in XZ Utils investigation)
  • [Alert / Rule Names & Messages ] atomic signals feeding HORs and used for first-seen logic or exclusions – examples: Multi.EICAR.Not-a-virus, “Command and Control Traffic”, “Potentially Bad Traffic”, “c2_communication”
  • [Process Command Line / Parent Executable ] contextual IOCs for triage and correlation – examples: process.command_line, process.parent.executable
  • [Host and User Identifiers ] entity fields for aggregation and risk scoring – examples: host.id, user.name

Read more: https://www.elastic.co/security-labs/higher-order-detection-rules