Link to Rule
https://github.com/elastic/detection-rules/blob/main/rules/cross-platform/defense_evasion_elastic_agent_service_terminated.toml
Rule Tuning Type
False Positives - Reducing benign events mistakenly identified as threats.
Description
This rule alerts on the Elastic Agent updating itself via Elastic Fleet, which is benign activity.
Potentially useful fields:
process.command_line: /bin/systemctl stop ElasticEndpoint
process.entry_leader.executable: /opt/Elastic/Agent/data/elastic-agent-9.3.1-2ec825/elastic-agent
process.group_leader.working_directory: /opt/Elastic/Agent/data/elastic-agent-9.3.1-2ec825/components
process.parent.command_line: /opt/Elastic/Agent/data/elastic-agent-9.3.1-2ec825/components/previous/elastic-endpoint uninstall --keepstate --log stdout
process.parent.working_directory: /opt/Elastic/Agent/data/elastic-agent-9.3.1-2ec825/components
Example Data
No response
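As an added illustration (not part of this issue and not the shipped rule's query), the check below shows how the fields listed above can be combined into a candidate exception: the service stop is only treated as a Fleet-driven self-upgrade when the entry leader is the agent binary inside the agent's own data directory, the parent is the previous elastic-endpoint component running "uninstall --keepstate", and the parent's working directory is the components directory. The regular expressions, the helper names and the non-matching sample event are assumptions constructed for the example; the version directory is matched with a wildcard so the exception survives the next upgrade, which goes beyond the single version shown in the report.

```python
import re

# ECS field names are the ones quoted in the report. The patterns below are an
# assumption for illustration, not the detection rule's own query.
AGENT_DIR = r"/opt/Elastic/Agent/data/elastic-agent-[^/\s]+"
STOP_CMD_RE = re.compile(r"^(/usr)?/bin/systemctl stop ElasticEndpoint$")
ENTRY_LEADER_RE = re.compile(rf"^{AGENT_DIR}/elastic-agent$")
PARENT_UNINSTALL_RE = re.compile(
    rf"^{AGENT_DIR}/components/previous/elastic-endpoint uninstall --keepstate( .*)?$"
)
PARENT_CWD_RE = re.compile(rf"^{AGENT_DIR}/components$")


def is_fleet_self_upgrade(event: dict) -> bool:
    """True only when every contextual field matches the upgrade flow from the report.

    Requiring all four fields together keeps the exception narrow: a bare
    'systemctl stop ElasticEndpoint' from any other ancestry still alerts.
    """
    return bool(
        STOP_CMD_RE.match(event.get("process.command_line", ""))
        and ENTRY_LEADER_RE.match(event.get("process.entry_leader.executable", ""))
        and PARENT_UNINSTALL_RE.match(event.get("process.parent.command_line", ""))
        and PARENT_CWD_RE.match(event.get("process.parent.working_directory", ""))
    )


def triage(events: list[dict]) -> list[dict]:
    """Return the events that should still raise an alert after the exception is applied."""
    return [e for e in events if not is_fleet_self_upgrade(e)]


# Sample events. The first uses the values from the report; the second uses a
# later, constructed version directory; the third is a constructed event with
# the same command line but unrelated ancestry and must not be suppressed.
SAMPLE_EVENTS = [
    {
        "process.command_line": "/bin/systemctl stop ElasticEndpoint",
        "process.entry_leader.executable": "/opt/Elastic/Agent/data/elastic-agent-9.3.1-2ec825/elastic-agent",
        "process.parent.command_line": "/opt/Elastic/Agent/data/elastic-agent-9.3.1-2ec825/components/previous/elastic-endpoint uninstall --keepstate --log stdout",
        "process.parent.working_directory": "/opt/Elastic/Agent/data/elastic-agent-9.3.1-2ec825/components",
    },
    {
        "process.command_line": "/bin/systemctl stop ElasticEndpoint",
        "process.entry_leader.executable": "/opt/Elastic/Agent/data/elastic-agent-9.3.2-0000000/elastic-agent",
        "process.parent.command_line": "/opt/Elastic/Agent/data/elastic-agent-9.3.2-0000000/components/previous/elastic-endpoint uninstall --keepstate --log stdout",
        "process.parent.working_directory": "/opt/Elastic/Agent/data/elastic-agent-9.3.2-0000000/components",
    },
    {
        "process.command_line": "/bin/systemctl stop ElasticEndpoint",
        "process.entry_leader.executable": "/usr/sbin/sshd",
        "process.parent.command_line": "-bash",
        "process.parent.working_directory": "/root",
    },
]

if __name__ == "__main__":
    for event in triage(SAMPLE_EVENTS):
        print("still alerting:", event["process.entry_leader.executable"])
```

Command lines are attacker-controllable strings, so in a real exception it is worth anchoring on fields the page does not list, such as process.parent.executable and the code signature of the parent, rather than on process.parent.command_line alone.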