LoFP / misconfiguration, system reboot, network issues or expected uninstall of the Elastic Defend agent.

Techniques

Sample rules

Elastic Defend Alert Followed by Telemetry Loss

Description

Detects when an Elastic Defend endpoint alert is generated on a host and is not followed by any subsequent endpoint telemetry (process, network, registry, library, or DNS events) within a short time window. This behavior may indicate endpoint security evasion, agent tampering, sensor disablement, service termination, system crash, or malicious interference with telemetry collection following detection.

Detection logic

sequence by host.id with maxspan=5m
 [any where event.dataset == "endpoint.alerts"]
 ![any where event.category in ("process", "library", "registry", "network", "dns")]
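As an added illustration (not the rule's own code, and not from Elastic), the Python below re-implements the sequence above, including its missing-event semantics, over constructed sample events; the host ids, timestamps and flat event shape are assumptions. It also shows why a planned agent uninstall matches exactly like sensor tampering does, which is the false positive this entry records.

```python
from datetime import datetime, timedelta

TELEMETRY = {"process", "library", "registry", "network", "dns"}
MAXSPAN = timedelta(minutes=5)

def _ts(s):
    return datetime.fromisoformat(s)

def alerts_without_followup(events, maxspan=MAXSPAN):
    """Return (host.id, alert timestamp) for every Elastic Defend alert that is
    not followed by any telemetry event on the same host within `maxspan`.
    Mirrors: sequence by host.id with maxspan=5m
               [any where event.dataset == "endpoint.alerts"]
               ![any where event.category in (process, library, registry, network, dns)]"""
    by_host = {}
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        by_host.setdefault(ev["host.id"], []).append(ev)
    hits = []
    for host, evs in by_host.items():
        for i, ev in enumerate(evs):
            if ev.get("event.dataset") != "endpoint.alerts":
                continue
            deadline = ev["@timestamp"] + maxspan
            followed = any(
                later["@timestamp"] <= deadline and later.get("event.category") in TELEMETRY
                for later in evs[i + 1:]
            )
            if not followed:  # the "missing event" position of the EQL sequence
                hits.append((host, ev["@timestamp"]))
    return hits

# Constructed sample events (host ids and times are made up for this example).
SAMPLE = [
    # host-a: alert, then normal process telemetry 90 s later -> no match
    {"host.id": "host-a", "@timestamp": _ts("2024-01-01T10:00:00"), "event.dataset": "endpoint.alerts"},
    {"host.id": "host-a", "@timestamp": _ts("2024-01-01T10:01:30"), "event.category": "process"},
    # host-b: alert, then nothing until 6 min later -> match (possible sensor tampering)
    {"host.id": "host-b", "@timestamp": _ts("2024-01-01T10:00:00"), "event.dataset": "endpoint.alerts"},
    {"host.id": "host-b", "@timestamp": _ts("2024-01-01T10:06:00"), "event.category": "network"},
    # host-c: alert, then the agent was uninstalled as scheduled -> identical match,
    # the benign case this LoFP entry documents
    {"host.id": "host-c", "@timestamp": _ts("2024-01-01T10:00:00"), "event.dataset": "endpoint.alerts"},
]

if __name__ == "__main__":
    for host, when in alerts_without_followup(SAMPLE):
        print(f"{host}: alert at {when:%H:%M:%S} with no telemetry in the next 5 min")
```

Triage therefore needs a second source (change tickets, reboot records, agent management status) to separate host-c from host-b, since the rule alone cannot.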