Elastic Defend Alert Followed by Telemetry Loss

Elastic Detection Rules

Summary
This detection rule identifies cases where Elastic Defend records an alert on an endpoint but no subsequent telemetry indicative of normal endpoint operation arrives within a defined timeframe. Such telemetry loss can point to endpoint security evasion, tampering with the agent, sensor deactivation, service interruption, or an unexpected system failure. The rule flags these occurrences so that security teams can investigate activity that may be suppressing telemetry reporting.

The detection logic uses sequence queries in Event Query Language (EQL) to pair each alert with the absence of key process, network, registry, or DNS events within a five-minute window following the alert. The investigation process focuses on examining the status and health of the Elastic Agent, analyzing the host for signs of tampering, and correlating with prior activity on the host to assess whether exploitation is ongoing. For incident response, validating the agent's functionality and following up on any detected irregularities is therefore essential.
Categories
  • Endpoint
Data Sources
  • Process
  • Network Traffic
  • File
  • Logon Session
ATT&CK Techniques
  • T1562
  • T1562.001
  • T1204
  • T1204.002
Created: 2026-02-10