
How to investigate "Malicious Behavior Prevention Alert: Potential Evasion with Hardware Breakpoints"

Open FideliusFalcon opened this issue 4 months ago • 0 comments

Since August 19, we’ve noticed a significant increase in alerts triggered by the "Malicious Behavior Prevention Alert: Potential Evasion with Hardware Breakpoints" rule (a10e7b14-4b7b-4a34-b3f6-64791c1114b3). However, there’s a lack of clear guidance on how to trace the source of the hardware breakpoint or determine whether it’s legitimate or malicious.

The rule doesn’t provide sufficient information on how to:

  • Identify which process or code set the hardware breakpoint.
  • Determine if this behavior is normal or indicative of process injection or other evasion techniques.

Could you provide an investigation guide or recommended steps for analyzing these alerts effectively? More context or next steps within the rule itself would also be helpful.

I hope it's okay that I created a GitHub issue directly; otherwise just tell me, and I will open an Elastic support ticket.

Thank you.

FideliusFalcon avatar Oct 08 '24 08:10 FideliusFalcon
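Added example, not part of the issue and not code or guidance from the protections-artifacts project. On x86/x64 a hardware breakpoint is nothing more than a thread's debug registers: DR0 to DR3 hold the addresses, DR7 holds the per-slot enable bits (L/G), the condition (execute, write, read/write, I/O) and the length, and on Windows they are written per thread through SetThreadContext/NtSetContextThread. One concrete triage step for the question in the post is therefore to decode DR7 and walk the threads of the alerting process to see what is currently armed and where it points (a breakpoint on the first bytes of an API such as a user-mode hook target is the pattern worth looking at). The decoder below is portable and runs anywhere; the thread walk compiles only on Windows. The DR7 value and addresses in main are constructed for the example. Caveats: this is a point-in-time snapshot, malicious code can clear the registers after use, suspending threads is intrusive, and the question of which process performed the write is answered by the context-setting call at alert time, not by this scan.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One decoded x86 hardware breakpoint slot (DRn plus its DR7 fields). */
typedef struct {
    int enabled;        /* L or G enable bit set in DR7 */
    int global;         /* G bit (survives task switch) rather than L bit */
    uint64_t address;   /* linear address from DRn */
    const char *kind;   /* "exec", "write", "io" or "rw" from R/Wn */
    int length;         /* 1, 2, 4 or 8 bytes from LENn */
} hwbp_t;

/* Decode DR7 and DR0..DR3 into four slots; returns how many are armed.
   Layout per the Intel SDM: Ln/Gn at bits 2n/2n+1, R/Wn at 16+4n, LENn at 18+4n. */
int decode_debug_registers(uint64_t dr7, const uint64_t dr[4], hwbp_t out[4])
{
    static const char *kinds[4] = { "exec", "write", "io", "rw" };
    static const int   lens[4]  = { 1, 2, 8, 4 };   /* 10b means 8 bytes on x64 */
    int armed = 0;
    for (int i = 0; i < 4; i++) {
        int local  = (int)((dr7 >> (2 * i))     & 1);
        int global = (int)((dr7 >> (2 * i + 1)) & 1);
        unsigned rw  = (unsigned)((dr7 >> (16 + 4 * i)) & 3);
        unsigned len = (unsigned)((dr7 >> (18 + 4 * i)) & 3);
        out[i].enabled = local || global;
        out[i].global  = global;
        out[i].address = dr[i];
        out[i].kind    = kinds[rw];
        out[i].length  = lens[len];
        if (out[i].enabled) armed++;
    }
    return armed;
}

/* Print the armed slots of one thread in a triage-friendly form. */
void print_armed(uint32_t tid, const hwbp_t bp[4])
{
    for (int i = 0; i < 4; i++) {
        if (!bp[i].enabled) continue;
        printf("tid %u: DR%d %s %d byte(s) at 0x%" PRIx64 " (%s enable)\n",
               tid, i, bp[i].kind, bp[i].length, bp[i].address,
               bp[i].global ? "global" : "local");
    }
}

#ifdef _WIN32
#include <windows.h>
#include <tlhelp32.h>

/* Suspend each thread of pid, read its debug registers, report armed slots.
   Returns the number of threads with an armed slot, or -1 if the snapshot
   failed. GetThreadContext is only valid on a suspended thread. */
int scan_process_threads(DWORD pid)
{
    int flagged = 0;
    HANDLE snap = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
    if (snap == INVALID_HANDLE_VALUE) return -1;
    THREADENTRY32 te;
    te.dwSize = sizeof(te);
    if (Thread32First(snap, &te)) {
        do {
            if (te.th32OwnerProcessID != pid) continue;
            HANDLE h = OpenThread(THREAD_GET_CONTEXT | THREAD_SUSPEND_RESUME,
                                  FALSE, te.th32ThreadID);
            if (!h) continue;
            if (SuspendThread(h) != (DWORD)-1) {
                CONTEXT ctx;
                memset(&ctx, 0, sizeof(ctx));
                ctx.ContextFlags = CONTEXT_DEBUG_REGISTERS;
                if (GetThreadContext(h, &ctx)) {
                    uint64_t drs[4] = { ctx.Dr0, ctx.Dr1, ctx.Dr2, ctx.Dr3 };
                    hwbp_t bp[4];
                    if (decode_debug_registers(ctx.Dr7, drs, bp) > 0) {
                        flagged++;
                        print_armed(te.th32ThreadID, bp);
                    }
                }
                ResumeThread(h);
            }
            CloseHandle(h);
        } while (Thread32Next(snap, &te));
    }
    CloseHandle(snap);
    return flagged;
}
#endif

/* Constructed sample: DR7 = 0xD00005 arms slot 0 as a 1-byte execute
   breakpoint and slot 1 as a 4-byte write breakpoint, both local enables.
   The addresses are made up for the example. */
int main(void)
{
    const uint64_t drs[4] = { 0x7ff6a0001000ULL, 0x7ff6a0203040ULL, 0, 0 };
    hwbp_t bp[4];
    int armed = decode_debug_registers(0xD00005ULL, drs, bp);
    printf("%d armed slot(s)\n", armed);
    print_armed(0, bp);
    return 0;
}
```

On a live Windows host, call scan_process_threads with the PID from the alert and compare each reported address against the loaded modules of that process (for example, does it sit on the entry of an API that user-mode sensors hook). An armed execute breakpoint with no debugger attached to the process is the case that deserves a closer look; a legitimate debugger or a runtime that uses debug registers for its own instrumentation is the usual benign explanation.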