Robuta

https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/ml/discovery_ml_linux_system_information_discovery Unusual Linux System Information Discovery Activity | Prebuilt detection rules reference Looks for commands related to system information discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to... system information discoverydetection rulesunusuallinuxactivity https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/windows/persistence_startup_folder_file_written_by_unsigned_process Startup Folder Persistence via Unsigned Process | Prebuilt detection rules reference Identifies files written or modified in the startup folder by unsigned processes. Adversaries may abuse this technique to maintain persistence in an... startup folderdetection rulespersistenceviaunsigned https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/windows/credential_access_credential_dumping_msbuild Potential Credential Access via Trusted Developer Utility | Prebuilt detection rules reference An instance of MSBuild, the Microsoft Build Engine, loaded DLLs (dynamically linked libraries) responsible for Windows credential management. This technique... credential accessdetection rulespotentialviatrusted https://www.elastic.co/docs/solutions/security/detect-and-alert/manage-detection-rules Manage detection rules | Elastic Docs View, edit, enable, duplicate, and manage detection rules from the Rules page, including deprecated prebuilt rules. detection rulesmanageelasticdocs https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/windows/persistence_service_dll_unsigned Unsigned DLL Loaded by Svchost | Prebuilt detection rules reference Identifies an unsigned library created in the last 5 minutes and subsequently loaded by a shared windows service (svchost). Adversaries may use this... detection rulesunsigneddllloadedsvchost https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/linux/privilege_escalation_uid_change_post_compilation Potential Privilege Escalation via Recently Compiled Executable | Prebuilt detection rules reference This rule monitors a sequence involving a program compilation event followed by its execution and a subsequent alteration of UID permissions to root... privilege escalationdetection rulespotentialviarecently https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/macos/credential_access_high_volume_of_pbpaste Suspicious pbpaste High Volume Activity | Prebuilt detection rules reference Identifies a high volume of pbpaste executions, which may indicate a bash loop continuously collecting clipboard contents, potentially allowing an attacker... high volumedetection rulessuspiciousactivityprebuilt https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application Attempt to Deactivate an Okta Application | Prebuilt detection rules reference Detects attempts to deactivate an Okta application. An adversary may attempt to modify, deactivate, or delete an Okta application in order to weaken an... detection rulesattemptdeactivateoktaapplication https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/macos/persistence_periodic_tasks_file_mdofiy Potential Persistence via Periodic Tasks | Prebuilt detection rules reference Identifies the creation or modification of the default configuration for periodic tasks. Adversaries may abuse periodic tasks to execute malicious code... detection rulespotentialpersistenceviaperiodic https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/windows/privilege_escalation_msi_repair_via_mshelp_link Potential Escalation via Vulnerable MSI Repair | Prebuilt detection rules reference Identifies when a browser process navigates to the Microsoft Help page followed by spawning an elevated process. This may indicate a successful exploitation... detection rulespotentialescalationviavulnerable https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/windows/defense_evasion_wsl_bash_exec Suspicious Execution via Windows Subsystem for Linux | Prebuilt detection rules reference Detects Linux Bash commands from the the Windows Subsystem for Linux. Adversaries may enable and use WSL for Linux to avoid detection. Rule type: eql... windows subsystem for linuxdetection rulessuspiciousexecutionvia https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa Attempted Bypass of Okta MFA | Prebuilt detection rules reference Detects attempts to bypass Okta multi-factor authentication (MFA). An adversary may attempt to bypass the Okta MFA policies configured for an organization... detection rulesattemptedbypassoktamfa https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/linux/credential_access_potential_linux_ssh_bruteforce_external Potential External Linux SSH Brute Force Detected | Prebuilt detection rules reference Identifies multiple external consecutive login failures targeting a user account from the same source address within a short time interval. Adversaries... brute forcedetection rulespotentialexternallinux https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/integrations/aws/impact_iam_group_deletion AWS IAM Group Deletion | Prebuilt detection rules reference Detects when an IAM group is deleted using the DeleteGroup API call. Deletion of an IAM group may represent a malicious attempt to remove audit trails,... aws iamdetection rulesgroupdeletionprebuilt https://www.elastic.co/docs/api/doc/serverless/operation/operation-importrules Import detection rules | Kibana Serverless API documentation detection rulesimportkibanaserverlessapi https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/integrations/github/persistence_github_org_owner_added New GitHub Owner Added | Prebuilt detection rules reference Detects when a new member is added to a GitHub organization as an owner. This role provides admin level privileges. Any new owner roles should be... detection rulesnewgithubowneradded https://www.c-sharpcorner.com/UploadFile/61cf58/retrieve-duplicate-detection-rules-using-crm-sdk/ Retrieve Duplicate Detection Rules Using CRM SDK In this article you will learn how to retrieve duplicate detection rules using CRM SDK. duplicate detectionretrieverulesusingcrm https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/windows/discovery_enumerating_domain_trusts_via_dsquery Enumerating Domain Trusts via DSQUERY.EXE | Prebuilt detection rules reference Identifies the use of dsquery.exe for domain trust discovery purposes. Adversaries may use this command-line utility to enumerate trust relationships... detection rulesdomaintrustsviadsquery https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/windows/privilege_escalation_samaccountname_spoofing_attack Potential Privileged Escalation via SamAccountName Spoofing | Prebuilt detection rules reference Identifies a suspicious computer account name rename event, which may indicate an attempt to exploit CVE-2021-42278 to elevate privileges from a standard... detection rulespotentialprivilegedescalationvia https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user Suspicious Activity Reported by Okta User | Prebuilt detection rules reference Detects when a user reports suspicious activity for their Okta account. These events should be investigated, as they can help security teams identify... suspicious activityreported bydetection rulesoktauser https://www.elastic.co/docs/explore-analyze/workflows/use-cases/security/manage-detection-rules/run-rules-on-demand Run detection rules on demand | Elastic Docs Build a workflow that manually re-runs a set of detection rules over a configurable time range, useful for gap-filling, post-incident review, or scheduled... detection rulesrundemandelasticdocs https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/windows/credential_access_dcsync_replication_rights Potential Credential Access via DCSync | Prebuilt detection rules reference This rule identifies when a User Account starts the Active Directory Replication Process. Attackers can use the DCSync technique to get credential... credential accessdetection rulespotentialviadcsync https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/integrations/lmd/lateral_movement_ml_high_variance_rdp_session_duration High Variance in RDP Session Duration | Prebuilt detection rules reference A machine learning job has detected unusually high variance of RDP session duration. Long RDP sessions can be used to evade detection mechanisms via session... high variancedetection rulesrdpsessionduration https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/integrations/gcp/collection_gcp_pub_sub_topic_creation GCP Pub/Sub Topic Creation | Prebuilt detection rules reference Identifies the creation of a topic in Google Cloud Platform (GCP). In GCP, the publisher-subscriber relationship (Pub/Sub) is an asynchronous messaging... pub subdetection rulesgcptopiccreation https://www.elastic.co/docs/reference/security/prebuilt-rules/rules_building_block/discovery_hosts_file_access System Hosts File Access | Prebuilt detection rules reference Identifies the use of built-in tools to read the contents of "/etc/hosts" on a local machine. Attackers may use this data to discover remote machines... hosts filedetection rulessystemaccessprebuilt https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/linux/defense_evasion_chattr_immutable_file File made Immutable by Chattr | Prebuilt detection rules reference Detects a file being made immutable using the chattr binary. Making a file immutable means it cannot be deleted or renamed, no link can be created to... detection rulesfilemadeimmutablechattr https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/integrations/aws/persistence_rds_instance_made_public AWS RDS DB Instance Made Public | Prebuilt detection rules reference Identifies the creation or modification of an Amazon RDS DB instance or cluster where the "publiclyAccessible" attribute is set to "true". Publicly... aws rdsmade publicdetection rulesdbinstance https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/windows/lateral_movement_incoming_winrm_shell_execution Incoming Execution via WinRM Remote Shell | Prebuilt detection rules reference Identifies remote execution via Windows Remote Management (WinRM) remote shell on a target host. This could be an indication of lateral movement. Rule... remote shelldetection rulesincomingexecutionvia https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/windows/collection_posh_audio_capture PowerShell Suspicious Script with Audio Capture Capabilities | Prebuilt detection rules reference Detects PowerShell script block content that invokes microphone capture routines or WinMM audio APIs. Adversaries may use audio recording to surveil users... with audiodetection rulespowershellsuspiciousscript https://www.datadoghq.com/ja/blog/sigma-rules-datadog-cloud-siem/ Integrate Sigma detection rules with Datadog Cloud SIEM | Datadog Learn how Sigma's out-of-the-box rules can help your security teams quickly and easily detect threats in your environment. detection rulesintegratesigmadatadogcloud https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/ml/credential_access_ml_auth_spike_in_logon_events Spike in Logon Events | Prebuilt detection rules reference A machine learning job found an unusually large spike in successful authentication events. This can be due to password spraying, user enumeration or brute... detection rulesspikelogoneventsprebuilt https://www.elastic.co/docs/reference/security/prebuilt-rules/rules_building_block/discovery_win_network_connections Windows System Network Connections Discovery | Prebuilt detection rules reference This rule identifies the execution of commands that can be used to enumerate network connections. Adversaries may attempt to get a listing of network... windows systemnetwork connectionsdetection rulesdiscoveryprebuilt https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack UAC Bypass via DiskCleanup Scheduled Task Hijack | Prebuilt detection rules reference Identifies User Account Control (UAC) bypass via hijacking DiskCleanup Scheduled Task. Attackers bypass UAC to stealthily execute code with elevated... uac bypassscheduled taskdetection rulesvia https://www.elastic.co/docs/reference/security/prebuilt-rules/rules_building_block/discovery_net_share_discovery_winlog Potential Network Share Discovery | Prebuilt detection rules reference Adversaries may look for folders and drives shared on remote systems to identify sources of information to gather as a precursor for collection and identify... network share discoverydetection rulespotentialprebuiltreference https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/promotions/endgame_malware_prevented Malware - Prevented - Elastic Endgame | Prebuilt detection rules reference Elastic Endgame prevented Malware. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional... detection rulesmalwarepreventedelasticendgame https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/windows/initial_access_execution_via_office_addins Suspicious Execution via Microsoft Office Add-Ins | Prebuilt detection rules reference Identifies execution of common Microsoft Office applications to launch an Office Add-In from a suspicious path or with an unusual parent process. This... microsoft officeadd insdetection rulessuspiciousexecution https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/linux/persistence_suspicious_file_opened_through_editor Potential Suspicious File Edit | Prebuilt detection rules reference This rule monitors for the potential edit of a suspicious file. In Linux, when editing a file through an editor, a temporary .swp file is created. By... detection rulespotentialsuspiciousfileedit https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/windows/defense_evasion_sc_sdset Service DACL Modification via sc.exe | Prebuilt detection rules reference Identifies DACL modifications to deny access to a service, making it unstoppable, or hide it from system and users. Rule type: eql Rule indices:... sc exedetection rulesservicedaclmodification https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/macos/persistence_screensaver_plist_file_modification Screensaver Plist File Modified by Unexpected Process | Prebuilt detection rules reference Identifies when a screensaver plist file is modified by an unexpected process. An adversary can maintain persistence on a macOS endpoint by creating a... detection rulesscreensaverplistfilemodified https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/ml/persistence_ml_windows_anomalous_process_all_hosts Anomalous Process For a Windows Population | Prebuilt detection rules reference Searches for rare processes running on multiple hosts in an entire fleet or network. This reduces the detection of false positives since automated... for adetection rulesanomalousprocesswindows https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/integrations/aws/defense_evasion_ec2_flow_log_deletion AWS VPC Flow Logs Deletion | Prebuilt detection rules reference Identifies the deletion of one or more flow logs in AWS Elastic Compute Cloud (EC2). An adversary may delete flow logs in an attempt to evade defenses... aws vpcdetection rulesflowlogsdeletion https://www.elastic.co/docs/reference/security/prebuilt-rules/audit_policies/windows/audit_handle_manipulation Audit Handle Manipulation | Prebuilt detection rules reference Some detection rules require monitoring handle manipulation to detect unauthorized access attempts or suspicious interactions with system objects. Enabling... detection rulesaudithandlemanipulationprebuilt https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/integrations/google_workspace/persistence_google_workspace_role_modified Google Workspace Role Modified | Prebuilt detection rules reference Detects when a custom admin role or its permissions are modified. An adversary may modify a custom admin role in order to elevate the permissions of other... google workspacedetection rulesrolemodifiedprebuilt https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts Agent Spoofing - Multiple Hosts Using Same Agent | Prebuilt detection rules reference Detects when multiple hosts are using the same agent ID. This could occur in the event of an agent being taken over and used to inject illegitimate documents... detection rulesagentspoofingmultiplehosts https://www.techtarget.com/searchsecurity/feature/Elastic-Stack-Security-tutorial-How-to-create-detection-rules Elastic Stack Security tutorial: How to create detection rules | TechTarget Follow this Elastic Stack tutorial to learn how to create rules in the Security app detection engine that track suspicious network activity. how to createelastic stackdetection rulessecuritytutorial https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/windows/execution_via_mmc_console_file_unusual_path Microsoft Management Console File from Unusual Path | Prebuilt detection rules reference Identifies attempts to open a Microsoft Management Console File from untrusted paths. Adversaries may use MSC files for initial access and execution. microsoft management consoledetection rulesfile https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_session_duration High Mean of RDP Session Duration | Prebuilt detection rules reference A machine learning job has detected unusually high mean of RDP session duration. Long RDP sessions can be used to evade detection mechanisms via session... detection ruleshighmeanrdpsession https://www.elastic.co/blog/security-prebuilt-rules-editing Elastic Security simplifies customization of prebuilt SIEM detection rules | Elastic Blog Learn about the prebuilt rule editing capabilities that allow you to get even more value from out-of-the-box SIEM detection rules.... elastic securitydetection rulescustomizationprebuiltsiem https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/windows/credential_access_suspicious_lsass_access_memdump Potential Credential Access via LSASS Memory Dump | Prebuilt detection rules reference Identifies suspicious access to LSASS handle from a call trace pointing to DBGHelp.dll or DBGCore.dll, which both export the MiniDumpWriteDump method... credential accesslsass memorydetection rulespotentialvia https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/windows/defense_evasion_posh_obfuscation_string_format Potential PowerShell Obfuscation via String Reordering | Prebuilt detection rules reference detection rulespotentialpowershellobfuscationvia https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/windows/persistence_local_scheduled_job_creation Persistence via Scheduled Job Creation | Prebuilt detection rules reference A job can be used to schedule programs or scripts to be executed at a specified date and time. Adversaries may abuse task scheduling functionality to... job creationdetection rulespersistenceviascheduled https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/linux/credential_access_ssh_backdoor_log Potential OpenSSH Backdoor Logging Activity | Prebuilt detection rules reference Identifies a Secure Shell (SSH) client or server process creating a known SSH backdoor log file. Adversaries may modify SSH related binaries for persistence... detection rulespotentialopensshbackdoorlogging https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/windows/persistence_remote_password_reset Account Password Reset Remotely | Prebuilt detection rules reference Identifies an attempt to reset a potentially privileged account password remotely. Adversaries may manipulate account passwords to maintain access or... account password resetdetection rulesremotelyprebuiltreference https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/windows/execution_command_prompt_connecting_to_the_internet Suspicious Command Prompt Network Connection | Prebuilt detection rules reference Identifies a network connection by the command prompt (cmd.exe) when it is executed with specific arguments, such as a script or a URL, or when it is... command promptnetwork connectiondetection rulessuspiciousprebuilt https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/windows/defense_evasion_indirect_exec_forfiles Command Execution via ForFiles | Prebuilt detection rules reference Detects attempts to execute a command via the forfiles Windows utility. Adversaries may use this utility to proxy execution via a trusted parent process... detection rulescommandexecutionviaforfiles https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/linux/persistence_suspicious_ssh_execution_xzbackdoor Potential Execution via SSH Backdoor | Prebuilt detection rules reference It identifies potential malicious shell executions through remote SSH and detects cases where the sshd service suddenly terminates soon after successful... ssh backdoordetection rulespotentialexecutionvia https://www.elastic.co/docs/api/doc/kibana/v9/operation/operation-importrules Import detection rules | Kibana API documentation (v9) detection rulesapi documentationimportkibanav9 https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet Network Connection via Signed Binary | Prebuilt detection rules reference Binaries signed with trusted digital certificates can execute on Windows systems protected by digital signature validation. Adversaries may use these... network connectiondetection rulesviasignedbinary https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/windows/persistence_system_shells_via_services System Shells via Services | Prebuilt detection rules reference Windows services typically run as SYSTEM and can be used as a privilege escalation opportunity. Malware or penetration testers may run a shell as a service... detection rulessystemshellsviaservices https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/windows/defense_evasion_suspicious_process_access_direct_syscall Suspicious Process Access via Direct System Call | Prebuilt detection rules reference Identifies suspicious process access events from an unknown memory region. Endpoint security solutions usually hook userland Windows APIs in order to... direct systemdetection rulessuspiciousprocessaccess https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/windows/credential_access_bruteforce_admin_account Privileged Accounts Brute Force | Prebuilt detection rules reference Identifies multiple consecutive logon failures targeting more than one Admin account from the same source address and within a short time interval.... brute forcedetection rulesprivilegedaccountsprebuilt https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/ml/credential_access_ml_linux_anomalous_metadata_user Unusual Linux User Calling the Metadata Service | Prebuilt detection rules reference Looks for anomalous access to the cloud platform metadata service by an unusual user. The metadata service may be targeted in order to harvest credentials... detection rulesunusuallinuxusercalling https://www.elastic.co/docs/reference/security/prebuilt-rules/audit_policies/windows/sysmon_eventid23_file_delete Sysmon Event ID 23: File Delete | Prebuilt detection rules reference Caution: Collecting Sysmon events without a tailored configuration for your environment will cause high data volume. These setup instructions would need... event iddetection rulessysmon23file https://www.elastic.co/docs/api/doc/kibana/operation/operation-performrulesbulkaction Apply a bulk action to detection rules | Kibana API documentation detection rulesapplybulkactionkibana https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/threat_intel/threat_intel_indicator_match_url Threat Intel URL Indicator Match | Prebuilt detection rules reference This rule is triggered when a URL indicator from the Threat Intel Filebeat module or integrations has a match against an event that contains URL data,... threat inteldetection rulesurlindicatormatch https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/ml/command_and_control_ml_packetbeat_rare_dns_question Unusual DNS Activity | Prebuilt detection rules reference A machine learning job detected a rare and unusual DNS query that indicate network activity with unusual DNS domains. This can be due to initial access,... detection rulesunusualdnsactivityprebuilt https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/windows/persistence_scheduled_task_creation_winlog A scheduled task was created | Prebuilt detection rules reference Indicates the creation of a scheduled task using Windows event logs. Adversaries can use these to establish persistence, move laterally, and/or escalate... scheduled taskdetection rulescreatedprebuiltreference https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/windows/lateral_movement_executable_tool_transfer_smb Potential Lateral Tool Transfer via SMB Share | Prebuilt detection rules reference Identifies the creation or change of a Windows executable file over network shares. Adversaries may transfer tools or other files between systems in a... lateral tool transferdetection rulespotentialvia https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_network_deleted GCP Virtual Private Cloud Network Deletion | Prebuilt detection rules reference Identifies when a Virtual Private Cloud (VPC) network is deleted in Google Cloud Platform (GCP). A VPC network is a virtual version of a physical network... virtual private clouddetection rulesgcpnetworkdeletion https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/windows/defense_evasion_masquerading_renamed_autoit Renamed Automation Script Interpreter | Prebuilt detection rules reference Identifies renamed Automation Script Interpreter process. Malware written as an AutoIt/AutoHotKey script tends to rename the main executable to avoid... detection rulesrenamedautomationscriptinterpreter https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/windows/defense_evasion_untrusted_driver_loaded Untrusted Driver Loaded | Prebuilt detection rules reference Identifies attempt to load an untrusted driver. Adversaries may modify code signing policies to enable execution of unsigned or self-signed code. Rule... detection rulesdriverloadedprebuiltreference https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline NTDS or SAM Database File Copied | Prebuilt detection rules reference Identifies a copy operation of the Active Directory Domain Database (ntds.dit) or Security Account Manager (SAM) files. Those files contain sensitive... database filedetection rulesntdssamcopied https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/integrations/aws/impact_aws_eventbridge_rule_disabled_or_deleted AWS EventBridge Rule Disabled or Deleted | Prebuilt detection rules reference Identifies when an Amazon EventBridge rule is disabled or deleted. EventBridge rules are commonly used to automate operational workflows and... detection rulesawseventbridgedisableddeleted https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/windows/impact_high_freq_file_renames_by_kernel Potential Ransomware Behavior - Note Files by System | Prebuilt detection rules reference This rule identifies the creation of multiple files with same name and over SMB by the same user. This behavior may indicate the successful remote execution... by systemdetection rulespotentialransomwarebehavior https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/linux/discovery_suspicious_network_tool_launched_inside_container Suspicious Network Tool Launched Inside A Container | Prebuilt detection rules reference This rule detects commonly abused network utilities running inside a container. Network utilities like nc, nmap, dig, tcpdump, ngrep, telnet, mitmproxy,... network tooldetection rulessuspiciouslaunchedinside https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/integrations/aws/impact_cloudwatch_log_group_deletion AWS CloudWatch Log Group Deletion | Prebuilt detection rules reference Detects the deletion of an Amazon CloudWatch Log Group using the "DeleteLogGroup" API. CloudWatch log groups store operational and security logs for AWS... aws cloudwatchdetection rulesloggroupdeletion https://www.elastic.co/guide/en/security/8.19/about-rules.html About detection rules | Elastic Security [8.19] | Elastic detection ruleselastic security819 https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/integrations/aws/impact_s3_static_site_js_file_uploaded AWS S3 Static Site JavaScript File Uploaded | Prebuilt detection rules reference This rule detects when a JavaScript file is uploaded in an S3 static site directory (static/js/) by an IAM user or assumed role. This can indicate suspicious... aws s3static sitedetection rulesjavascript https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/linux/persistence_at_job_creation At Job Created or Modified | Prebuilt detection rules reference This rule monitors for at jobs being created or renamed. Linux at jobs are scheduled tasks that can be leveraged by system administrators to set up scheduled... detection rulesjobcreatedmodifiedprebuilt https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/linux/execution_process_started_in_shared_memory_directory Binary Executed from Shared Memory Directory | Prebuilt detection rules reference Identifies the execution of a binary by root in Linux shared memory directories: (/dev/shm/, /run/shm/, /var/run/, /var/lock/). This activity is to be... shared memorydetection rulesbinaryexecuteddirectory https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/linux/persistence_boot_file_copy Boot File Copy | Prebuilt detection rules reference This rule detects the process of copying or moving files from or to the "/boot" directory on Linux systems. The "/boot" directory contains files that... file copydetection rulesbootprebuiltreference https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/linux/privilege_escalation_ld_preload_shared_object_modif Modification of Dynamic Linker Preload Shared Object | Prebuilt detection rules reference Identifies modification of the dynamic linker preload shared object (ld.so.preload). Adversaries may execute malicious payloads by hijacking the dynamic... dynamic linkershared objectdetection rulesmodificationpreload https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/windows/execution_downloaded_url_file Downloaded URL Files | Prebuilt detection rules reference Identifies .url shortcut files downloaded from outside the local network. These shortcut files are commonly used in phishing campaigns. Rule type: eql... detection rulesdownloadedurlfilesprebuilt https://www.elastic.co/docs/api/doc/kibana/v8/operation/operation-bulkpatchrules Patch multiple detection rules | Kibana API documentation (v8) detection rulesapi documentationpatchmultiplekibana https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/linux/discovery_security_file_access_via_common_utility Security File Access via Common Utilities | Prebuilt detection rules reference This rule detects sensitive security file access via common utilities on Linux systems. Adversaries may attempt to read from sensitive files using common... file accessdetection rulessecurityviacommon https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/windows/defense_evasion_ntlm_downgrade Potential NetNTLMv1 Downgrade Attack | Prebuilt detection rules reference Identifies registry modification to force the system to fall back to NTLMv1 for authentication. This modification is possible with local administrator... downgrade attackdetection rulespotentialprebuiltreference https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/windows/initial_access_scripts_process_started_via_wmi Windows Script Interpreter Executing Process via WMI | Prebuilt detection rules reference Identifies use of the built-in Windows script interpreters (cscript.exe or wscript.exe) being used to execute a process via Windows Management... windows scriptdetection rulesinterpreterexecutingprocess https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation Creation of Hidden Launch Agent or Daemon | Prebuilt detection rules reference Identifies the creation of a hidden launch agent or daemon. An adversary may establish persistence by installing a new launch agent or daemon which executes... launch agentdetection rulescreationhidden https://www.elastic.co/docs/reference/security/prebuilt-rules/audit_policies/windows/audit_policy_change Audit Policy Change | Prebuilt detection rules reference Some detection rules require tracking changes to audit policies to detect unauthorized modifications or misconfigurations. Enabling this setting ensures... audit policydetection ruleschangeprebuiltreference https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/windows/command_and_control_iexplore_via_com Potential Command and Control via Internet Explorer | Prebuilt detection rules reference Identifies instances of Internet Explorer (iexplore.exe) being started via the Component Object Model (COM) making unusual network connections. Adversaries... command and controlvia internetdetection rulespotential https://www.elastic.co/docs/explore-analyze/workflows/use-cases/security/manage-detection-rules Manage detection rules at scale | Elastic Docs Use workflows to audit rule health, surface rule errors, and automate rule operations across large detection rule sets in Elastic Security. detection rulesat scalemanageelasticdocs https://www.elastic.co/docs/reference/security/prebuilt-rules/rules_building_block/impact_azure_recovery_services_deletion Azure Recovery Services Resource Deleted | Prebuilt detection rules reference Identifies the deletion of Azure Recovery Services resources. Azure Recovery Services vaults contain data for copies of VMs, workloads, servers, and other... recovery servicesdetection rulesazureresourcedeleted https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/ml/persistence_ml_linux_anomalous_process_all_hosts Anomalous Process For a Linux Population | Prebuilt detection rules reference Searches for rare processes running on multiple Linux hosts in an entire fleet or network. This reduces the detection of false positives since automated... for adetection rulesanomalousprocesslinux https://www.datadoghq.com/ja/blog/writing-datadog-security-detection-rules/ Best practices for creating custom detection rules with Datadog Cloud SIEM | Datadog Learn how to create detection rules that enable you to efficiently identify and respond to security threats in your environment. best practicesdetection rulescreatingcustom https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/linux/privilege_escalation_suspicious_uid_guid_elevation Privilege Escalation via CAP_SETUID/SETGID Capabilities | Prebuilt detection rules reference Identifies instances where a process (granted CAP_SETUID and/or CAP_SETGID capabilities) is executed, after which the user's access is elevated to UID/GID... privilege escalationvia capdetection rulessetuid https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/network/command_and_control_cobalt_strike_default_teamserver_cert Default Cobalt Strike Team Server Certificate | Prebuilt detection rules reference This rule detects the use of the default Cobalt Strike Team Server TLS certificate. Cobalt Strike is software for Adversary Simulations and Red Team... cobalt striketeam serverdetection rulesdefaultcertificate https://github.com/P4T12ICK/Sigma2SplunkAlert GitHub - P4T12ICK/Sigma2SplunkAlert: Converts Sigma detection rules to a Splunk alert... Converts Sigma detection rules to a Splunk alert configuration. - P4T12ICK/Sigma2SplunkAlert detection rulesgithubconvertssigma https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/promotions/execution_endgame_exploit_prevented Exploit - Prevented - Elastic Endgame | Prebuilt detection rules reference Elastic Endgame prevented an Exploit. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional... detection rulesexploitpreventedelasticendgame https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created Google Workspace Custom Admin Role Created | Prebuilt detection rules reference Detects when a custom admin role is created in Google Workspace. An adversary may create a custom admin role in order to elevate the permissions of other... google workspaceadmin roledetection rulescustomcreated https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/linux/privilege_escalation_gdb_sys_ptrace_elevation Privilege Escalation via GDB CAP_SYS_PTRACE | Prebuilt detection rules reference Identifies instances where GDB (granted the CAP_SYS_PTRACE capability) is executed, after which the user's access is elevated to UID/GID 0 (root). In... privilege escalationdetection rulesviagdbcap