https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/ml/discovery_ml_linux_system_information_discovery
Unusual Linux System Information Discovery Activity | Prebuilt detection rules reference
Looks for commands related to system information discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to...
system information discoverydetection rulesunusuallinuxactivity
https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/windows/persistence_startup_folder_file_written_by_unsigned_process
Startup Folder Persistence via Unsigned Process | Prebuilt detection rules reference
Identifies files written or modified in the startup folder by unsigned processes. Adversaries may abuse this technique to maintain persistence in an...
startup folderdetection rulespersistenceviaunsigned
https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/windows/credential_access_credential_dumping_msbuild
Potential Credential Access via Trusted Developer Utility | Prebuilt detection rules reference
An instance of MSBuild, the Microsoft Build Engine, loaded DLLs (dynamically linked libraries) responsible for Windows credential management. This technique...
credential accessdetection rulespotentialviatrusted
https://www.elastic.co/docs/solutions/security/detect-and-alert/manage-detection-rules
Manage detection rules | Elastic Docs
View, edit, enable, duplicate, and manage detection rules from the Rules page, including deprecated prebuilt rules.
detection rulesmanageelasticdocs
https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/windows/persistence_service_dll_unsigned
Unsigned DLL Loaded by Svchost | Prebuilt detection rules reference
Identifies an unsigned library created in the last 5 minutes and subsequently loaded by a shared windows service (svchost). Adversaries may use this...
detection rulesunsigneddllloadedsvchost
https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/linux/privilege_escalation_uid_change_post_compilation
Potential Privilege Escalation via Recently Compiled Executable | Prebuilt detection rules reference
This rule monitors a sequence involving a program compilation event followed by its execution and a subsequent alteration of UID permissions to root...
privilege escalationdetection rulespotentialviarecently
https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/macos/credential_access_high_volume_of_pbpaste
Suspicious pbpaste High Volume Activity | Prebuilt detection rules reference
Identifies a high volume of pbpaste executions, which may indicate a bash loop continuously collecting clipboard contents, potentially allowing an attacker...
high volumedetection rulessuspiciousactivityprebuilt
https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application
Attempt to Deactivate an Okta Application | Prebuilt detection rules reference
Detects attempts to deactivate an Okta application. An adversary may attempt to modify, deactivate, or delete an Okta application in order to weaken an...
detection rulesattemptdeactivateoktaapplication
https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/macos/persistence_periodic_tasks_file_mdofiy
Potential Persistence via Periodic Tasks | Prebuilt detection rules reference
Identifies the creation or modification of the default configuration for periodic tasks. Adversaries may abuse periodic tasks to execute malicious code...
detection rulespotentialpersistenceviaperiodic
https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/windows/privilege_escalation_msi_repair_via_mshelp_link
Potential Escalation via Vulnerable MSI Repair | Prebuilt detection rules reference
Identifies when a browser process navigates to the Microsoft Help page followed by spawning an elevated process. This may indicate a successful exploitation...
detection rulespotentialescalationviavulnerable
https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/windows/defense_evasion_wsl_bash_exec
Suspicious Execution via Windows Subsystem for Linux | Prebuilt detection rules reference
Detects Linux Bash commands from the the Windows Subsystem for Linux. Adversaries may enable and use WSL for Linux to avoid detection. Rule type: eql...
windows subsystem for linuxdetection rulessuspiciousexecutionvia
https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa
Attempted Bypass of Okta MFA | Prebuilt detection rules reference
Detects attempts to bypass Okta multi-factor authentication (MFA). An adversary may attempt to bypass the Okta MFA policies configured for an organization...
detection rulesattemptedbypassoktamfa
https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/linux/credential_access_potential_linux_ssh_bruteforce_external
Potential External Linux SSH Brute Force Detected | Prebuilt detection rules reference
Identifies multiple external consecutive login failures targeting a user account from the same source address within a short time interval. Adversaries...
brute forcedetection rulespotentialexternallinux
https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/integrations/aws/impact_iam_group_deletion
AWS IAM Group Deletion | Prebuilt detection rules reference
Detects when an IAM group is deleted using the DeleteGroup API call. Deletion of an IAM group may represent a malicious attempt to remove audit trails,...
aws iamdetection rulesgroupdeletionprebuilt
https://www.elastic.co/docs/api/doc/serverless/operation/operation-importrules
Import detection rules | Kibana Serverless API documentation
detection rulesimportkibanaserverlessapi
https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/integrations/github/persistence_github_org_owner_added
New GitHub Owner Added | Prebuilt detection rules reference
Detects when a new member is added to a GitHub organization as an owner. This role provides admin level privileges. Any new owner roles should be...
detection rulesnewgithubowneradded
https://www.c-sharpcorner.com/UploadFile/61cf58/retrieve-duplicate-detection-rules-using-crm-sdk/
Retrieve Duplicate Detection Rules Using CRM SDK
In this article you will learn how to retrieve duplicate detection rules using CRM SDK.
duplicate detectionretrieverulesusingcrm
https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/windows/discovery_enumerating_domain_trusts_via_dsquery
Enumerating Domain Trusts via DSQUERY.EXE | Prebuilt detection rules reference
Identifies the use of dsquery.exe for domain trust discovery purposes. Adversaries may use this command-line utility to enumerate trust relationships...
detection rulesdomaintrustsviadsquery
https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/windows/privilege_escalation_samaccountname_spoofing_attack
Potential Privileged Escalation via SamAccountName Spoofing | Prebuilt detection rules reference
Identifies a suspicious computer account name rename event, which may indicate an attempt to exploit CVE-2021-42278 to elevate privileges from a standard...
detection rulespotentialprivilegedescalationvia
https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user
Suspicious Activity Reported by Okta User | Prebuilt detection rules reference
Detects when a user reports suspicious activity for their Okta account. These events should be investigated, as they can help security teams identify...
suspicious activityreported bydetection rulesoktauser
https://www.elastic.co/docs/explore-analyze/workflows/use-cases/security/manage-detection-rules/run-rules-on-demand
Run detection rules on demand | Elastic Docs
Build a workflow that manually re-runs a set of detection rules over a configurable time range, useful for gap-filling, post-incident review, or scheduled...
detection rulesrundemandelasticdocs
https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/windows/credential_access_dcsync_replication_rights
Potential Credential Access via DCSync | Prebuilt detection rules reference
This rule identifies when a User Account starts the Active Directory Replication Process. Attackers can use the DCSync technique to get credential...
credential accessdetection rulespotentialviadcsync
https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/integrations/lmd/lateral_movement_ml_high_variance_rdp_session_duration
High Variance in RDP Session Duration | Prebuilt detection rules reference
A machine learning job has detected unusually high variance of RDP session duration. Long RDP sessions can be used to evade detection mechanisms via session...
high variancedetection rulesrdpsessionduration
https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/integrations/gcp/collection_gcp_pub_sub_topic_creation
GCP Pub/Sub Topic Creation | Prebuilt detection rules reference
Identifies the creation of a topic in Google Cloud Platform (GCP). In GCP, the publisher-subscriber relationship (Pub/Sub) is an asynchronous messaging...
pub subdetection rulesgcptopiccreation
https://www.elastic.co/docs/reference/security/prebuilt-rules/rules_building_block/discovery_hosts_file_access
System Hosts File Access | Prebuilt detection rules reference
Identifies the use of built-in tools to read the contents of "/etc/hosts" on a local machine. Attackers may use this data to discover remote machines...
hosts filedetection rulessystemaccessprebuilt
https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/linux/defense_evasion_chattr_immutable_file
File made Immutable by Chattr | Prebuilt detection rules reference
Detects a file being made immutable using the chattr binary. Making a file immutable means it cannot be deleted or renamed, no link can be created to...
detection rulesfilemadeimmutablechattr
https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/integrations/aws/persistence_rds_instance_made_public
AWS RDS DB Instance Made Public | Prebuilt detection rules reference
Identifies the creation or modification of an Amazon RDS DB instance or cluster where the "publiclyAccessible" attribute is set to "true". Publicly...
aws rdsmade publicdetection rulesdbinstance
https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/windows/lateral_movement_incoming_winrm_shell_execution
Incoming Execution via WinRM Remote Shell | Prebuilt detection rules reference
Identifies remote execution via Windows Remote Management (WinRM) remote shell on a target host. This could be an indication of lateral movement. Rule...
remote shelldetection rulesincomingexecutionvia
https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/windows/collection_posh_audio_capture
PowerShell Suspicious Script with Audio Capture Capabilities | Prebuilt detection rules reference
Detects PowerShell script block content that invokes microphone capture routines or WinMM audio APIs. Adversaries may use audio recording to surveil users...
with audiodetection rulespowershellsuspiciousscript
https://www.datadoghq.com/ja/blog/sigma-rules-datadog-cloud-siem/
Integrate Sigma detection rules with Datadog Cloud SIEM | Datadog
Learn how Sigma's out-of-the-box rules can help your security teams quickly and easily detect threats in your environment.
detection rulesintegratesigmadatadogcloud
https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/ml/credential_access_ml_auth_spike_in_logon_events
Spike in Logon Events | Prebuilt detection rules reference
A machine learning job found an unusually large spike in successful authentication events. This can be due to password spraying, user enumeration or brute...
detection rulesspikelogoneventsprebuilt
https://www.elastic.co/docs/reference/security/prebuilt-rules/rules_building_block/discovery_win_network_connections
Windows System Network Connections Discovery | Prebuilt detection rules reference
This rule identifies the execution of commands that can be used to enumerate network connections. Adversaries may attempt to get a listing of network...
windows systemnetwork connectionsdetection rulesdiscoveryprebuilt
https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack
UAC Bypass via DiskCleanup Scheduled Task Hijack | Prebuilt detection rules reference
Identifies User Account Control (UAC) bypass via hijacking DiskCleanup Scheduled Task. Attackers bypass UAC to stealthily execute code with elevated...
uac bypassscheduled taskdetection rulesvia
https://www.elastic.co/docs/reference/security/prebuilt-rules/rules_building_block/discovery_net_share_discovery_winlog
Potential Network Share Discovery | Prebuilt detection rules reference
Adversaries may look for folders and drives shared on remote systems to identify sources of information to gather as a precursor for collection and identify...
network share discoverydetection rulespotentialprebuiltreference
https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/promotions/endgame_malware_prevented
Malware - Prevented - Elastic Endgame | Prebuilt detection rules reference
Elastic Endgame prevented Malware. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional...
detection rulesmalwarepreventedelasticendgame
https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/windows/initial_access_execution_via_office_addins
Suspicious Execution via Microsoft Office Add-Ins | Prebuilt detection rules reference
Identifies execution of common Microsoft Office applications to launch an Office Add-In from a suspicious path or with an unusual parent process. This...
microsoft officeadd insdetection rulessuspiciousexecution
https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/linux/persistence_suspicious_file_opened_through_editor
Potential Suspicious File Edit | Prebuilt detection rules reference
This rule monitors for the potential edit of a suspicious file. In Linux, when editing a file through an editor, a temporary .swp file is created. By...
detection rulespotentialsuspiciousfileedit
https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/windows/defense_evasion_sc_sdset
Service DACL Modification via sc.exe | Prebuilt detection rules reference
Identifies DACL modifications to deny access to a service, making it unstoppable, or hide it from system and users. Rule type: eql Rule indices:...
sc exedetection rulesservicedaclmodification
https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/macos/persistence_screensaver_plist_file_modification
Screensaver Plist File Modified by Unexpected Process | Prebuilt detection rules reference
Identifies when a screensaver plist file is modified by an unexpected process. An adversary can maintain persistence on a macOS endpoint by creating a...
detection rulesscreensaverplistfilemodified
https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/ml/persistence_ml_windows_anomalous_process_all_hosts
Anomalous Process For a Windows Population | Prebuilt detection rules reference
Searches for rare processes running on multiple hosts in an entire fleet or network. This reduces the detection of false positives since automated...
for adetection rulesanomalousprocesswindows
https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/integrations/aws/defense_evasion_ec2_flow_log_deletion
AWS VPC Flow Logs Deletion | Prebuilt detection rules reference
Identifies the deletion of one or more flow logs in AWS Elastic Compute Cloud (EC2). An adversary may delete flow logs in an attempt to evade defenses...
aws vpcdetection rulesflowlogsdeletion
https://www.elastic.co/docs/reference/security/prebuilt-rules/audit_policies/windows/audit_handle_manipulation
Audit Handle Manipulation | Prebuilt detection rules reference
Some detection rules require monitoring handle manipulation to detect unauthorized access attempts or suspicious interactions with system objects. Enabling...
detection rulesaudithandlemanipulationprebuilt
https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/integrations/google_workspace/persistence_google_workspace_role_modified
Google Workspace Role Modified | Prebuilt detection rules reference
Detects when a custom admin role or its permissions are modified. An adversary may modify a custom admin role in order to elevate the permissions of other...
google workspacedetection rulesrolemodifiedprebuilt
https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts
Agent Spoofing - Multiple Hosts Using Same Agent | Prebuilt detection rules reference
Detects when multiple hosts are using the same agent ID. This could occur in the event of an agent being taken over and used to inject illegitimate documents...
detection rulesagentspoofingmultiplehosts
https://www.techtarget.com/searchsecurity/feature/Elastic-Stack-Security-tutorial-How-to-create-detection-rules
Elastic Stack Security tutorial: How to create detection rules | TechTarget
Follow this Elastic Stack tutorial to learn how to create rules in the Security app detection engine that track suspicious network activity.
how to createelastic stackdetection rulessecuritytutorial
https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/windows/execution_via_mmc_console_file_unusual_path
Microsoft Management Console File from Unusual Path | Prebuilt detection rules reference
Identifies attempts to open a Microsoft Management Console File from untrusted paths. Adversaries may use MSC files for initial access and execution.
microsoft management consoledetection rulesfile
https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_session_duration
High Mean of RDP Session Duration | Prebuilt detection rules reference
A machine learning job has detected unusually high mean of RDP session duration. Long RDP sessions can be used to evade detection mechanisms via session...
detection ruleshighmeanrdpsession
https://www.elastic.co/blog/security-prebuilt-rules-editing
Elastic Security simplifies customization of prebuilt SIEM detection rules | Elastic Blog
Learn about the prebuilt rule editing capabilities that allow you to get even more value from out-of-the-box SIEM detection rules....
elastic securitydetection rulescustomizationprebuiltsiem
https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/windows/credential_access_suspicious_lsass_access_memdump
Potential Credential Access via LSASS Memory Dump | Prebuilt detection rules reference
Identifies suspicious access to LSASS handle from a call trace pointing to DBGHelp.dll or DBGCore.dll, which both export the MiniDumpWriteDump method...
credential accesslsass memorydetection rulespotentialvia
https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/windows/defense_evasion_posh_obfuscation_string_format
Potential PowerShell Obfuscation via String Reordering | Prebuilt detection rules reference
detection rulespotentialpowershellobfuscationvia
https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/windows/persistence_local_scheduled_job_creation
Persistence via Scheduled Job Creation | Prebuilt detection rules reference
A job can be used to schedule programs or scripts to be executed at a specified date and time. Adversaries may abuse task scheduling functionality to...
job creationdetection rulespersistenceviascheduled
https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/linux/credential_access_ssh_backdoor_log
Potential OpenSSH Backdoor Logging Activity | Prebuilt detection rules reference
Identifies a Secure Shell (SSH) client or server process creating a known SSH backdoor log file. Adversaries may modify SSH related binaries for persistence...
detection rulespotentialopensshbackdoorlogging
https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/windows/persistence_remote_password_reset
Account Password Reset Remotely | Prebuilt detection rules reference
Identifies an attempt to reset a potentially privileged account password remotely. Adversaries may manipulate account passwords to maintain access or...
account password resetdetection rulesremotelyprebuiltreference
https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/windows/execution_command_prompt_connecting_to_the_internet
Suspicious Command Prompt Network Connection | Prebuilt detection rules reference
Identifies a network connection by the command prompt (cmd.exe) when it is executed with specific arguments, such as a script or a URL, or when it is...
command promptnetwork connectiondetection rulessuspiciousprebuilt
https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/windows/defense_evasion_indirect_exec_forfiles
Command Execution via ForFiles | Prebuilt detection rules reference
Detects attempts to execute a command via the forfiles Windows utility. Adversaries may use this utility to proxy execution via a trusted parent process...
detection rulescommandexecutionviaforfiles
https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/linux/persistence_suspicious_ssh_execution_xzbackdoor
Potential Execution via SSH Backdoor | Prebuilt detection rules reference
It identifies potential malicious shell executions through remote SSH and detects cases where the sshd service suddenly terminates soon after successful...
ssh backdoordetection rulespotentialexecutionvia
https://www.elastic.co/docs/api/doc/kibana/v9/operation/operation-importrules
Import detection rules | Kibana API documentation (v9)
detection rulesapi documentationimportkibanav9
https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet
Network Connection via Signed Binary | Prebuilt detection rules reference
Binaries signed with trusted digital certificates can execute on Windows systems protected by digital signature validation. Adversaries may use these...
network connectiondetection rulesviasignedbinary
https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/windows/persistence_system_shells_via_services
System Shells via Services | Prebuilt detection rules reference
Windows services typically run as SYSTEM and can be used as a privilege escalation opportunity. Malware or penetration testers may run a shell as a service...
detection rulessystemshellsviaservices
https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/windows/defense_evasion_suspicious_process_access_direct_syscall
Suspicious Process Access via Direct System Call | Prebuilt detection rules reference
Identifies suspicious process access events from an unknown memory region. Endpoint security solutions usually hook userland Windows APIs in order to...
direct systemdetection rulessuspiciousprocessaccess
https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/windows/credential_access_bruteforce_admin_account
Privileged Accounts Brute Force | Prebuilt detection rules reference
Identifies multiple consecutive logon failures targeting more than one Admin account from the same source address and within a short time interval....
brute forcedetection rulesprivilegedaccountsprebuilt
https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/ml/credential_access_ml_linux_anomalous_metadata_user
Unusual Linux User Calling the Metadata Service | Prebuilt detection rules reference
Looks for anomalous access to the cloud platform metadata service by an unusual user. The metadata service may be targeted in order to harvest credentials...
detection rulesunusuallinuxusercalling
https://www.elastic.co/docs/reference/security/prebuilt-rules/audit_policies/windows/sysmon_eventid23_file_delete
Sysmon Event ID 23: File Delete | Prebuilt detection rules reference
Caution: Collecting Sysmon events without a tailored configuration for your environment will cause high data volume. These setup instructions would need...
event iddetection rulessysmon23file
https://www.elastic.co/docs/api/doc/kibana/operation/operation-performrulesbulkaction
Apply a bulk action to detection rules | Kibana API documentation
detection rulesapplybulkactionkibana
https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/threat_intel/threat_intel_indicator_match_url
Threat Intel URL Indicator Match | Prebuilt detection rules reference
This rule is triggered when a URL indicator from the Threat Intel Filebeat module or integrations has a match against an event that contains URL data,...
threat inteldetection rulesurlindicatormatch
https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/ml/command_and_control_ml_packetbeat_rare_dns_question
Unusual DNS Activity | Prebuilt detection rules reference
A machine learning job detected a rare and unusual DNS query that indicate network activity with unusual DNS domains. This can be due to initial access,...
detection rulesunusualdnsactivityprebuilt
https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/windows/persistence_scheduled_task_creation_winlog
A scheduled task was created | Prebuilt detection rules reference
Indicates the creation of a scheduled task using Windows event logs. Adversaries can use these to establish persistence, move laterally, and/or escalate...
scheduled taskdetection rulescreatedprebuiltreference
https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/windows/lateral_movement_executable_tool_transfer_smb
Potential Lateral Tool Transfer via SMB Share | Prebuilt detection rules reference
Identifies the creation or change of a Windows executable file over network shares. Adversaries may transfer tools or other files between systems in a...
lateral tool transferdetection rulespotentialvia
https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_network_deleted
GCP Virtual Private Cloud Network Deletion | Prebuilt detection rules reference
Identifies when a Virtual Private Cloud (VPC) network is deleted in Google Cloud Platform (GCP). A VPC network is a virtual version of a physical network...
virtual private clouddetection rulesgcpnetworkdeletion
https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/windows/defense_evasion_masquerading_renamed_autoit
Renamed Automation Script Interpreter | Prebuilt detection rules reference
Identifies renamed Automation Script Interpreter process. Malware written as an AutoIt/AutoHotKey script tends to rename the main executable to avoid...
detection rulesrenamedautomationscriptinterpreter
https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/windows/defense_evasion_untrusted_driver_loaded
Untrusted Driver Loaded | Prebuilt detection rules reference
Identifies attempt to load an untrusted driver. Adversaries may modify code signing policies to enable execution of unsigned or self-signed code. Rule...
detection rulesdriverloadedprebuiltreference
https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline
NTDS or SAM Database File Copied | Prebuilt detection rules reference
Identifies a copy operation of the Active Directory Domain Database (ntds.dit) or Security Account Manager (SAM) files. Those files contain sensitive...
database filedetection rulesntdssamcopied
https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/integrations/aws/impact_aws_eventbridge_rule_disabled_or_deleted
AWS EventBridge Rule Disabled or Deleted | Prebuilt detection rules reference
Identifies when an Amazon EventBridge rule is disabled or deleted. EventBridge rules are commonly used to automate operational workflows and...
detection rulesawseventbridgedisableddeleted
https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/windows/impact_high_freq_file_renames_by_kernel
Potential Ransomware Behavior - Note Files by System | Prebuilt detection rules reference
This rule identifies the creation of multiple files with same name and over SMB by the same user. This behavior may indicate the successful remote execution...
by systemdetection rulespotentialransomwarebehavior
https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/linux/discovery_suspicious_network_tool_launched_inside_container
Suspicious Network Tool Launched Inside A Container | Prebuilt detection rules reference
This rule detects commonly abused network utilities running inside a container. Network utilities like nc, nmap, dig, tcpdump, ngrep, telnet, mitmproxy,...
network tooldetection rulessuspiciouslaunchedinside
https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/integrations/aws/impact_cloudwatch_log_group_deletion
AWS CloudWatch Log Group Deletion | Prebuilt detection rules reference
Detects the deletion of an Amazon CloudWatch Log Group using the "DeleteLogGroup" API. CloudWatch log groups store operational and security logs for AWS...
aws cloudwatchdetection rulesloggroupdeletion
https://www.elastic.co/guide/en/security/8.19/about-rules.html
About detection rules | Elastic Security [8.19] | Elastic
detection ruleselastic security819
https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/integrations/aws/impact_s3_static_site_js_file_uploaded
AWS S3 Static Site JavaScript File Uploaded | Prebuilt detection rules reference
This rule detects when a JavaScript file is uploaded in an S3 static site directory (static/js/) by an IAM user or assumed role. This can indicate suspicious...
aws s3static sitedetection rulesjavascript
https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/linux/persistence_at_job_creation
At Job Created or Modified | Prebuilt detection rules reference
This rule monitors for at jobs being created or renamed. Linux at jobs are scheduled tasks that can be leveraged by system administrators to set up scheduled...
detection rulesjobcreatedmodifiedprebuilt
https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/linux/execution_process_started_in_shared_memory_directory
Binary Executed from Shared Memory Directory | Prebuilt detection rules reference
Identifies the execution of a binary by root in Linux shared memory directories: (/dev/shm/, /run/shm/, /var/run/, /var/lock/). This activity is to be...
shared memorydetection rulesbinaryexecuteddirectory
https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/linux/persistence_boot_file_copy
Boot File Copy | Prebuilt detection rules reference
This rule detects the process of copying or moving files from or to the "/boot" directory on Linux systems. The "/boot" directory contains files that...
file copydetection rulesbootprebuiltreference
https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/linux/privilege_escalation_ld_preload_shared_object_modif
Modification of Dynamic Linker Preload Shared Object | Prebuilt detection rules reference
Identifies modification of the dynamic linker preload shared object (ld.so.preload). Adversaries may execute malicious payloads by hijacking the dynamic...
dynamic linkershared objectdetection rulesmodificationpreload
https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/windows/execution_downloaded_url_file
Downloaded URL Files | Prebuilt detection rules reference
Identifies .url shortcut files downloaded from outside the local network. These shortcut files are commonly used in phishing campaigns. Rule type: eql...
detection rulesdownloadedurlfilesprebuilt
https://www.elastic.co/docs/api/doc/kibana/v8/operation/operation-bulkpatchrules
Patch multiple detection rules | Kibana API documentation (v8)
detection rulesapi documentationpatchmultiplekibana
https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/linux/discovery_security_file_access_via_common_utility
Security File Access via Common Utilities | Prebuilt detection rules reference
This rule detects sensitive security file access via common utilities on Linux systems. Adversaries may attempt to read from sensitive files using common...
file accessdetection rulessecurityviacommon
https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/windows/defense_evasion_ntlm_downgrade
Potential NetNTLMv1 Downgrade Attack | Prebuilt detection rules reference
Identifies registry modification to force the system to fall back to NTLMv1 for authentication. This modification is possible with local administrator...
downgrade attackdetection rulespotentialprebuiltreference
https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/windows/initial_access_scripts_process_started_via_wmi
Windows Script Interpreter Executing Process via WMI | Prebuilt detection rules reference
Identifies use of the built-in Windows script interpreters (cscript.exe or wscript.exe) being used to execute a process via Windows Management...
windows scriptdetection rulesinterpreterexecutingprocess
https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation
Creation of Hidden Launch Agent or Daemon | Prebuilt detection rules reference
Identifies the creation of a hidden launch agent or daemon. An adversary may establish persistence by installing a new launch agent or daemon which executes...
launch agentdetection rulescreationhidden
https://www.elastic.co/docs/reference/security/prebuilt-rules/audit_policies/windows/audit_policy_change
Audit Policy Change | Prebuilt detection rules reference
Some detection rules require tracking changes to audit policies to detect unauthorized modifications or misconfigurations. Enabling this setting ensures...
audit policydetection ruleschangeprebuiltreference
https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/windows/command_and_control_iexplore_via_com
Potential Command and Control via Internet Explorer | Prebuilt detection rules reference
Identifies instances of Internet Explorer (iexplore.exe) being started via the Component Object Model (COM) making unusual network connections. Adversaries...
command and controlvia internetdetection rulespotential
https://www.elastic.co/docs/explore-analyze/workflows/use-cases/security/manage-detection-rules
Manage detection rules at scale | Elastic Docs
Use workflows to audit rule health, surface rule errors, and automate rule operations across large detection rule sets in Elastic Security.
detection rulesat scalemanageelasticdocs
https://www.elastic.co/docs/reference/security/prebuilt-rules/rules_building_block/impact_azure_recovery_services_deletion
Azure Recovery Services Resource Deleted | Prebuilt detection rules reference
Identifies the deletion of Azure Recovery Services resources. Azure Recovery Services vaults contain data for copies of VMs, workloads, servers, and other...
recovery servicesdetection rulesazureresourcedeleted
https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/ml/persistence_ml_linux_anomalous_process_all_hosts
Anomalous Process For a Linux Population | Prebuilt detection rules reference
Searches for rare processes running on multiple Linux hosts in an entire fleet or network. This reduces the detection of false positives since automated...
for adetection rulesanomalousprocesslinux
https://www.datadoghq.com/ja/blog/writing-datadog-security-detection-rules/
Best practices for creating custom detection rules with Datadog Cloud SIEM | Datadog
Learn how to create detection rules that enable you to efficiently identify and respond to security threats in your environment.
best practicesdetection rulescreatingcustom
https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/linux/privilege_escalation_suspicious_uid_guid_elevation
Privilege Escalation via CAP_SETUID/SETGID Capabilities | Prebuilt detection rules reference
Identifies instances where a process (granted CAP_SETUID and/or CAP_SETGID capabilities) is executed, after which the user's access is elevated to UID/GID...
privilege escalationvia capdetection rulessetuid
https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/network/command_and_control_cobalt_strike_default_teamserver_cert
Default Cobalt Strike Team Server Certificate | Prebuilt detection rules reference
This rule detects the use of the default Cobalt Strike Team Server TLS certificate. Cobalt Strike is software for Adversary Simulations and Red Team...
cobalt striketeam serverdetection rulesdefaultcertificate
https://github.com/P4T12ICK/Sigma2SplunkAlert
GitHub - P4T12ICK/Sigma2SplunkAlert: Converts Sigma detection rules to a Splunk alert...
Converts Sigma detection rules to a Splunk alert configuration. - P4T12ICK/Sigma2SplunkAlert
detection rulesgithubconvertssigma
https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/promotions/execution_endgame_exploit_prevented
Exploit - Prevented - Elastic Endgame | Prebuilt detection rules reference
Elastic Endgame prevented an Exploit. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional...
detection rulesexploitpreventedelasticendgame
https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created
Google Workspace Custom Admin Role Created | Prebuilt detection rules reference
Detects when a custom admin role is created in Google Workspace. An adversary may create a custom admin role in order to elevate the permissions of other...
google workspaceadmin roledetection rulescustomcreated
https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/linux/privilege_escalation_gdb_sys_ptrace_elevation
Privilege Escalation via GDB CAP_SYS_PTRACE | Prebuilt detection rules reference
Identifies instances where GDB (granted the CAP_SYS_PTRACE capability) is executed, after which the user's access is elevated to UID/GID 0 (root). In...
privilege escalationdetection rulesviagdbcap