- Elastic Security overview
- What’s new in 8.18
- Upgrade Elastic Security to 8.18.0
- Post-upgrade steps (optional)
- Get started with Elastic Security
- AI for security
- Detections and alerts
- Detections requirements
- Using logsdb index mode with Elastic Security
- About detection rules
- Create a detection rule
- Install and manage Elastic prebuilt rules
- Manage detection rules
- Monitor and troubleshoot rule executions
- Rule exceptions
- About building block rules
- MITRE ATT&CK® coverage
- Manage detection alerts
- Reduce notifications and alerts
- Query alert indices
- Tune detection rules
- Prebuilt rule reference
- A scheduled task was created
- A scheduled task was updated
- APT Package Manager Configuration File Creation
- AWS Bedrock Detected Multiple Attempts to use Denied Models by a Single User
- AWS Bedrock Detected Multiple Validation Exception Errors by a Single User
- AWS Bedrock Guardrails Detected Multiple Policy Violations Within a Single Blocked Request
- AWS Bedrock Guardrails Detected Multiple Violations by a Single User Over a Session
- AWS Bedrock Invocations without Guardrails Detected by a Single User Over a Session
- AWS CLI Command with Custom Endpoint URL
- AWS CloudTrail Log Created
- AWS CloudTrail Log Deleted
- AWS CloudTrail Log Suspended
- AWS CloudTrail Log Updated
- AWS CloudWatch Alarm Deletion
- AWS CloudWatch Log Group Deletion
- AWS CloudWatch Log Stream Deletion
- AWS Config Resource Deletion
- AWS Configuration Recorder Stopped
- AWS Deletion of RDS Instance or Cluster
- AWS Discovery API Calls via CLI from a Single Resource
- AWS DynamoDB Scan by Unusual User
- AWS DynamoDB Table Exported to S3
- AWS EC2 Admin Credential Fetch via Assumed Role
- AWS EC2 Deprecated AMI Discovery
- AWS EC2 EBS Snapshot Shared or Made Public
- AWS EC2 Encryption Disabled
- AWS EC2 Full Network Packet Capture Detected
- AWS EC2 Instance Connect SSH Public Key Uploaded
- AWS EC2 Instance Console Login via Assumed Role
- AWS EC2 Instance Interaction with IAM Service
- AWS EC2 Multi-Region DescribeInstances API Calls
- AWS EC2 Network Access Control List Creation
- AWS EC2 Network Access Control List Deletion
- AWS EC2 Route Table Modified or Deleted
- AWS EC2 Security Group Configuration Change
- AWS EC2 Snapshot Activity
- AWS EC2 User Data Retrieval for EC2 Instance
- AWS EC2 VM Export Failure
- AWS EFS File System or Mount Deleted
- AWS ElastiCache Security Group Created
- AWS ElastiCache Security Group Modified or Deleted
- AWS EventBridge Rule Disabled or Deleted
- AWS GuardDuty Detector Deletion
- AWS IAM AdministratorAccess Policy Attached to Group
- AWS IAM AdministratorAccess Policy Attached to Role
- AWS IAM AdministratorAccess Policy Attached to User
- AWS IAM Assume Role Policy Update
- AWS IAM Brute Force of Assume Role Policy
- AWS IAM CompromisedKeyQuarantine Policy Attached to User
- AWS IAM Create User via Assumed Role on EC2 Instance
- AWS IAM Customer-Managed Policy Attached to Role by Rare User
- AWS IAM Deactivation of MFA Device
- AWS IAM Group Creation
- AWS IAM Group Deletion
- AWS IAM Login Profile Added for Root
- AWS IAM Login Profile Added to User
- AWS IAM Password Recovery Requested
- AWS IAM Roles Anywhere Profile Creation
- AWS IAM Roles Anywhere Trust Anchor Created with External CA
- AWS IAM SAML Provider Updated
- AWS IAM User Addition to Group
- AWS IAM User Created Access Keys For Another User
- AWS KMS Customer Managed Key Disabled or Scheduled for Deletion
- AWS Lambda Function Created or Updated
- AWS Lambda Function Policy Updated to Allow Public Invocation
- AWS Lambda Layer Added to Existing Function
- AWS Management Console Brute Force of Root User Identity
- AWS Management Console Root Login
- AWS RDS Cluster Creation
- AWS RDS DB Instance Made Public
- AWS RDS DB Instance Restored
- AWS RDS DB Instance or Cluster Deletion Protection Disabled
- AWS RDS DB Instance or Cluster Password Modified
- AWS RDS DB Snapshot Created
- AWS RDS DB Snapshot Shared with Another Account
- AWS RDS Instance Creation
- AWS RDS Instance/Cluster Stoppage
- AWS RDS Security Group Creation
- AWS RDS Security Group Deletion
- AWS RDS Snapshot Deleted
- AWS RDS Snapshot Export
- AWS Redshift Cluster Creation
- AWS Root Login Without MFA
- AWS Route 53 Domain Transfer Lock Disabled
- AWS Route 53 Domain Transferred to Another Account
- AWS Route Table Created
- AWS Route53 private hosted zone associated with a VPC
- AWS S3 Bucket Configuration Deletion
- AWS S3 Bucket Enumeration or Brute Force
- AWS S3 Bucket Expiration Lifecycle Configuration Added
- AWS S3 Bucket Policy Added to Share with External Account
- AWS S3 Bucket Replicated to Another Account
- AWS S3 Bucket Server Access Logging Disabled
- AWS S3 Object Encryption Using External KMS Key
- AWS S3 Object Versioning Suspended
- AWS S3 Unauthenticated Bucket Access by Rare Source
- AWS SNS Email Subscription by Rare User
- AWS SNS Topic Created by Rare User
- AWS SQS Queue Purge
- AWS SSM Command Document Created by Rare User
- AWS SSM `SendCommand` Execution by Rare User
- AWS SSM `SendCommand` with Run Shell Command Parameters
- AWS STS AssumeRole with New MFA Device
- AWS STS AssumeRoot by Rare User and Member Account
- AWS STS GetCallerIdentity API Called for the First Time
- AWS STS GetSessionToken Abuse
- AWS STS Role Assumption by Service
- AWS STS Role Assumption by User
- AWS STS Role Chaining
- AWS Service Quotas Multi-Region `GetServiceQuota` Requests
- AWS Signin Single Factor Console Login with Federated User
- AWS Systems Manager SecureString Parameter Request with Decryption Flag
- AWS VPC Flow Logs Deletion
- AWS WAF Access Control List Deletion
- AWS WAF Rule or Rule Group Deletion
- Abnormal Process ID or Lock File Created
- Abnormally Large DNS Response
- Accepted Default Telnet Port Connection
- Access Control List Modification via setfacl
- Access to Keychain Credentials Directories
- Access to a Sensitive LDAP Attribute
- Accessing Outlook Data Files
- Account Configured with Never-Expiring Password
- Account Discovery Command via SYSTEM Account
- Account Password Reset Remotely
- Account or Group Discovery via Built-In Tools
- Active Directory Forced Authentication from Linux Host - SMB Named Pipes
- Active Directory Group Modification by SYSTEM
- AdFind Command Activity
- Adding Hidden File Attribute via Attrib
- AdminSDHolder Backdoor
- AdminSDHolder SDProp Exclusion Added
- Administrator Privileges Assigned to an Okta Group
- Administrator Role Assigned to an Okta User
- Adobe Hijack Persistence
- Adversary Behavior - Detected - Elastic Endgame
- Agent Spoofing - Mismatched Agent ID
- Agent Spoofing - Multiple Hosts Using Same Agent
- Alternate Data Stream Creation/Execution at Volume Root Directory
- Anomalous Linux Compiler Activity
- Anomalous Process For a Linux Population
- Anomalous Process For a Windows Population
- Anomalous Windows Process Creation
- Apple Script Execution followed by Network Connection
- Apple Scripting Execution with Administrator Privileges
- Application Added to Google Workspace Domain
- Application Removed from Blocklist in Google Workspace
- Archive File with Unusual Extension
- At Job Created or Modified
- At.exe Command Lateral Movement
- Attempt to Clear Kernel Ring Buffer
- Attempt to Create Okta API Token
- Attempt to Deactivate an Okta Application
- Attempt to Deactivate an Okta Network Zone
- Attempt to Deactivate an Okta Policy
- Attempt to Deactivate an Okta Policy Rule
- Attempt to Delete an Okta Application
- Attempt to Delete an Okta Network Zone
- Attempt to Delete an Okta Policy
- Attempt to Delete an Okta Policy Rule
- Attempt to Disable Auditd Service
- Attempt to Disable Gatekeeper
- Attempt to Disable IPTables or Firewall
- Attempt to Disable Syslog Service
- Attempt to Enable the Root Account
- Attempt to Establish VScode Remote Tunnel
- Attempt to Install Kali Linux via WSL
- Attempt to Install Root Certificate
- Attempt to Modify an Okta Application
- Attempt to Modify an Okta Network Zone
- Attempt to Modify an Okta Policy
- Attempt to Modify an Okta Policy Rule
- Attempt to Mount SMB Share via Command Line
- Attempt to Reset MFA Factors for an Okta User Account
- Attempt to Revoke Okta API Token
- Attempt to Unload Elastic Endpoint Security Kernel Extension
- Attempted Bypass of Okta MFA
- Attempted Private Key Access
- Attempts to Brute Force a Microsoft 365 User Account
- Attempts to Brute Force an Okta User Account
- Authentication via Unusual PAM Grantor
- Authorization Plugin Modification
- Azure AD Global Administrator Role Assigned
- Azure Active Directory High Risk Sign-in
- Azure Active Directory High Risk User Sign-in Heuristic
- Azure Active Directory PowerShell Sign-in
- Azure Alert Suppression Rule Created or Modified
- Azure Application Credential Modification
- Azure Automation Account Created
- Azure Automation Runbook Created or Modified
- Azure Automation Runbook Deleted
- Azure Automation Webhook Created
- Azure Blob Container Access Level Modification
- Azure Blob Permissions Modification
- Azure Command Execution on Virtual Machine
- Azure Diagnostic Settings Deletion
- Azure Entra ID Password Spraying (Non-Interactive SFA)
- Azure Entra ID Rare App ID for Principal Authentication
- Azure Entra ID Rare Authentication Requirement for Principal User
- Azure Entra MFA TOTP Brute Force Attempts
- Azure Entra Sign-in Brute Force Microsoft 365 Accounts by Repeat Source
- Azure Entra Sign-in Brute Force against Microsoft 365 Accounts
- Azure Event Hub Authorization Rule Created or Updated
- Azure Event Hub Deletion
- Azure External Guest User Invitation
- Azure Firewall Policy Deletion
- Azure Frontdoor Web Application Firewall (WAF) Policy Deleted
- Azure Full Network Packet Capture Detected
- Azure Global Administrator Role Addition to PIM User
- Azure Key Vault Modified
- Azure Kubernetes Events Deleted
- Azure Kubernetes Pods Deleted
- Azure Kubernetes Rolebindings Created
- Azure Network Watcher Deletion
- Azure OpenAI Insecure Output Handling
- Azure Privilege Identity Management Role Modified
- Azure Resource Group Deletion
- Azure Service Principal Addition
- Azure Service Principal Credentials Added
- Azure Storage Account Key Regenerated
- BPF filter applied using TC
- Base16 or Base32 Encoding/Decoding Activity
- Base64 Decoded Payload Piped to Interpreter
- Bash Shell Profile Modification
- Behavior - Detected - Elastic Defend
- Behavior - Prevented - Elastic Defend
- Binary Content Copy via Cmd.exe
- Binary Executed from Shared Memory Directory
- Bitsadmin Activity
- Boot File Copy
- Browser Extension Install
- Bypass UAC via Event Viewer
- CAP_SYS_ADMIN Assigned to Binary
- Chkconfig Service Add
- Clearing Windows Console History
- Clearing Windows Event Logs
- Cobalt Strike Command and Control Beacon
- Code Signing Policy Modification Through Built-in tools
- Code Signing Policy Modification Through Registry
- Command Execution via ForFiles
- Command Execution via SolarWinds Process
- Command Prompt Network Connection
- Command Shell Activity Started via RunDLL32
- Command and Scripting Interpreter via Windows Scripts
- Component Object Model Hijacking
- Compression DLL Loaded by Unusual Process
- Conhost Spawned By Suspicious Parent Process
- Connection to Commonly Abused Free SSL Certificate Providers
- Connection to Commonly Abused Web Services
- Connection to External Network via Telnet
- Connection to Internal Network via Telnet
- Control Panel Process with Unusual Arguments
- Creation of Hidden Files and Directories via CommandLine
- Creation of Hidden Launch Agent or Daemon
- Creation of Hidden Login Item via Apple Script
- Creation of Hidden Shared Object File
- Creation of Kernel Module
- Creation of SettingContent-ms Files
- Creation of a DNS-Named Record
- Creation of a Hidden Local User Account
- Creation or Modification of Domain Backup DPAPI private key
- Creation or Modification of Pluggable Authentication Module or Configuration
- Creation or Modification of Root Certificate
- Creation or Modification of a new GPO Scheduled Task or Service
- Credential Acquisition via Registry Hive Dumping
- Credential Dumping - Detected - Elastic Endgame
- Credential Dumping - Prevented - Elastic Endgame
- Credential Manipulation - Detected - Elastic Endgame
- Credential Manipulation - Prevented - Elastic Endgame
- Cron Job Created or Modified
- Cupsd or Foomatic-rip Shell Execution
- Curl SOCKS Proxy Activity from Unusual Parent
- CyberArk Privileged Access Security Error
- CyberArk Privileged Access Security Recommended Monitor
- D-Bus Service Created
- DNF Package Manager Plugin File Creation
- DNS Global Query Block List Modified or Disabled
- DNS Tunneling
- DNS-over-HTTPS Enabled via Registry
- DPKG Package Installed by Unusual Parent Process
- Decline in host-based traffic
- Default Cobalt Strike Team Server Certificate
- Delayed Execution via Ping
- Delete Volume USN Journal with Fsutil
- Deleting Backup Catalogs with Wbadmin
- Deprecated - Azure Virtual Network Device Modified or Deleted
- Deprecated - Suspicious File Creation in /etc for Persistence
- Directory Creation in /bin directory
- Disable Windows Event and Security Logs Using Built-in Tools
- Disable Windows Firewall Rules via Netsh
- Disabling User Account Control via Registry Modification
- Disabling Windows Defender Security Settings via PowerShell
- Discovery of Domain Groups
- Discovery of Internet Capabilities via Built-in Tools
- Docker Escape via Nsenter
- Docker Socket Enumeration
- Domain Added to Google Workspace Trusted Domains
- Downloaded Shortcut Files
- Downloaded URL Files
- Dracut Module Creation
- Dumping Account Hashes via Built-In Commands
- Dumping of Keychain Content via Security Command
- Dynamic Linker (ld.so) Creation
- Dynamic Linker Copy
- Dynamic Linker Creation or Modification
- EC2 AMI Shared with Another Account
- ESXI Discovery via Find
- ESXI Discovery via Grep
- ESXI Timestomping using Touch Command
- Eggshell Backdoor Execution
- Egress Connection from Entrypoint in Container
- Elastic Agent Service Terminated
- Emond Rules Creation or Modification
- Enable Host Network Discovery via Netsh
- Encoded Executable Stored in the Registry
- Encrypting Files with WinRar or 7z
- Endpoint Security (Elastic Defend)
- Entra ID Device Code Auth with Broker Client
- Enumerating Domain Trusts via DSQUERY.EXE
- Enumerating Domain Trusts via NLTEST.EXE
- Enumeration Command Spawned via WMIPrvSE
- Enumeration of Administrator Accounts
- Enumeration of Kernel Modules
- Enumeration of Kernel Modules via Proc
- Enumeration of Privileged Local Groups Membership
- Enumeration of Users or Groups via Built-in Commands
- Excessive AWS S3 Object Encryption with SSE-C
- Exchange Mailbox Export via PowerShell
- Executable Bit Set for Potential Persistence Script
- Executable File Creation with Multiple Extensions
- Executable File with Unusual Extension
- Executable Masquerading as Kernel Process
- Execution from Unusual Directory - Command Line
- Execution from a Removable Media with Network Connection
- Execution of COM object via Xwizard
- Execution of File Written or Modified by Microsoft Office
- Execution of File Written or Modified by PDF Reader
- Execution of Persistent Suspicious Program
- Execution of a Downloaded Windows Script
- Execution of an Unsigned Service
- Execution via Electron Child Process Node.js Module
- Execution via MS VisualStudio Pre/Post Build Events
- Execution via MSSQL xp_cmdshell Stored Procedure
- Execution via Microsoft DotNet ClickOnce Host
- Execution via TSClient Mountpoint
- Execution via Windows Command Debugging Utility
- Execution via Windows Subsystem for Linux
- Execution via local SxS Shared Module
- Execution with Explicit Credentials via Scripting
- Expired or Revoked Driver Loaded
- Exploit - Detected - Elastic Endgame
- Exploit - Prevented - Elastic Endgame
- Exporting Exchange Mailbox via PowerShell
- External Alerts
- External IP Lookup from Non-Browser Process
- External User Added to Google Workspace Group
- File Compressed or Archived into Common Format by Unsigned Process
- File Creation Time Changed
- File Creation by Cups or Foomatic-rip Child
- File Creation in /var/log via Suspicious Process
- File Creation, Execution and Self-Deletion in Suspicious Directory
- File Deletion via Shred
- File Permission Modification in Writable Directory
- File Staged in Root Folder of Recycle Bin
- File Transfer or Listener Established via Netcat
- File and Directory Permissions Modification
- File made Immutable by Chattr
- File or Directory Deletion Command
- File with Right-to-Left Override Character (RTLO) Created/Executed
- File with Suspicious Extension Downloaded
- Finder Sync Plugin Registered and Enabled
- First Occurrence GitHub Event for a Personal Access Token (PAT)
- First Occurrence of Entra ID Auth via DeviceCode Protocol
- First Occurrence of GitHub Repo Interaction From a New IP
- First Occurrence of GitHub User Interaction with Private Repo
- First Occurrence of IP Address For GitHub Personal Access Token (PAT)
- First Occurrence of IP Address For GitHub User
- First Occurrence of Okta User Session Started via Proxy
- First Occurrence of Personal Access Token (PAT) Use For a GitHub User
- First Occurrence of Private Repo Event from Specific GitHub Personal Access Token (PAT)
- First Occurrence of STS GetFederationToken Request by User
- First Occurrence of User Agent For a GitHub Personal Access Token (PAT)
- First Occurrence of User-Agent For a GitHub User
- First Time AWS Cloudformation Stack Creation by User
- First Time Seen AWS Secret Value Accessed in Secrets Manager
- First Time Seen Commonly Abused Remote Access Tool Execution
- First Time Seen Driver Loaded
- First Time Seen Google Workspace OAuth Login from Third-Party Application
- First Time Seen NewCredentials Logon Process
- First Time Seen Removable Device
- FirstTime Seen Account Performing DCSync
- Forwarded Google Workspace Security Alert
- Full User-Mode Dumps Enabled System-Wide
- GCP Firewall Rule Creation
- GCP Firewall Rule Deletion
- GCP Firewall Rule Modification
- GCP IAM Custom Role Creation
- GCP IAM Role Deletion
- GCP IAM Service Account Key Deletion
- GCP Logging Bucket Deletion
- GCP Logging Sink Deletion
- GCP Logging Sink Modification
- GCP Pub/Sub Subscription Creation
- GCP Pub/Sub Subscription Deletion
- GCP Pub/Sub Topic Creation
- GCP Pub/Sub Topic Deletion
- GCP Service Account Creation
- GCP Service Account Deletion
- GCP Service Account Disabled
- GCP Service Account Key Creation
- GCP Storage Bucket Configuration Modification
- GCP Storage Bucket Deletion
- GCP Storage Bucket Permissions Modification
- GCP Virtual Private Cloud Network Deletion
- GCP Virtual Private Cloud Route Creation
- GCP Virtual Private Cloud Route Deletion
- GRUB Configuration File Creation
- GRUB Configuration Generation through Built-in Utilities
- Git Hook Child Process
- Git Hook Command Execution
- Git Hook Created or Modified
- Git Hook Egress Network Connection
- GitHub App Deleted
- GitHub Owner Role Granted To User
- GitHub PAT Access Revoked
- GitHub Protected Branch Settings Changed
- GitHub Repo Created
- GitHub Repository Deleted
- GitHub UEBA - Multiple Alerts from a GitHub Account
- GitHub User Blocked From Organization
- Google Drive Ownership Transferred via Google Workspace
- Google Workspace 2SV Policy Disabled
- Google Workspace API Access Granted via Domain-Wide Delegation
- Google Workspace Admin Role Assigned to a User
- Google Workspace Admin Role Deletion
- Google Workspace Bitlocker Setting Disabled
- Google Workspace Custom Admin Role Created
- Google Workspace Custom Gmail Route Created or Modified
- Google Workspace Drive Encryption Key(s) Accessed from Anonymous User
- Google Workspace MFA Enforcement Disabled
- Google Workspace Object Copied to External Drive with App Consent
- Google Workspace Password Policy Modified
- Google Workspace Restrictions for Marketplace Modified to Allow Any App
- Google Workspace Role Modified
- Google Workspace Suspended User Account Renewed
- Google Workspace User Organizational Unit Changed
- Group Policy Abuse for Privilege Addition
- Group Policy Discovery via Microsoft GPResult Utility
- Halfbaked Command and Control Beacon
- Hidden Directory Creation via Unusual Parent
- Hidden Files and Directories via Hidden Flag
- High Command Line Entropy Detected for Privileged Commands
- High Mean of Process Arguments in an RDP Session
- High Mean of RDP Session Duration
- High Number of Cloned GitHub Repos From PAT
- High Number of Egress Network Connections from Unusual Executable
- High Number of Okta Device Token Cookies Generated for Authentication
- High Number of Okta User Password Reset or Unlock Attempts
- High Number of Process Terminations
- High Number of Process and/or Service Terminations
- High Variance in RDP Session Duration
- Host Detected with Suspicious Windows Process(es)
- Host Files System Changes via Windows Subsystem for Linux
- Hosts File Modified
- Hping Process Activity
- IIS HTTP Logging Disabled
- IPSEC NAT Traversal Port Activity
- IPv4/IPv6 Forwarding Activity
- Image File Execution Options Injection
- Image Loaded with Invalid Signature
- ImageLoad via Windows Update Auto Update Client
- Inbound Connection to an Unsecure Elasticsearch Node
- Incoming DCOM Lateral Movement via MSHTA
- Incoming DCOM Lateral Movement with MMC
- Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows
- Incoming Execution via PowerShell Remoting
- Incoming Execution via WinRM Remote Shell
- Indirect Command Execution via Forfiles/Pcalua
- Ingress Transfer via Windows BITS
- Initramfs Extraction via CPIO
- Initramfs Unpacking via unmkinitramfs
- Insecure AWS EC2 VPC Security Group Ingress Rule Added
- InstallUtil Activity
- InstallUtil Process Making Network Connections
- Installation of Custom Shim Databases
- Installation of Security Support Provider
- Interactive Logon by an Unusual Process
- Interactive Terminal Spawned via Perl
- Interactive Terminal Spawned via Python
- KRBTGT Delegation Backdoor
- Kerberos Cached Credentials Dumping
- Kerberos Pre-authentication Disabled for User
- Kerberos Traffic from Unusual Process
- Kernel Driver Load
- Kernel Driver Load by non-root User
- Kernel Load or Unload via Kexec Detected
- Kernel Module Load via insmod
- Kernel Module Removal
- Kernel Object File Creation
- Kernel Seeking Activity
- Kernel Unpacking Activity
- Keychain Password Retrieval via Command Line
- Kill Command Execution
- Kirbi File Creation
- Kubernetes Anonymous Request Authorized
- Kubernetes Container Created with Excessive Linux Capabilities
- Kubernetes Denied Service Account Request
- Kubernetes Exposed Service Created With Type NodePort
- Kubernetes Pod Created With HostIPC
- Kubernetes Pod Created With HostNetwork
- Kubernetes Pod Created With HostPID
- Kubernetes Pod created with a sensitive hostPath Volume
- Kubernetes Privileged Pod Created
- Kubernetes Suspicious Assignment of Controller Service Account
- Kubernetes Suspicious Self-Subject Review
- Kubernetes User Exec into Pod
- LSASS Memory Dump Creation
- LSASS Memory Dump Handle Access
- LSASS Process Access via Windows API
- Lateral Movement via Startup Folder
- Launch Agent Creation or Modification and Immediate Loading
- LaunchDaemon Creation or Modification and Immediate Loading
- Linux Clipboard Activity Detected
- Linux Group Creation
- Linux Process Hooking via GDB
- Linux Restricted Shell Breakout via Linux Binary(s)
- Linux SSH X11 Forwarding
- Linux System Information Discovery
- Linux System Information Discovery via Getconf
- Linux User Account Creation
- Linux User Account Credential Modification
- Linux User Added to Privileged Group
- Linux init (PID 1) Secret Dump via GDB
- Loadable Kernel Module Configuration File Creation
- Local Account TokenFilter Policy Disabled
- Local Scheduled Task Creation
- Login via Unusual System User
- M365 OneDrive Excessive File Downloads with OAuth Token
- MFA Deactivation with no Re-Activation for Okta User Account
- MFA Disabled for Google Workspace Organization
- MS Office Macro Security Registry Modifications
- MacOS Installer Package Spawns Network Event
- Machine Learning Detected DGA activity using a known SUNBURST DNS domain
- Machine Learning Detected a DNS Request Predicted to be a DGA Domain
- Machine Learning Detected a DNS Request With a High DGA Probability Score
- Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score
- Machine Learning Detected a Suspicious Windows Event with a Low Malicious Probability Score
- Malicious File - Detected - Elastic Defend
- Malicious File - Prevented - Elastic Defend
- Malware - Detected - Elastic Endgame
- Malware - Prevented - Elastic Endgame
- Manual Dracut Execution
- Masquerading Space After Filename
- Member Removed From GitHub Organization
- Memory Dump File with Unusual Extension
- Memory Swap Modification
- Memory Threat - Detected - Elastic Defend
- Memory Threat - Prevented - Elastic Defend
- Message-of-the-Day (MOTD) File Creation
- Microsoft 365 Exchange Anti-Phish Policy Deletion
- Microsoft 365 Exchange Anti-Phish Rule Modification
- Microsoft 365 Exchange DKIM Signing Configuration Disabled
- Microsoft 365 Exchange DLP Policy Removed
- Microsoft 365 Exchange Malware Filter Policy Deletion
- Microsoft 365 Exchange Malware Filter Rule Modification
- Microsoft 365 Exchange Management Group Role Assignment
- Microsoft 365 Exchange Safe Attachment Rule Disabled
- Microsoft 365 Exchange Safe Link Policy Disabled
- Microsoft 365 Exchange Transport Rule Creation
- Microsoft 365 Exchange Transport Rule Modification
- Microsoft 365 Global Administrator Role Assigned
- Microsoft 365 Illicit Consent Grant via Registered Application
- Microsoft 365 Inbox Forwarding Rule Created
- Microsoft 365 Portal Login from Rare Location
- Microsoft 365 Portal Logins from Impossible Travel Locations
- Microsoft 365 Potential ransomware activity
- Microsoft 365 Teams Custom Application Interaction Allowed
- Microsoft 365 Teams External Access Enabled
- Microsoft 365 Teams Guest Access Enabled
- Microsoft 365 Unusual Volume of File Deletion
- Microsoft 365 User Restricted from Sending Email
- Microsoft Build Engine Started an Unusual Process
- Microsoft Build Engine Started by a Script Process
- Microsoft Build Engine Started by a System Process
- Microsoft Build Engine Started by an Office Application
- Microsoft Build Engine Using an Alternate Name
- Microsoft Entra ID Conditional Access Policy (CAP) Modified
- Microsoft Entra ID Illicit Consent Grant via Registered Application
- Microsoft Exchange Server UM Spawning Suspicious Processes
- Microsoft Exchange Server UM Writing Suspicious Files
- Microsoft Exchange Transport Agent Install Script
- Microsoft Exchange Worker Spawning Suspicious Processes
- Microsoft IIS Connection Strings Decryption
- Microsoft IIS Service Account Password Dumped
- Microsoft Management Console File from Unusual Path
- Microsoft Windows Defender Tampering
- Mimikatz Memssp Log File Detected
- Modification of AmsiEnable Registry Key
- Modification of Boot Configuration
- Modification of Dynamic Linker Preload Shared Object
- Modification of Environment Variable via Unsigned or Untrusted Parent
- Modification of OpenSSH Binaries
- Modification of Safari Settings via Defaults Command
- Modification of Standard Authentication Module or Configuration
- Modification of WDigest Security Provider
- Modification of the msPKIAccountCredentials
- Modification or Removal of an Okta Application Sign-On Policy
- Mofcomp Activity
- Mounting Hidden or WebDav Remote Shares
- MsBuild Making Network Connections
- Mshta Making Network Connections
- MsiExec Service Child Process With Network Connection
- Multi-Factor Authentication Disabled for an Azure User
- Multiple Alerts Involving a User
- Multiple Alerts in Different ATT&CK Tactics on a Single Host
- Multiple Device Token Hashes for Single Okta Session
- Multiple Logon Failure Followed by Logon Success
- Multiple Logon Failure from the same Source Address
- Multiple Okta Sessions Detected for a Single User
- Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy
- Multiple Okta User Authentication Events with Client Address
- Multiple Okta User Authentication Events with Same Device Token Hash
- Multiple Vault Web Credentials Read
- My First Rule
- NTDS Dump via Wbadmin
- NTDS or SAM Database File Copied
- Namespace Manipulation Using Unshare
- Netcat Listener Established via rlwrap
- Netsh Helper DLL
- Network Activity Detected via Kworker
- Network Activity Detected via cat
- Network Connection Initiated by SSHD Child Process
- Network Connection by Cups or Foomatic-rip Child
- Network Connection from Binary with RWX Memory Region
- Network Connection via Certutil
- Network Connection via Compiled HTML File
- Network Connection via MsXsl
- Network Connection via Recently Compiled Executable
- Network Connection via Registration Utility
- Network Connection via Signed Binary
- Network Connection via Sudo Binary
- Network Connections Initiated Through XDG Autostart Entry
- Network Logon Provider Registry Modification
- Network Traffic Capture via CAP_NET_RAW
- Network Traffic to Rare Destination Country
- Network-Level Authentication (NLA) Disabled
- NetworkManager Dispatcher Script Creation
- New ActiveSyncAllowedDeviceID Added via PowerShell
- New GitHub App Installed
- New GitHub Owner Added
- New Okta Authentication Behavior Detected
- New Okta Identity Provider (IdP) Added by Admin
- New User Added To GitHub Organization
- New or Modified Federation Domain
- Nping Process Activity
- NullSessionPipe Registry Modification
- O365 Email Reported by User as Malware or Phish
- O365 Excessive Single Sign-On Logon Errors
- O365 Exchange Suspicious Mailbox Right Delegation
- O365 Mailbox Audit Logging Bypass
- Office Test Registry Persistence
- Okta Brute Force or Password Spraying Attack
- Okta FastPass Phishing Detection
- Okta Sign-In Events via Third-Party IdP
- Okta ThreatInsight Threat Suspected Promotion
- Okta User Session Impersonation
- Okta User Sessions Started from Different Geolocations
- OneDrive Malware File Upload
- OpenSSL Password Hash Generation
- Openssl Client or Server Activity
- Outbound Scheduled Task Activity via PowerShell
- Outlook Home Page Registry Modification
- Parent Process Detected with Suspicious Windows Process(es)
- Parent Process PID Spoofing
- Peripheral Device Discovery
- Permission Theft - Detected - Elastic Endgame
- Permission Theft - Prevented - Elastic Endgame
- Persistence via BITS Job Notify Cmdline
- Persistence via DirectoryService Plugin Modification
- Persistence via Docker Shortcut Modification
- Persistence via Folder Action Script
- Persistence via Hidden Run Key Detected
- Persistence via KDE Autostart Script or Desktop File Modification
- Persistence via Login or Logout Hook
- Persistence via Microsoft Office AddIns
- Persistence via Microsoft Outlook VBA
- Persistence via PowerShell profile
- Persistence via Scheduled Job Creation
- Persistence via TelemetryController Scheduled Task Hijack
- Persistence via Update Orchestrator Service Hijack
- Persistence via WMI Event Subscription
- Persistence via WMI Standard Registry Provider
- Persistence via a Windows Installer
- Persistent Scripts in the Startup Directory
- Pluggable Authentication Module (PAM) Creation in Unusual Directory
- Pluggable Authentication Module (PAM) Source Download
- Pluggable Authentication Module (PAM) Version Discovery
- Polkit Policy Creation
- Polkit Version Discovery
- Port Forwarding Rule Addition
- Possible FIN7 DGA Command and Control Behavior
- Possible Okta DoS Attack
- Potential ADIDNS Poisoning via Wildcard Record Creation
- Potential AWS S3 Bucket Ransomware Note Uploaded
- Potential Abuse of Resources by High Token Count and Large Response Sizes
- Potential Active Directory Replication Account Backdoor
- Potential Admin Group Account Addition
- Potential Antimalware scan Interface Bypass via Powershell
- Potential Application shimming via sdbinst
- Potential Azure OpenAI Model Theft
- Potential Buffer Overflow Attack Detected
- Potential Chroot Container Escape via Mount
- Potential Code Execution via Postgresql
- Potential Command and Control via Internet Explorer
- Potential Cookies Theft via Browser Debugging
- Potential Credential Access via DCsync
- Potential Credential Access via DuplicateHandle in LsAss
- Potential Credential Access via LsAss Memory Dump
- Potential Credential Access via Memory Dump File Creation
- Potential Credential Access via Renamed COM+ services DLL
- Potential Credential Access via Trusted Developer Utility
- Potential Credential Access via Windows Utilities
- Potential DGA Activity
- Potential DLL side-Loading via Microsoft Antimalware service Executable
- Potential DLL side-Loading via Trusted Microsoft Programs
- Potential DNs Tunneling via NsLookup
- Potential Data Exfiltration Activity to an Unusual Destination Port
- Potential Data Exfiltration Activity to an Unusual IP Address
- Potential Data Exfiltration Activity to an Unusual IsO Code
- Potential Data Exfiltration Activity to an Unusual Region
- Potential Data splitting Detected
- Potential Defense Evasion via CMsTP.exe
- Potential Defense Evasion via Doas
- Potential Defense Evasion via PRoot
- Potential Denial of Azure OpenAI ML service
- Potential Disabling of AppArmor
- Potential Disabling of sELinux
- Potential Enumeration via Active Directory Web service
- Potential Escalation via Vulnerable MsI Repair
- Potential Evasion via Filter Manager
- Potential Evasion via Windows Filtering Platform
- Potential Execution of rc.local script
- Potential Execution via XZBackdoor
- Potential Exploitation of an Unquoted service Path Vulnerability
- Potential External Linux ssH Brute Force Detected
- Potential File Download via a Headless Browser
- Potential File Transfer via Certreq
- Potential File Transfer via Curl for Windows
- Potential Foxmail Exploitation
- Potential Hex Payload Execution
- Potential Hidden Local User Account Creation
- Potential Hidden Process via Mount Hidepid
- Potential Internal Linux ssH Brute Force Detected
- Potential Invoke-Mimikatz Powershell script
- Potential JAVA/JNDI Exploitation Attempt
- Potential Kerberos Attack via Bifrost
- Potential LsA Authentication Package Abuse
- Potential LsAss Clone Creation via PssCapturesnapshot
- Potential LsAss Memory Dump via PssCapturesnapshot
- Potential Lateral Tool Transfer via sMB share
- Potential Linux Backdoor User Account Creation
- Potential Linux Credential Dumping via Proc Filesystem
- Potential Linux Credential Dumping via Unshadow
- Potential Linux Hack Tool Launched
- Potential Linux Local Account Brute Force Detected
- Potential Linux Ransomware Note Creation Detected
- Potential Linux Tunneling and/or Port Forwarding
- Potential Local NTLM Relay via HTTP
- Potential Malware-Driven ssH Brute Force Attempt
- Potential Masquerading as Browser Process
- Potential Masquerading as Business App Installer
- Potential Masquerading as Communication Apps
- Potential Masquerading as system32 DLL
- Potential Masquerading as system32 Executable
- Potential Masquerading as VLC DLL
- Potential Memory seeking Activity
- Potential Meterpreter Reverse shell
- Potential Microsoft Office sandbox Evasion
- Potential Modification of Accessibility Binaries
- Potential Network scan Detected
- Potential Network scan Executed From Host
- Potential Network share Discovery
- Potential Network sweep Detected
- Potential Non-standard Port HTTP/HTTPs connection
- Potential Non-standard Port ssH connection
- Potential Okta MFA Bombing via Push Notifications
- Potential OpenssH Backdoor Logging Activity
- Potential Outgoing RDP Connection by Unusual Process
- Potential Pass-the-Hash (PtH) Attempt
- Potential Persistence via Atom Init script Modification
- Potential Persistence via File Modification
- Potential Persistence via Login Hook
- Potential Persistence via Periodic Tasks
- Potential Persistence via Time Provider Modification
- Potential Port Monitor or Print Processor Registration Abuse
- Potential Port scanning Activity from Compromised Host
- Potential Powershell HackTool script by Author
- Potential Powershell HackTool script by Function Names
- Potential Powershell Obfuscated script
- Potential Powershell Pass-the-Hash/Relay script
- Potential Privacy Control Bypass via Localhost secure Copy
- Potential Privacy Control Bypass via TCCDB Modification
- Potential Privilege Escalation through Writable Docker socket
- Potential Privilege Escalation via CVE-2023-4911
- Potential Privilege Escalation via Container Misconfiguration
- Potential Privilege Escalation via Enlightenment
- Potential Privilege Escalation via InstallerFileTakeOver
- Potential Privilege Escalation via Linux DAC permissions
- Potential Privilege Escalation via OverlayFs
- Potential Privilege Escalation via PKEXEC
- Potential Privilege Escalation via Python cap_setuid
- Potential Privilege Escalation via Recently Compiled Executable
- Potential Privilege Escalation via service ImagePath Modification
- Potential Privilege Escalation via sudoers File Modification
- Potential Privilege Escalation via UID INT_MAX Bug Detected
- Potential Privileged Escalation via samAccountName spoofing
- Potential Process Injection from Malicious Document
- Potential Process Injection via Powershell
- Potential Process Name stomping with Prctl
- Potential Protocol Tunneling via Chisel Client
- Potential Protocol Tunneling via Chisel server
- Potential Protocol Tunneling via EarthWorm
- Potential Pspy Process Monitoring Detected
- Potential Ransomware Behavior - High count of Readme files by system
- Potential Ransomware Note File Dropped via sMB
- Potential Relay Attack against a Domain Controller
- Potential Remote Code Execution via Web server
- Potential Remote Credential Access via Registry
- Potential Remote Desktop shadowing Activity
- Potential Remote Desktop Tunneling Detected
- Potential Remote File Execution via MsIEXEC
- Potential Reverse shell
- Potential Reverse shell Activity via Terminal
- Potential Reverse shell via Background Process
- Potential Reverse shell via Child
- Potential Reverse shell via Java
- Potential Reverse shell via suspicious Binary
- Potential Reverse shell via suspicious Child Process
- Potential Reverse shell via UDP
- Potential ssH-IT ssH Worm Downloaded
- Potential sYN-Based Port scan Detected
- Potential secure File Deletion via sDelete Utility
- Potential shadow Credentials added to AD Object
- Potential shadow File Read via Command Line Utilities
- Potential sharpRDP Behavior
- Potential shell via Wildcard Injection Detected
- Potential subnet scanning Activity from Compromised Host
- Potential successful Linux FTP Brute Force Attack Detected
- Potential successful Linux RDP Brute Force Attack Detected
- Potential successful ssH Brute Force Attack
- Potential sudo Hijacking
- Potential sudo Privilege Escalation via CVE-2019-14287
- Potential sudo Token Manipulation via Process Injection
- Potential suspicious DebugFs Root Device Access
- Potential suspicious File Edit
- Potential Unauthorized Access via Wildcard Injection Detected
- Potential Upgrade of Non-interactive shell
- Potential Veeam Credential Access Command
- Potential WPAD spoofing via DNs Record Creation
- Potential WsUs Abuse for Lateral Movement
- Potential Widespread Malware Infection Across Multiple Hosts
- Potential Windows Error Manager Masquerading
- Potential Windows session Hijacking via CcmExec
- Potential curl CVE-2023-38545 Exploitation
- Potential macOs ssH Brute Force Detected
- Potential privilege escalation via CVE-2022-38028
- Potentially successful MFA Bombing via Push Notifications
- Potentially suspicious Process started via tmux or screen
- Powershell Invoke-NinjaCopy script
- Powershell Kerberos Ticket Dump
- Powershell Kerberos Ticket Request
- Powershell Keylogging script
- Powershell Mailbox Collection script
- Powershell MiniDump script
- PowerShell PSReflect Script
- PowerShell Script Block Logging Disabled
- PowerShell Script with Archive Compression Capabilities
- PowerShell Script with Discovery Capabilities
- PowerShell Script with Encryption/Decryption Capabilities
- PowerShell Script with Log Clear Capabilities
- PowerShell Script with Password Policy Discovery Capabilities
- PowerShell Script with Remote Execution Capabilities via WinRM
- PowerShell Script with Token Impersonation Capabilities
- PowerShell Script with Veeam Credential Access Capabilities
- PowerShell Script with Webcam Video Capture Capabilities
- PowerShell Script with Windows Defender Tampering Capabilities
- PowerShell Share Enumeration Script
- PowerShell Suspicious Discovery Related Windows API Functions
- PowerShell Suspicious Payload Encoded and Compressed
- PowerShell Suspicious Script with Audio Capture Capabilities
- PowerShell Suspicious Script with Clipboard Retrieval Capabilities
- PowerShell Suspicious Script with Screenshot Capabilities
- Printer User (lp) Shell Execution
- Private Key Searching Activity
- Privilege Escalation via CAP_CHOWN/CAP_FOWNER Capabilities
- Privilege Escalation via CAP_SETUID/SETGID Capabilities
- Privilege Escalation via GDB CAP_SYS_PTRACE
- Privilege Escalation via Named Pipe Impersonation
- Privilege Escalation via Rogue Named Pipe Impersonation
- Privilege Escalation via Root Crontab File Modification
- Privilege Escalation via SUID/SGID
- Privilege Escalation via Windir Environment Variable
- Privileged Account Brute Force
- Privileged Docker Container Creation
- Privileges Elevation via Parent Process PID Spoofing
- Process Activity via Compiled HTML File
- Process Backgrounded by Unusual Parent
- Process Capability Enumeration
- Process Capability Set via setcap Utility
- Process Created with a Duplicated Token
- Process Created with an Elevated Token
- Process Creation via Secondary Logon
- Process Discovery Using Built-in Tools
- Process Discovery via Built-In Applications
- Process Execution from an Unusual Directory
- Process Injection - Detected - Elastic Endgame
- Process Injection - Prevented - Elastic Endgame
- Process Injection by the Microsoft Build Engine
- Process Spawned from Message-of-the-Day (MOTD)
- Process Started from Process ID (PID) File
- Process Started with Executable Stack
- Process Termination followed by Deletion
- Processes with Trailing Spaces
- Program Files Directory Masquerading
- Prompt for Credentials with OSASCRIPT
- ProxyChains Activity
- PsExec Network Connection
- Python Path File (pth) Creation
- Python Site or User Customize File Creation
- Quarantine Attrib Removed by Unsigned or Untrusted Process
- Query Registry using Built-in Tools
- RDP (Remote Desktop Protocol) from the Internet
- RDP Enabled via Registry
- ROT Encoded Python Script Execution
- RPC (Remote Procedure Call) from the Internet
- RPC (Remote Procedure Call) to the Internet
- RPM Package Installed by Unusual Parent Process
- Ransomware - Detected - Elastic Defend
- Ransomware - Detected - Elastic Endgame
- Ransomware - Prevented - Elastic Defend
- Ransomware - Prevented - Elastic Endgame
- Rapid Secret Retrieval Attempts from AWS SecretsManager
- Rapid7 Threat Command CVEs Correlation
- Rare AWS Error Code
- Rare SMB Connection to the Internet
- Rare User Logon
- Registry Persistence via AppCert DLL
- Registry Persistence via AppInit DLL
- Remote Computer Account DnsHostName Update
- Remote Desktop Enabled in Windows Firewall by Netsh
- Remote Desktop File Opened from Suspicious Path
- Remote Execution via File Shares
- Remote File Copy to a Hidden Share
- Remote File Copy via TeamViewer
- Remote File Creation in World Writeable Directory
- Remote File Download via Desktopimgdownldr Utility
- Remote File Download via MpCmdRun
- Remote File Download via PowerShell
- Remote File Download via Script Interpreter
- Remote SSH Login Enabled via systemsetup Command
- Remote Scheduled Task Creation
- Remote Scheduled Task Creation via RPC
- Remote System Discovery Commands
- Remote Windows Service Installed
- Remote XSL Script Execution via COM
- Remotely Started Services via RPC
- Renamed AutoIt Scripts Interpreter
- Renamed Utility Executed with Short Program Name
- Root Certificate Installation
- Root Network Connection via GDB CAP_SYS_PTRACE
- Roshal Archive (RAR) or PowerShell File Downloaded from the Internet
- Route53 Resolver Query Log Configuration Deleted
- SELinux Configuration Creation or Renaming
- SIP Provider Modification
- SMB (Windows File Sharing) Activity to the Internet
- SMB Connections via LOLBin or Untrusted Process
- SMTP on Port 26/TCP
- SNS Topic Message Publish by Rare User
- SSH Authorized Keys File Deletion
- SSH Authorized Keys File Modification
- SSH Key Generated via ssh-keygen
- SSL Certificate Deletion
- SSM Session Started to EC2 Instance
- SUID/SGID Bit Set
- SUID/SGUID Enumeration Detected
- SUNBURST Command and Control Activity
- Scheduled Task Created by a Windows Script
- Scheduled Task Execution at Scale via GPO
- Scheduled Tasks AT Command Enabled
- ScreenConnect Server Spawning Suspicious Processes
- Screensaver Plist File Modified by Unexpected Process
- Script Execution via Microsoft HTML Application
- SeDebugPrivilege Enabled by a Suspicious Process
- Searching for Saved Credentials via VaultCmd
- Security File Access via Common Utilities
- Security Software Discovery using WMIC
- Security Software Discovery via Grep
- Segfault Detected
- Sensitive Audit Policy Sub-Category Disabled
- Sensitive Files Compression
- Sensitive Privilege SeEnableDelegationPrivilege assigned to a User
- Sensitive Registry Hive Access via RegBack
- Service Command Lateral Movement
- Service Control Spawned via Script Interpreter
- Service Creation via Local Kerberos Authentication
- Service DACL Modification via sc.exe
- Service Disabled via Registry Modification
- Service Path Modification
- Service Path Modification via sc.exe
- Setcap setuid/setgid Capability Set
- Shadow File Modification by Unusual Process
- SharePoint Malware File Upload
- Shared Object Created or Changed by Previously Unknown Process
- Shell Configuration Creation or Modification
- Shell Execution via Apple Scripting
- Shortcut File Written or Modified on Startup Folder
- Signed Proxy Execution via MS Work Folders
- Simple HTTP Web Server Connection
- Simple HTTP Web Server Creation
- SoftwareUpdate Preferences Modification
- SolarWinds Process Disabling Services via Registry
- Spike in AWS Error Messages
- Spike in Bytes Sent to an External Device
- Spike in Bytes Sent to an External Device via Airdrop
- Spike in Failed Logon Events
- Spike in Firewall Denies
- Spike in Group Application Assignment Change Events
- Spike in Group Lifecycle Change Events
- Spike in Group Management Events
- Spike in Group Membership Events
- Spike in Group Privilege Change Events
- Spike in Logon Events
- Spike in Network Traffic
- Spike in Network Traffic To a Country
- Spike in Number of Connections Made from a Source IP
- Spike in Number of Connections Made to a Destination IP
- Spike in Number of Processes in an RDP Session
- Spike in Privileged Command Execution by a User
- Spike in Remote File Transfers
- Spike in Special Logon Events
- Spike in Special Privilege Use Events
- Spike in Successful Logon Events from a Source IP
- Spike in User Account Management Events
- Spike in User Lifecycle Management Change Events
- Spike in host-based traffic
- Startup Folder Persistence via Unsigned Process
- Startup Persistence by a Suspicious Process
- Startup or Run Key Registry Modification
- Startup/Logon Script added to Group Policy Object
- Statistical Model Detected C2 Beaconing Activity
- Statistical Model Detected C2 Beaconing Activity with High Confidence
- Stolen Credentials Used to Login to Okta Account After MFA Reset
- Sublime Plugin or Application Script Modification
- Successful Application SSO from Rare Unknown Client Device
- Successful SSH Authentication from Unusual IP Address
- Successful SSH Authentication from Unusual SSH Public Key
- Successful SSH Authentication from Unusual User
- Sudo Command Enumeration Detected
- Sudo Heap-Based Buffer Overflow Attempt
- Sudoers File Modification
- Suspicious .NET Code Compilation
- Suspicious .NET Reflection via PowerShell
- Suspicious /proc/maps Discovery
- Suspicious APT Package Manager Execution
- Suspicious APT Package Manager Network Connection
- Suspicious Access to LDAP Attributes
- Suspicious Activity Reported by Okta User
- Suspicious Antimalware Scan Interface DLL
- Suspicious Automator Workflows Execution
- Suspicious Browser Child Process
- Suspicious Calendar File Modification
- Suspicious CertUtil Commands
- Suspicious Child Process of Adobe Acrobat Reader Update Service
- Suspicious Cmd Execution via WMI
- Suspicious Communication App Child Process
- Suspicious Content Extracted or Decompressed via Funzip
- Suspicious CronTab Creation or Modification
- Suspicious DLL Loaded for Persistence or Privilege Escalation
- Suspicious Data Encryption via OpenSSL Utility
- Suspicious Dynamic Linker Discovery via od
- Suspicious Emond Child Process
- Suspicious Endpoint Security Parent Process
- Suspicious Execution from Foomatic-rip or Cupsd Parent
- Suspicious Execution from INET Cache
- Suspicious Execution from a Mounted Device
- Suspicious Execution via MSIEXEC
- Suspicious Execution via Microsoft Office Add-Ins
- Suspicious Execution via Scheduled Task
- Suspicious Execution via Windows Subsystem for Linux
- Suspicious Explorer Child Process
- Suspicious File Creation via Kworker
- Suspicious File Downloaded from Google Drive
- Suspicious File Renamed via SMB
- Suspicious HTML File Creation
- Suspicious Hidden Child Process of Launchd
- Suspicious Image Load (taskschd.dll) from MS Office
- Suspicious ImagePath Service Creation
- Suspicious Inter-Process Communication via Outlook
- Suspicious JetBrains TeamCity Child Process
- Suspicious Kworker UID Elevation
- Suspicious LSASS Access via MalSecLogon
- Suspicious Lsass Process Access
- Suspicious MS Office Child Process
- Suspicious MS Outlook Child Process
- Suspicious Managed Code Hosting Process
- Suspicious Memory grep Activity
- Suspicious Microsoft 365 Mail Access by ClientAppId
- Suspicious Microsoft Diagnostics Wizard Execution
- Suspicious Mining Process Creation Event
- Suspicious Modprobe File Event
- Suspicious Module Loaded by LSASS
- Suspicious Network Activity to the Internet by Previously Unknown Executable
- Suspicious Network Connection via systemd
- Suspicious Outlook Child Process
- Suspicious PDF Reader Child Process
- Suspicious Passwd File Event Action
- Suspicious Path Invocation from Command Line
- Suspicious Portable Executable Encoded in PowerShell Script
- Suspicious PowerShell Engine ImageLoad
- Suspicious PowerShell Script
- Suspicious Print Spooler File Deletion
- Suspicious Print Spooler Point and Print DLL
- Suspicious Print Spooler SPL File Created
- Suspicious PrintSpooler Service Executable File Creation
- Suspicious Proc Pseudo File System Enumeration
- Suspicious Process Access via Direct System Call
- Suspicious Process Creation CallTrace
- Suspicious Process Execution via Renamed PsExec Executable
- Suspicious RDP ActiveX Client Loaded
- Suspicious Remote Registry Access via SeBackupPrivilege
- Suspicious Renaming of ESXI Files
- Suspicious Renaming of ESXI index.html File
- Suspicious ScreenConnect Client Child Process
- Suspicious Script Object Execution
- Suspicious service was Installed in the system
- Suspicious SolarWinds Child Process
- Suspicious Startup Shell Folder Modification
- Suspicious Symbolic Link Created
- Suspicious Sysctl File Event
- Suspicious System Commands Executed by Previously Unknown Executable
- Suspicious Termination of ESXI Process
- Suspicious Troubleshooting Pack Cabinet Execution
- Suspicious Usage of bpf_probe_write_user Helper
- Suspicious Utility Launched via ProxyChains
- Suspicious WMI Event Subscription Created
- Suspicious WMI Image Load from MS Office
- Suspicious WMIC XSL Script Execution
- Suspicious Web Browser Sensitive File Access
- Suspicious WerFault Child Process
- Suspicious Windows Command Shell Arguments
- Suspicious Windows PowerShell Arguments
- Suspicious Zoom Child Process
- Suspicious macOS MS Office Child Process
- Suspicious pbpaste High Volume Activity
- Suspicious rc.local Error Message
- Suspicious which Enumeration
- Svchost spawning Cmd
- Symbolic Link to Shadow Copy Created
- System Binary Moved or Copied
- System Binary Path File Permission Modification
- System Hosts File Access
- System Information Discovery via Windows Command Shell
- System Log File Deletion
- System Network Connections Discovery
- System Owner/User Discovery Linux
- System Service Discovery through built-in Windows Utilities
- System Shells via Services
- System Time Discovery
- System V Init Script Created
- SystemKey Access via Command Line
- Systemd Generator Created
- Systemd Service Created
- Systemd Service Started by Unusual Parent Process
- Systemd Shell Execution During Boot
- Systemd Timer Created
- Systemd-udevd Rule File Creation
- TCC Bypass via Mounted APFS Snapshot Access
- Tainted Kernel Module Load
- Tainted Out-Of-Tree Kernel Module Load
- Tampering of Shell Command-Line History
- Temporarily Scheduled Task Creation
- Third-party Backup Files Deleted via Unexpected Process
- Threat Intel Hash Indicator Match
- Threat Intel IP Address Indicator Match
- Threat Intel URL Indicator Match
- Threat Intel Windows Registry Indicator Match
- Timestomping using Touch Command
- Trap Signals Execution
- UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer
- UAC Bypass Attempt via Privileged IFileOperation COM Interface
- UAC Bypass Attempt via Windows Directory Masquerading
- UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface
- UAC Bypass via DiskCleanup Scheduled Task Hijack
- UAC Bypass via ICMLuaUtil Elevated COM Interface
- UAC Bypass via Windows Firewall Snap-In Hijack
- UID Elevation from Previously Unknown Executable
- Unauthorized Access to an Okta Application
- Unauthorized Scope for Public App OAuth2 Token Grant with Client Credentials
- Uncommon Destination Port Connection by Web Server
- Uncommon Registry Persistence Change
- Unexpected Child Process of macOS Screensaver Engine
- Unix Socket Connection
- Unknown Execution of Binary with RWX Memory Region
- Unsigned BITS Service Client Process
- Unsigned DLL Loaded by Svchost
- Unsigned DLL Loaded by a Trusted Process
- Unsigned DLL Side-Loading from a Suspicious Folder
- Unsigned DLL loaded by DNS Service
- Untrusted DLL Loaded by Azure AD Sync Service
- Untrusted Driver Loaded
- Unusual AWS Command for a User
- Unusual AWS S3 Object Encryption with SSE-C
- Unusual Base64 Encoding/Decoding Activity
- Unusual Child Process from a System Virtual Process
- Unusual Child Process of dns.exe
- Unusual Child Processes of RunDLL32
- Unusual City For an AWS Command
- Unusual Command Execution from Web Server Parent
- Unusual Country For an AWS Command
- Unusual D-Bus Daemon Child Process
- Unusual DNS Activity
- Unusual DPKG Execution
- Unusual Discovery Activity by User
- Unusual Discovery Signal Alert with Unusual Process Command Line
- Unusual Discovery Signal Alert with Unusual Process Executable
- Unusual Executable File Creation by a System Critical Process
- Unusual Execution via Microsoft Common Console File
- Unusual File Creation - Alternate Data Stream
- Unusual File Creation by Web Server
- Unusual File Modification by dns.exe
- Unusual File Transfer Utility Launched
- Unusual Group Name Accessed by a User
- Unusual High Confidence Content Filter Blocks Detected
- Unusual High Denied Sensitive Information Policy Blocks Detected
- Unusual High Denied Topic Blocks Detected
- Unusual High Word Policy Blocks Detected
- Unusual Host Name for Okta Privileged Operations Detected
- Unusual Host Name for Windows Privileged Operations Detected
- Unusual Hour for a User to Logon
- Unusual Instance Metadata Service (IMDS) API Request
- Unusual Interactive Shell Launched from System User
- Unusual Linux Network Activity
- Unusual Linux Network Configuration Discovery
- Unusual Linux Network Connection Discovery
- Unusual Linux Network Port Activity
- Unusual Linux Process Calling the Metadata Service
- Unusual Linux Process Discovery Activity
- Unusual Linux System Information Discovery Activity
- Unusual Linux User Calling the Metadata Service
- Unusual Linux User Discovery Activity
- Unusual Linux Username
- Unusual Login Activity
- Unusual Network Activity from a Windows System Binary
- Unusual Network Connection to Suspicious Top Level Domain
- Unusual Network Connection to Suspicious Web Service
- Unusual Network Connection via DllHost
- Unusual Network Connection via RunDLL32
- Unusual Network Destination Domain Name
- Unusual Parent Process for cmd.exe
- Unusual Parent-Child Relationship
- Unusual Persistence via Services Registry
- Unusual Pkexec Execution
- Unusual Preload Environment Variable Process Execution
- Unusual Print Spooler Child Process
- Unusual Privilege Type assigned to a User
- Unusual Process Detected for Privileged Commands by a User
- Unusual Process Execution Path - Alternate Data Stream
- Unusual Process Execution on WBEM Path
- Unusual Process Extension
- Unusual Process For MSSQL Service Accounts
- Unusual Process For a Linux Host
- Unusual Process For a Windows Host
- Unusual Process Network Connection
- Unusual Process Spawned by a Host
- Unusual Process Spawned by a Parent Process
- Unusual Process Spawned by a User
- Unusual Process Spawned from Web Server Parent
- Unusual Process Writing Data to an External Device
- Unusual Region Name for Okta Privileged Operations Detected
- Unusual Region Name for Windows Privileged Operations Detected
- Unusual Remote File Creation
- Unusual Remote File Directory
- Unusual Remote File Extension
- Unusual Remote File Size
- Unusual SSHD Child Process
- Unusual Service Host Child Process - Childless Service
- Unusual Source IP for Okta Privileged Operations Detected
- Unusual Source IP for Windows Privileged Operations Detected
- Unusual Source IP for a User to Logon from
- Unusual Spike in Concurrent Active Sessions by a User
- Unusual Sudo Activity
- Unusual Time or Day for an RDP Session
- Unusual User Privilege Enumeration via id
- Unusual Web Request
- Unusual Web User Agent
- Unusual Windows Network Activity
- Unusual Windows Path Activity
- Unusual Windows Process Calling the Metadata Service
- Unusual Windows Remote User
- Unusual Windows Service
- Unusual Windows User Calling the Metadata Service
- Unusual Windows User Privilege Elevation Activity
- Unusual Windows Username
- User Account Creation
- User Added as Owner for Azure Application
- User Added as Owner for Azure Service Principal
- User Added to Privileged Group
- User Added to the Admin Group
- User Detected with Suspicious Windows Process(es)
- User account exposed to Kerberoasting
- User or Group Creation/Modification
- VNC (Virtual Network Computing) from the Internet
- VNC (Virtual Network Computing) to the Internet
- Veeam Backup Library Loaded by Unusual Process
- Virtual Machine Fingerprinting
- Virtual Machine Fingerprinting via Grep
- Virtual Private Network Connection Attempt
- Volume Shadow Copy Deleted or Resized via VssAdmin
- Volume Shadow Copy Deletion via PowerShell
- Volume Shadow Copy Deletion via WMIC
- WDAC Policy File by an Unusual Process
- WMI Incoming Lateral Movement
- WMI WBEMTEST Utility Execution
- WMIC Remote Command
- WPS Office Exploitation via DLL Hijack
- WRITEDAC Access on Active Directory Object
- Web Application Suspicious Activity: POST Request Declined
- Web Application Suspicious Activity: Unauthorized Method
- Web Application Suspicious Activity: sqlmap User Agent
- Web Server Spawned via Python
- Web Shell Detection: Script Process Child of Common Web Processes
- WebProxy Settings Modification
- Webserver Access Logs Deleted
- Werfault ReflectDebugger Persistence
- Whoami Process Activity
- Windows Account or Group Discovery
- Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)
- Windows Defender Disabled via Registry Modification
- Windows Defender Exclusions Added via PowerShell
- Windows Event Logs Cleared
- Windows Firewall Disabled via PowerShell
- Windows Installer with Suspicious Properties
- Windows Network Enumeration
- Windows Registry File Creation in SMB Share
- Windows Script Executing PowerShell
- Windows Script Interpreter Executing Process via WMI
- Windows Service Installed via an Unusual Client
- Windows Subsystem for Linux Distribution Installed
- Windows Subsystem for Linux Enabled via Dism Utility
- Windows System Information Discovery
- Windows System Network Connections Discovery
- Wireless Credential Dumping using Netsh Command
- Yum Package Manager Plugin File Creation
- Yum/DNF Plugin Status Discovery
- Zoom Meeting with no Passcode
- rc.local/rc.common File Creation
- Downloadable rule updates
- Configure endpoint protection with Elastic Defend
- Manage Elastic Defend
- Endpoints
- Policies
- Trusted applications
- Event filters
- Host isolation exceptions
- Blocklist
- Optimize Elastic Defend
- Event capture and Elastic Defend
- Endpoint protection rules
- Allowlist Elastic Endpoint in third-party antivirus apps
- Elastic Endpoint self-protection features
- Elastic Endpoint command reference
- Endpoint response actions
- Cloud security
- Dashboards
- Explore
- Advanced Entity Analytics
- Investigation tools
- Elastic Security APIs
- Elastic Security fields and object schemas
- Troubleshooting
- Release notes