- Elastic Security: other versions:
- Elastic Security overview
- What’s new in 8.18
- Upgrade Elastic Security to 8.18.3
- Post-upgrade steps (optional)
- Get started with Elastic Security
- AI for Security
- Detections and alerts
- Detections requirements
- Using logsdb index mode with Elastic Security
- About detection rules
- Create a detection rule
- Install and manage Elastic prebuilt rules
- Manage detection rules
- Monitor and troubleshoot rule executions
- Rule exceptions
- About building block rules
- MITRE ATT&CK® coverage
- Manage detection alerts
- Reduce notifications and alerts
- Query alert indices
- Tune detection rules
- Prebuilt rule reference
- A scheduled task was created
- APT Package Manager Configuration File Creation
- AWS Access Token Used from Multiple Addresses
- AWS Bedrock Detected Multiple Attempts to use Denied Models by a Single User
- AWS Bedrock Detected Multiple Validation Exception Errors by a Single User
- AWS Bedrock Guardrails Detected Multiple Policy Violations Within a Single Blocked Request
- AWS Bedrock Guardrails Detected Multiple Violations by a Single User Over a Session
- AWS Bedrock Invocations without Guardrails Detected by a Single User Over a Session
- AWS CLI Command with Custom Endpoint URL
- AWS CLI with Kali Linux Fingerprint Identified
- AWS CloudTrail Log Created
- AWS CloudTrail Log Deleted
- AWS CloudTrail Log Evasion
- AWS CloudTrail Log Suspended
- AWS CloudTrail Log Updated
- AWS CloudWatch Alarm Deletion
- AWS CloudWatch Log Group Deletion
- AWS CloudWatch Log Stream Deletion
- AWS Config Resource Deletion
- AWS Configuration Recorder Stopped
- AWS Credentials Searched For Inside A Container
- AWS Deletion of RDS Instance or Cluster
- AWS Discovery API Calls via CLI from a Single Resource
- AWS DynamoDB Scan by Unusual User
- AWS DynamoDB Table Exported to S3
- AWS EC2 Deprecated AMI Discovery
- AWS EC2 EBS Snapshot Access Removed
- AWS EC2 EBS Snapshot Shared or Made Public
- AWS EC2 Encryption Disabled
- AWS EC2 Full Network Packet Capture Detected
- AWS EC2 Instance Connect SSH Public Key Uploaded
- AWS EC2 Instance Console Login via Assumed Role
- AWS EC2 Instance Interaction with IAM Service
- AWS EC2 Multi-Region DescribeInstances API Calls
- AWS EC2 Network Access Control List Creation
- AWS EC2 Network Access Control List Deletion
- AWS EC2 Route Table Modified or Deleted
- AWS EC2 Security Group Configuration Change
- AWS EC2 Unauthorized Admin Credential Fetch via Assumed Role
- AWS EC2 User Data Retrieval for EC2 Instance
- AWS EC2 VM Export Failure
- AWS EFS File System or Mount Deleted
- AWS ElastiCache Security Group Created
- AWS ElastiCache Security Group Modified or Deleted
- AWS EventBridge Rule Disabled or Deleted
- AWS GuardDuty Detector Deletion
- AWS IAM API Calls via Temporary Session Tokens
- AWS IAM AdministratorAccess Policy Attached to Group
- AWS IAM AdministratorAccess Policy Attached to Role
- AWS IAM AdministratorAccess Policy Attached to User
- AWS IAM Assume Role Policy Update
- AWS IAM Brute Force of Assume Role Policy
- AWS IAM CompromisedKeyQuarantine Policy Attached to User
- AWS IAM Create User via Assumed Role on EC2 Instance
- AWS IAM Customer-Managed Policy Attached to Role by Rare User
- AWS IAM Deactivation of MFA Device
- AWS IAM Group Creation
- AWS IAM Group Deletion
- AWS IAM Login Profile Added for Root
- AWS IAM Login Profile Added to User
- AWS IAM Password Recovery Requested
- AWS IAM Roles Anywhere Profile Creation
- AWS IAM Roles Anywhere Trust Anchor Created with External CA
- AWS IAM SAML Provider Updated
- AWS IAM User Addition to Group
- AWS IAM User Created Access Keys For Another User
- AWS IAM Virtual MFA Device Registration Attempt with Session Token
- AWS KMS Customer Managed Key Disabled or Scheduled for Deletion
- AWS Lambda Function Created or Updated
- AWS Lambda Function Policy Updated to Allow Public Invocation
- AWS Lambda Layer Added to Existing Function
- AWS Management Console Brute Force of Root User Identity
- AWS Management Console Root Login
- AWS RDS Cluster Creation
- AWS RDS DB Instance Made Public
- AWS RDS DB Instance Restored
- AWS RDS DB Instance or Cluster Deletion Protection Disabled
- AWS RDS DB Instance or Cluster Password Modified
- AWS RDS DB Snapshot Created
- AWS RDS DB Snapshot Shared with Another Account
- AWS RDS Instance Creation
- AWS RDS Instance/Cluster Stoppage
- AWS RDS Security Group Creation
- AWS RDS Security Group Deletion
- AWS RDS Snapshot Deleted
- AWS RDS Snapshot Export
- AWS Redshift Cluster Creation
- AWS Root Login Without MFA
- AWS Route 53 Domain Transfer Lock Disabled
- AWS Route 53 Domain Transferred to Another Account
- AWS Route Table Created
- AWS Route53 private hosted zone associated with a VPC
- AWS S3 Bucket Configuration Deletion
- AWS S3 Bucket Enumeration or Brute Force
- AWS S3 Bucket Expiration Lifecycle Configuration Added
- AWS S3 Bucket Policy Added to Share with External Account
- AWS S3 Bucket Replicated to Another Account
- AWS S3 Bucket Server Access Logging Disabled
- AWS S3 Object Encryption Using External KMS Key
- AWS S3 Object Versioning Suspended
- AWS S3 Static Site JavaScript File Uploaded
- AWS S3 Unauthenticated Bucket Access by Rare Source
- AWS SNS Email Subscription by Rare User
- AWS SNS Topic Created by Rare User
- AWS SQS Queue Purge
- AWS SSM Command Document Created by Rare User
- AWS SSM SendCommand Execution by Rare User
- AWS SSM SendCommand with Run Shell Command Parameters
- AWS STS AssumeRole with New MFA Device
- AWS STS AssumeRoot by Rare User and Member Account
- AWS STS GetCallerIdentity API Called for the First Time
- AWS STS GetSessionToken Abuse
- AWS STS Role Assumption by Service
- AWS STS Role Assumption by User
- AWS STS Role Chaining
- AWS Service Quotas Multi-Region GetServiceQuota Requests
- AWS Signin Single Factor Console Login with Federated User
- AWS Systems Manager SecureString Parameter Request with Decryption Flag
- AWS VPC Flow Logs Deletion
- AWS WAF Access Control List Deletion
- AWS WAF Rule or Rule Group Deletion
- Abnormal Process ID or Lock File Created
- Abnormally Large DNS Response
- Accepted Default Telnet Port Connection
- Access Control List Modification via setfacl
- Access to a Sensitive LDAP Attribute
- Accessing Outlook Data Files
- Account Configured with Never-Expiring Password
- Account Discovery Command via SYSTEM Account
- Account Password Reset Remotely
- Account or Group Discovery via Built-In Tools
- Active Directory Forced Authentication from Linux Host - SMB Named Pipes
- Active Directory Group Modification by SYSTEM
- AdFind Command Activity
- Adding Hidden File Attribute via Attrib
- AdminSDHolder Backdoor
- AdminSDHolder SDProp Exclusion Added
- Administrator Privileges Assigned to an Okta Group
- Administrator Role Assigned to an Okta User
- Adobe Hijack Persistence
- Adversary Behavior - Detected - Elastic Endgame
- Agent Spoofing - Mismatched Agent ID
- Agent Spoofing - Multiple Hosts Using Same Agent
- Alternate Data Stream Creation/Execution at Volume Root Directory
- Anomalous Linux Compiler Activity
- Anomalous Process For a Linux Population
- Anomalous Process For a Windows Population
- Anomalous Windows Process Creation
- Apple Script Execution followed by Network Connection
- Apple Scripting Execution with Administrator Privileges
- Application Added to Google Workspace Domain
- Application Removed from Blocklist in Google Workspace
- Archive File with Unusual Extension
- At Job Created or Modified
- At.exe Command Lateral Movement
- Attempt to Clear Kernel Ring Buffer
- Attempt to Create Okta API Token
- Attempt to Deactivate an Okta Application
- Attempt to Deactivate an Okta Network Zone
- Attempt to Deactivate an Okta Policy
- Attempt to Deactivate an Okta Policy Rule
- Attempt to Delete an Okta Application
- Attempt to Delete an Okta Network Zone
- Attempt to Delete an Okta Policy
- Attempt to Delete an Okta Policy Rule
- Attempt to Disable Auditd Service
- Attempt to Disable Gatekeeper
- Attempt to Disable IPTables or Firewall
- Attempt to Disable Syslog Service
- Attempt to Enable the Root Account
- Attempt to Establish VSCode Remote Tunnel
- Attempt to Install Kali Linux via WSL
- Attempt to Install Root Certificate
- Attempt to Modify an Okta Application
- Attempt to Modify an Okta Network Zone
- Attempt to Modify an Okta Policy
- Attempt to Modify an Okta Policy Rule
- Attempt to Mount SMB Share via Command Line
- Attempt to Reset MFA Factors for an Okta User Account
- Attempt to Revoke Okta API Token
- Attempt to Unload Elastic Endpoint Security Kernel Extension
- Attempted Bypass of Okta MFA
- Attempted Private Key Access
- Attempts to Brute Force an Okta User Account
- Authentication via Unusual PAM Grantor
- Authorization Plugin Modification
- Azure AD Global Administrator Role Assigned
- Azure Active Directory High Risk User Sign-in Heuristic
- Azure Active Directory PowerShell Sign-in
- Azure Alert Suppression Rule Created or Modified
- Azure Application Credential Modification
- Azure Automation Account Created
- Azure Automation Runbook Created or Modified
- Azure Automation Runbook Deleted
- Azure Automation Webhook Created
- Azure Blob Container Access Level Modification
- Azure Blob Permissions Modification
- Azure Command Execution on Virtual Machine
- Azure Diagnostic Settings Deletion
- Azure Entra ID Rare App ID for Principal Authentication
- Azure Entra MFA TOTP Brute Force Attempts
- Azure Event Hub Authorization Rule Created or Updated
- Azure Event Hub Deletion
- Azure External Guest User Invitation
- Azure Firewall Policy Deletion
- Azure Frontdoor Web Application Firewall (WAF) Policy Deleted
- Azure Full Network Packet Capture Detected
- Azure Global Administrator Role Addition to PIM User
- Azure Key Vault Modified
- Azure Kubernetes Events Deleted
- Azure Kubernetes Pods Deleted
- Azure Kubernetes Rolebindings Created
- Azure Network Watcher Deletion
- Azure OpenAI Insecure Output Handling
- Azure Privilege Identity Management Role Modified
- Azure Resource Group Deletion
- Azure Storage Account Key Regenerated
- BPF filter applied using TC
- Backup Deletion with Wbadmin
- Base16 or Base32 Encoding/Decoding Activity
- Base64 Decoded Payload Piped to Interpreter
- Bash Shell Profile Modification
- Behavior - Detected - Elastic Defend
- Behavior - Prevented - Elastic Defend
- Binary Content Copy via cmd.exe
- Binary Executed from Shared Memory Directory
- Bitsadmin Activity
- BloodHound Suite User-Agents Detected
- Boot File copy
- Browser Extension Install
- Bypass UAC via Event Viewer
- CAP_SYS_ADMIN Assigned to Binary
- Chkconfig Service Add
- Clearing Windows Console History
- Clearing Windows Event Logs
- Cobalt Strike Command and Control Beacon
- Code Signing Policy Modification Through Built-in tools
- Code Signing Policy Modification Through Registry
- Command Execution via ForFiles
- Command Execution via SolarWinds Process
- Command Prompt Network Connection
- Command Shell Activity Started via RunDLL32
- Command and Scripting Interpreter via Windows Scripts
- Component Object Model Hijacking
- Compression DLL Loaded by Unusual Process
- Conhost Spawned By Suspicious Parent Process
- Connection to Commonly Abused Free SSL Certificate Providers
- Connection to Commonly Abused Web Services
- Connection to External Network via Telnet
- Connection to Internal Network via Telnet
- Container Management Utility Run Inside A Container
- Control Panel Process with Unusual Arguments
- Creation of Hidden Files and Directories via CommandLine
- Creation of Hidden Launch Agent or Daemon
- Creation of Hidden Login Item via Apple Script
- Creation of Hidden Shared Object File
- Creation of Kernel Module
- Creation of SettingContent-ms Files
- Creation of a DNS-Named Record
- Creation of a Hidden Local User Account
- Creation or Modification of Domain Backup DPAPI private key
- Creation or Modification of Pluggable Authentication Module or Configuration
- Creation or Modification of Root Certificate
- Creation or Modification of a new GPO Scheduled Task or Service
- Credential Acquisition via Registry Hive Dumping
- Credential Dumping - Detected - Elastic Endgame
- Credential Dumping - Prevented - Elastic Endgame
- Credential Manipulation - Detected - Elastic Endgame
- Credential Manipulation - Prevented - Elastic Endgame
- Cron Job Created or Modified
- Cupsd or Foomatic-rip Shell Execution
- Curl SOCKS Proxy Activity from Unusual Parent
- CyberArk Privileged Access Security Error
- CyberArk Privileged Access Security Recommended Monitor
- D-Bus Service Created
- DNF Package Manager Plugin File Creation
- DNS Global Query Block List Modified or Disabled
- DNS Tunneling
- DNS-over-HTTPS Enabled via Registry
- DPKG Package Installed by Unusual Parent Process
- Decline in host-based traffic
- Default Cobalt Strike Team Server Certificate
- Delayed Execution via Ping
- Delegated Managed Service Account Modification by an Unusual User
- Delete Volume USN Journal with Fsutil
- Deprecated - AWS EC2 Snapshot Activity
- Deprecated - Azure Entra Sign-in Brute Force Microsoft 365 Accounts by Repeat Source
- Deprecated - Azure Virtual Network Device Modified or Deleted
- Deprecated - LaunchDaemon Creation or Modification and Immediate Loading
- Deprecated - Suspicious File Creation in /etc for Persistence
- Directory Creation in /bin directory
- Disable Windows Event and Security Logs Using Built-in Tools
- Disable Windows Firewall Rules via Netsh
- Disabling Lsa Protection via Registry Modification
- Disabling User Account Control via Registry Modification
- Disabling Windows Defender Security Settings via PowerShell
- Discovery of Domain Groups
- Discovery of Internet Capabilities via Built-in Tools
- Docker Escape via Nsenter
- Docker Release File Creation
- Docker Socket Enumeration
- Domain Added to Google Workspace Trusted Domains
- Downloaded Shortcut Files
- Downloaded URL Files
- Dracut Module Creation
- Dumping Account Hashes via Built-In Commands
- Dumping of Keychain Content via Security Command
- Dynamic IEX Reconstruction via Method String Access
- Dynamic Linker (ld.so) Creation
- Dynamic Linker Copy
- Dynamic Linker Creation or Modification
- EC2 AMI Shared with Another Account
- ESXI Discovery via Find
- ESXI Discovery via Grep
- ESXI Timestomping using Touch Command
- EggShell Backdoor Execution
- Egress Connection from Entrypoint in Container
- Elastic Agent Service Terminated
- Emond Rules Creation or Modification
- Enable Host Network Discovery via Netsh
- Encoded Executable Stored in the Registry
- Encrypting Files with WinRar or 7z
- Endpoint Security (Elastic Defend)
- Entra ID Device Code Auth with Broker Client
- Entra ID Protection - Risk Detection - Sign-in Risk
- Entra ID Protection - Risk Detection - User Risk
- Enumerating Domain Trusts via DSQUERY.EXE
- Enumerating Domain Trusts via NLTEST.EXE
- Enumeration Command Spawned via WMIPrvSE
- Enumeration of Administrator Accounts
- Enumeration of Kernel Modules
- Enumeration of Kernel Modules via Proc
- Enumeration of Privileged Local Groups Membership
- Enumeration of Users or Groups via Built-in Commands
- Excessive AWS S3 Object Encryption with SSE-C
- Exchange Mailbox Export via PowerShell
- Executable Bit Set for Potential Persistence Script
- Executable File Creation with Multiple Extensions
- Executable File with Unusual Extension
- Executable Masquerading as Kernel Process
- Execution from Unusual Directory - Command Line
- Execution from a Removable Media with Network Connection
- Execution of COM object via Xwizard
- Execution of File Written or Modified by Microsoft Office
- Execution of File Written or Modified by PDF Reader
- Execution of Persistent Suspicious Program
- Execution of a Downloaded Windows Script
- Execution of an Unsigned Service
- Execution via Electron Child Process Node.js Module
- Execution via MS VisualStudio Pre/Post Build Events
- Execution via MSSQL xp_cmdshell Stored Procedure
- Execution via Microsoft DotNet ClickOnce Host
- Execution via TSClient Mountpoint
- Execution via Windows Command Debugging Utility
- Execution via Windows Subsystem for Linux
- Execution via local SxS Shared Module
- Execution with Explicit Credentials via Scripting
- Expired or Revoked Driver Loaded
- Exploit - Detected - Elastic Endgame
- Exploit - Prevented - Elastic Endgame
- Exporting Exchange Mailbox via PowerShell
- External Alerts
- External IP Lookup from Non-Browser Process
- External User Added to Google Workspace Group
- File Compressed or Archived into Common Format by Unsigned Process
- File Creation Time Changed
- File Creation by Cups or Foomatic-rip Child
- File Creation in /var/log via Suspicious Process
- File Creation, Execution and Self-Deletion in Suspicious Directory
- File Deletion via Shred
- File Made Executable via Chmod Inside A Container
- File Permission Modification in Writable Directory
- File Staged in Root Folder of Recycle Bin
- File System Debugger Launched Inside a Container
- File Transfer or Listener Established via Netcat
- File and Directory Permissions Modification
- File made Immutable by Chattr
- File or Directory Deletion Command
- File with Right-to-Left Override Character (RTLO) Created/Executed
- File with Suspicious Extension Downloaded
- Finder Sync Plugin Registered and Enabled
- First Occurrence GitHub Event for a Personal Access Token (PAT)
- First Occurrence of Entra ID Auth via DeviceCode Protocol
- First Occurrence of GitHub Repo Interaction From a New IP
- First Occurrence of GitHub User Interaction with Private Repo
- First Occurrence of IP Address For GitHub Personal Access Token (PAT)
- First Occurrence of IP Address For GitHub User
- First Occurrence of Okta User Session Started via Proxy
- First Occurrence of Personal Access Token (PAT) Use For a GitHub User
- First Occurrence of Private Repo Event from Specific GitHub Personal Access Token (PAT)
- First Occurrence of STS GetFederationToken Request by User
- First Occurrence of User Agent For a GitHub Personal Access Token (PAT)
- First Occurrence of User-Agent For a GitHub User
- First Time AWS CloudFormation Stack Creation by User
- First Time Seen AWS Secret Value Accessed in Secrets Manager
- First Time Seen Commonly Abused Remote Access Tool Execution
- First Time Seen Driver Loaded
- First Time Seen Google Workspace OAuth Login from Third-Party Application
- First Time Seen NewCredentials Logon Process
- First Time Seen Removable Device
- FirstTime Seen Account Performing DCSync
- Forwarded Google Workspace Security Alert
- Full User-Mode Dumps Enabled System-Wide
- GCP Firewall Rule Creation
- GCP Firewall Rule Deletion
- GCP Firewall Rule Modification
- GCP IAM Custom Role Creation
- GCP IAM Role Deletion
- GCP IAM Service Account Key Deletion
- GCP Logging Bucket Deletion
- GCP Logging Sink Deletion
- GCP Logging Sink Modification
- GCP Pub/Sub Subscription Creation
- GCP Pub/Sub Subscription Deletion
- GCP Pub/Sub Topic Creation
- GCP Pub/Sub Topic Deletion
- GCP Service Account Creation
- GCP Service Account Deletion
- GCP Service Account Disabled
- GCP Service Account Key Creation
- GCP Storage Bucket Configuration Modification
- GCP Storage Bucket Deletion
- GCP Storage Bucket Permissions Modification
- GCP Virtual Private Cloud Network Deletion
- GCP Virtual Private Cloud Route Creation
- GCP Virtual Private Cloud Route Deletion
- GRUB Configuration File Creation
- GRUB Configuration Generation through Built-in Utilities
- Git Hook Child Process
- Git Hook Command Execution
- Git Hook Created or Modified
- Git Hook Egress Network Connection
- Git Repository or File Download to Suspicious Directory
- GitHub App Deleted
- GitHub Owner Role Granted To User
- GitHub PAT Access Revoked
- GitHub Protected Branch Settings Changed
- GitHub Repo Created
- GitHub Repository Deleted
- GitHub UEBA - Multiple Alerts from a GitHub Account
- GitHub User Blocked From Organization
- Google Drive Ownership Transferred via Google Workspace
- Google Workspace 2SV Policy Disabled
- Google Workspace API Access Granted via Domain-Wide Delegation
- Google Workspace Admin Role Assigned to a User
- Google Workspace Admin Role Deletion
- Google Workspace Bitlocker Setting Disabled
- Google Workspace Custom Admin Role Created
- Google Workspace Custom Gmail Route Created or Modified
- Google Workspace Drive Encryption Key(s) Accessed from Anonymous User
- Google Workspace MFA Enforcement Disabled
- Google Workspace Object Copied to External Drive with App Consent
- Google Workspace Password Policy Modified
- Google Workspace Restrictions for Marketplace Modified to Allow Any App
- Google Workspace Role Modified
- Google Workspace Suspended User Account Renewed
- Google Workspace User Organizational Unit Changed
- Group Policy Abuse for Privilege Addition
- Group Policy Discovery via Microsoft GPResult Utility
- Halfbaked Command and Control Beacon
- Hidden Directory Creation via Unusual Parent
- Hidden Files and Directories via Hidden Flag
- High Command Line Entropy Detected for Privileged Commands
- High Mean of Process Arguments in an RDP Session
- High Mean of RDP Session Duration
- High Number of Cloned GitHub Repos From PAT
- High Number of Egress Network Connections from Unusual Executable
- High Number of Okta Device Token Cookies Generated for Authentication
- High Number of Okta User Password Reset or Unlock Attempts
- High Number of Process Terminations
- High Number of Process and/or Service Terminations
- High Variance in RDP Session Duration
- Host Detected with Suspicious Windows Process(es)
- Host Files System Changes via Windows Subsystem for Linux
- Hosts File Modified
- Hping Process Activity
- IIS HTTP Logging Disabled
- IPSEC NAT Traversal Port Activity
- IPv4/IPv6 Forwarding Activity
- Image File Execution Options Injection
- Image Loaded with Invalid Signature
- ImageLoad via Windows Update Auto Update Client
- Inbound Connection to an Unsecure Elasticsearch Node
- Incoming DCOM Lateral Movement via MSHTA
- Incoming DCOM Lateral Movement with MMC
- Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows
- Incoming Execution via PowerShell Remoting
- Incoming Execution via WinRM Remote Shell
- Indirect Command Execution via Forfiles/Pcalua
- Ingress Transfer via Windows BITS
- Initramfs Extraction via CPIO
- Initramfs Unpacking via unmkinitramfs
- Insecure AWS EC2 VPC Security Group Ingress Rule Added
- InstallUtil Activity
- InstallUtil Process Making Network Connections
- Installation of Custom Shim Databases
- Installation of Security Support Provider
- Interactive Logon by an Unusual Process
- Interactive Terminal Spawned via Perl
- Interactive Terminal Spawned via Python
- KRBTGT Delegation Backdoor
- Kerberos Cached Credentials Dumping
- Kerberos Pre-authentication Disabled for User
- Kerberos Traffic from Unusual Process
- Kernel Driver Load
- Kernel Driver Load by non-root User
- Kernel Load or Unload via Kexec Detected
- Kernel Module Load via insmod
- Kernel Module Removal
- Kernel Object File Creation
- Kernel Seeking Activity
- Kernel Unpacking Activity
- Keychain CommandLine Interaction via Unsigned or Untrusted Process
- Keychain Password Retrieval via Command Line
- Kill Command Execution
- Kirbi File Creation
- Kubeconfig File Creation or Modification
- Kubeconfig File Discovery
- Kubectl Permission Discovery
- Kubernetes Anonymous Request Authorized
- Kubernetes Container Created with Excessive Linux Capabilities
- Kubernetes Denied Service Account Request
- Kubernetes Exposed Service Created With Type NodePort
- Kubernetes Pod Created With HostIPC
- Kubernetes Pod Created With HostNetwork
- Kubernetes Pod Created With HostPID
- Kubernetes Pod Created with a Sensitive hostPath Volume
- Kubernetes Privileged Pod Created
- Kubernetes Service Account Secret Access
- Kubernetes Suspicious Assignment of Controller Service Account
- Kubernetes Suspicious Self-Subject Review
- Kubernetes User Exec into Pod
- LSASS Memory Dump Creation
- LSASS Memory Dump Handle Access
- LSASS Process Access via Windows API
- Lateral Movement via Startup Folder
- Launch Service Creation and Immediate Loading
- Linux Clipboard Activity Detected
- Linux Group Creation
- Linux Process Hooking via GDB
- Linux Restricted Shell Breakout via Linux Binary(s)
- Linux SSH X11 Forwarding
- Linux System Information Discovery
- Linux System Information Discovery via Getconf
- Linux Telegram API Request
- Linux User Account Creation
- Linux User Account Credential Modification
- Linux User Added to Privileged Group
- Linux init (PID 1) Secret Dump via GDB
- Loadable Kernel Module Configuration File Creation
- Local Account TokenFilter Policy Disabled
- Local Scheduled Task Creation
- Login via Unusual System User
- M365 OneDrive Excessive File Downloads with OAuth Token
- MFA Deactivation with no Re-Activation for Okta User Account
- MFA Disabled for Google Workspace Organization
- MS Office Macro Security Registry Modifications
- Machine Learning Detected DGA activity using a known SUNBURST DNS domain
- Machine Learning Detected a DNS Request Predicted to be a DGA Domain
- Machine Learning Detected a DNS Request With a High DGA Probability Score
- Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score
- Machine Learning Detected a Suspicious Windows Event with a Low Malicious Probability Score
- Malicious File - Detected - Elastic Defend
- Malicious File - Prevented - Elastic Defend
- Malware - Detected - Elastic Endgame
- Malware - Prevented - Elastic Endgame
- Manual Dracut Execution
- Manual Memory Dumping via Proc Filesystem
- Manual Mount Discovery via /etc/exports or /etc/fstab
- Masquerading Space After Filename
- Member Removed From GitHub Organization
- Memory Dump File with Unusual Extension
- Memory Swap Modification
- Memory Threat - Detected - Elastic Defend
- Memory Threat - Prevented - Elastic Defend
- Message-of-the-Day (MOTD) File Creation
- Microsoft 365 Brute Force via Entra ID Sign-Ins
- Microsoft 365 Exchange Anti-Phish Policy Deletion
- Microsoft 365 Exchange Anti-Phish Rule Modification
- Microsoft 365 Exchange DKIM Signing Configuration Disabled
- Microsoft 365 Exchange DLP Policy Removed
- Microsoft 365 Exchange Malware Filter Policy Deletion
- Microsoft 365 Exchange Malware Filter Rule Modification
- Microsoft 365 Exchange Management Group Role Assignment
- Microsoft 365 Exchange Safe Attachment Rule Disabled
- Microsoft 365 Exchange Safe Link Policy Disabled
- Microsoft 365 Exchange Transport Rule Creation
- Microsoft 365 Exchange Transport Rule Modification
- Microsoft 365 Global Administrator Role Assigned
- Microsoft 365 Illicit Consent Grant via Registered Application
- Microsoft 365 Inbox Forwarding Rule Created
- Microsoft 365 OAuth Phishing via Visual Studio Code Client
- Microsoft 365 OAuth Redirect to Device Registration for User Principal
- Microsoft 365 Portal Login from Rare Location
- Microsoft 365 Portal Logins from Impossible Travel Locations
- Microsoft 365 Potential ransomware activity
- Microsoft 365 Suspicious Inbox Rule to Delete or Move Emails
- Microsoft 365 Teams Custom Application Interaction Allowed
- Microsoft 365 Teams External Access Enabled
- Microsoft 365 Teams Guest Access Enabled
- Microsoft 365 Unusual Volume of File Deletion
- Microsoft 365 User Restricted from Sending Email
- Microsoft Azure or Mail Sign-in from a Suspicious Source
- Microsoft Build Engine Started an Unusual Process
- Microsoft Build Engine Started by a Script Process
- Microsoft Build Engine Started by a System Process
- Microsoft Build Engine Started by an Office Application
- Microsoft Build Engine Using an Alternate Name
- Microsoft Entra ID Concurrent Sign-Ins with Suspicious Properties
- Microsoft Entra ID Conditional Access Policy (CAP) Modified
- Microsoft Entra ID Elevated Access to User Access Administrator
- Microsoft Entra ID Exccessive Account Lockouts Detected
- Microsoft Entra ID High Risk Sign-in
- Microsoft Entra ID Illicit Consent Grant via Registered Application
- Microsoft Entra ID OAuth Phishing via Visual Studio Code Client
- Microsoft Entra ID Protection - Risk Detections
- Microsoft Entra ID Rare Authentication Requirement for Principal User
- Microsoft Entra ID Service Principal Created
- Microsoft Entra ID Service Principal Credentials Added by Rare User
- Microsoft Entra ID Session Reuse with Suspicious Graph Access
- Microsoft Entra ID SharePoint Access for User Principal via Auth Broker
- Microsoft Entra ID Sign-In Brute Force Activity
- Microsoft Entra ID User Reported Suspicious Activity
- Microsoft Exchange Server UM Spawning Suspicious Processes
- Microsoft Exchange Server UM Writing Suspicious Files
- Microsoft Exchange Transport Agent Install Script
- Microsoft Exchange Worker Spawning Suspicious Processes
- Microsoft Graph First Occurrence of Client Request
- Microsoft IIS Connection Strings Decryption
- Microsoft IIS Service Account Password Dumped
- Microsoft Management Console File from Unusual Path
- Microsoft Windows Defender Tampering
- Mimikatz Memssp Log File Detected
- Modification of AmsiEnable Registry Key
- Modification of Boot Configuration
- Modification of Dynamic Linker Preload Shared Object
- Modification of Environment Variable via Unsigned or Untrusted Parent
- Modification of OpenSSH Binaries
- Modification of Safari Settings via Defaults Command
- Modification of Standard Authentication Module or Configuration
- Modification of WDigest Security Provider
- Modification of the msPKIAccountCredentials
- Modification or Removal of an Okta Application Sign-On Policy
- Mofcomp Activity
- Mount Launched Inside a Container
- Mounting Hidden or WebDav Remote Shares
- MsBuild Making Network Connections
- Mshta Making Network Connections
- MsiExec Service Child Process With Network Connection
- Multi-Factor Authentication Disabled for an Azure User
- Multiple Alerts Involving a User
- Multiple Alerts in Different ATT&CK Tactics on a Single Host
- Multiple Device Token Hashes for Single Okta Session
- Multiple Logon Failure Followed by Logon Success
- Multiple Logon Failure from the same Source Address
- Multiple Microsoft 365 User Account Lockouts in Short Time Window
- Multiple Microsoft Entra ID Protection Alerts by User Principal
- Multiple Okta Sessions Detected for a Single User
- Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy
- Multiple Okta User Authentication Events with Client Address
- Multiple Okta User Authentication Events with Same Device Token Hash
- Multiple Vault Web Credentials Read
- My First Rule
- NTDS Dump via Wbadmin
- NTDS or SAM Database File Copied
- Namespace Manipulation Using Unshare
- Netcat Listener Established via rlwrap
- Netsh Helper DLL
- Network Activity Detected via Kworker
- Network Activity Detected via Cat
- Network Connection Initiated by SSHD Child Process
- Network Connection by Cups or Foomatic-rip Child
- Network Connection from Binary with RWX Memory Region
- Network Connection via Certutil
- Network Connection via Compiled HTML File
- Network Connection via MsXsl
- Network Connection via Recently Compiled Executable
- Network Connection via Registration Utility
- Network Connection via Signed Binary
- Network Connection via Sudo Binary
- Network Connections Initiated Through XDG Autostart Entry
- Network Logon Provider Registry Modification
- Network Traffic Capture via CAP_NET_RAW
- Network Traffic to Rare Destination Country
- Network-Level Authentication (NLA) Disabled
- NetworkManager Dispatcher Script Creation
- New ActiveSyncAllowedDeviceID Added via PowerShell
- New GitHub App Installed
- New GitHub Owner Added
- New Okta Authentication Behavior Detected
- New Okta Identity Provider (IdP) Added by Admin
- New User Added To GitHub Organization
- New or Modified Federation Domain
- Nping Process Activity
- NullSessionPipe Registry Modification
- O365 Email Reported by User as Malware or Phish
- O365 Excessive Single Sign-On Logon Errors
- O365 Mailbox Audit Logging Bypass
- Office Test Registry Persistence
- Okta Brute Force or Password Spraying Attack
- Okta FastPass Phishing Detection
- Okta Sign-In Events via Third-Party IdP
- Okta ThreatInsight Threat Suspected Promotion
- Okta User Session Impersonation
- Okta User Sessions Started from Different Geolocations
- OneDrive Malware File Upload
- OpenSSL Password Hash Generation
- Openssl Client or Server Activity
- Outbound Scheduled Task Activity via PowerShell
- Outlook Home Page Registry Modification
- Parent Process Detected with Suspicious Windows Process(es)
- Parent Process PID Spoofing
- Peripheral Device Discovery
- Permission Theft - Detected - Elastic Endgame
- Permission Theft - Prevented - Elastic Endgame
- Persistence via BITS Job Notify Cmdline
- Persistence via DirectoryService Plugin Modification
- Persistence via Docker Shortcut Modification
- Persistence via Folder Action Script
- Persistence via Hidden Run Key Detected
- Persistence via KDE AutoStart Script or Desktop File Modification
- Persistence via Login or Logout Hook
- Persistence via Microsoft Office AddIns
- Persistence via Microsoft Outlook VBA
- Persistence via PowerShell profile
- Persistence via Scheduled Job Creation
- Persistence via TelemetryController Scheduled Task Hijack
- Persistence via Update Orchestrator Service Hijack
- Persistence via WMI Event Subscription
- Persistence via WMI Standard Registry Provider
- Persistence via a Windows Installer
- Persistent Scripts in the Startup Directory
- Pluggable Authentication Module (PAM) Creation in Unusual Directory
- Pluggable Authentication Module (PAM) Source Download
- Pluggable Authentication Module (PAM) Version Discovery
- Polkit Policy Creation
- Polkit Version Discovery
- Port Forwarding Rule Addition
- Possible FIN7 DGA Command and Control Behavior
- Possible Okta DoS Attack
- Potential ADIDNS Poisoning via Wildcard Record Creation
- Potential AWS S3 Bucket Ransomware Note Uploaded
- Potential Abuse of Resources by High Token Count and Large Response Sizes
- Potential Active Directory Replication Account Backdoor
- Potential Admin Group Account Addition
- Potential Antimalware Scan Interface Bypass via PowerShell
- Potential Application Shimming via Sdbinst
- Potential Azure OpenAI Model Theft
- Potential Backdoor Execution Through PAM_EXEC
- Potential Buffer Overflow Attack Detected
- Potential CVE-2025-33053 Exploitation
- Potential Chroot Container Escape via Mount
- Potential Code Execution via Postgresql
- Potential Command and Control via Internet Explorer
- Potential Cookies Theft via Browser Debugging
- Potential Credential Access via DCSync
- Potential Credential Access via DuplicateHandle in LSASS
- Potential Credential Access via LSASS Memory Dump
- Potential Credential Access via Memory Dump File Creation
- Potential Credential Access via Renamed COM+ Services DLL
- Potential Credential Access via Trusted Developer Utility
- Potential Credential Access via Windows Utilities
- Potential DGA Activity
- Potential DLL Side-Loading via Microsoft Antimalware Service Executable
- Potential DLL Side-Loading via Trusted Microsoft Programs
- Potential DNS Tunneling via NsLookup
- Potential Data Exfiltration Activity to an Unusual Destination Port
- Potential Data Exfiltration Activity to an Unusual IP Address
- Potential Data Exfiltration Activity to an Unusual ISO Code
- Potential Data Exfiltration Activity to an Unusual Region
- Potential Data Exfiltration Through Curl
- Potential Data Splitting Detected
- Potential Defense Evasion via CMSTP.exe
- Potential Defense Evasion via Doas
- Potential Defense Evasion via PRoot
- Potential Denial of Azure OpenAI ML Service
- Potential Disabling of AppArmor
- Potential Disabling of SELinux
- Potential Dynamic IEX Reconstruction via Environment Variables
- Potential Enumeration via Active Directory Web Service
- Potential Escalation via Vulnerable MSI Repair
- Potential Evasion via Filter Manager
- Potential Evasion via Windows Filtering Platform
- Potential Execution of rc.local Script
- Potential Execution via XZBackdoor
- Potential Exploitation of an Unquoted Service Path Vulnerability
- Potential External Linux SSH Brute Force Detected
- Potential File Download via a Headless Browser
- Potential File Transfer via Certreq
- Potential File Transfer via Curl for Windows
- Potential Foxmail Exploitation
- Potential Hex Payload Execution via Command-Line
- Potential Hex Payload Execution via Common Utility
- Potential Hidden Local User Account Creation
- Potential Hidden Process via Mount Hidepid
- Potential Internal Linux SSH Brute Force Detected
- Potential Invoke-Mimikatz PowerShell Script
- Potential JAVA/JNDI Exploitation Attempt
- Potential Kerberos Attack via Bifrost
- Potential Kerberos Coercion via DNS-Based SPN Spoofing
- Potential Kerberos SPN Spoofing via Suspicious DNS Query
- Potential LSA Authentication Package Abuse
- Potential LSASS Clone Creation via PssCaptureSnapShot
- Potential LSASS Memory Dump via PssCaptureSnapShot
- Potential Lateral Tool Transfer via SMB Share
- Potential Linux Backdoor User Account Creation
- Potential Linux Credential Dumping via Proc Filesystem
- Potential Linux Credential Dumping via Unshadow
- Potential Linux Hack Tool Launched
- Potential Linux Local Account Brute Force Detected
- Potential Linux Ransomware Note Creation Detected
- Potential Linux Tunneling and/or Port Forwarding
- Potential Linux Tunneling and/or Port Forwarding via SSH Option
- Potential Local NTLM Relay via HTTP
- Potential Machine Account Relay Attack via SMB
- Potential Malicious PowerShell Based on Alert Correlation
- Potential Malware-Driven SSH Brute Force Attempt
- Potential Masquerading as Browser Process
- Potential Masquerading as Business App Installer
- Potential Masquerading as Communication Apps
- Potential Masquerading as System32 DLL
- Potential Masquerading as System32 Executable
- Potential Masquerading as VLC DLL
- Potential Memory Seeking Activity
- Potential Meterpreter Reverse Shell
- Potential Microsoft 365 User Account Brute Force
- Potential Microsoft Office Sandbox Evasion
- Potential Modification of Accessibility Binaries
- Potential NetNTLMv1 Downgrade Attack
- Potential Network Scan Detected
- Potential Network Scan Executed From Host
- Potential Network Share Discovery
- Potential Network Sweep Detected
- Potential Non-Standard Port HTTP/HTTPS Connection
- Potential Non-Standard Port SSH Connection
- Potential Okta MFA Bombing via Push Notifications
- Potential OpenSSH Backdoor Logging Activity
- Potential Outgoing RDP connection by Unusual Process
- Potential Pass-the-Hash (PtH) Attempt
- Potential Persistence via Atom Init Script Modification
- Potential Persistence via File Modification
- Potential Persistence via Login Hook
- Potential Persistence via Periodic Tasks
- Potential Persistence via Time Provider Modification
- Potential Port Monitor or Print Processor Registration Abuse
- Potential Port Scanning Activity from Compromised Host
- Potential PowerShell HackTool Script by Author
- Potential PowerShell HackTool Script by Function Names
- Potential PowerShell Obfuscated Script
- Potential PowerShell Obfuscation via Backtick-Escaped Variable Expansion
- Potential PowerShell Obfuscation via Character Array Reconstruction
- Potential PowerShell Obfuscation via Concatenated Dynamic Command Invocation
- Potential PowerShell Obfuscation via High Numeric Character Proportion
- Potential PowerShell Obfuscation via High Special Character Proportion
- Potential PowerShell Obfuscation via Invalid Escape Sequences
- Potential PowerShell Obfuscation via Reverse Keywords
- Potential PowerShell Obfuscation via Special Character Overuse
- Potential PowerShell Obfuscation via String Concatenation
- Potential PowerShell Obfuscation via String Reordering
- Potential PowerShell Pass-the-Hash/Relay Script
- Potential Privacy Control Bypass via Localhost Secure Copy
- Potential Privacy Control Bypass via TCCDB Modification
- Potential Privilege Escalation through Writable Docker Socket
- Potential Privilege Escalation via CVE-2023-4911
- Potential Privilege Escalation via Container Misconfiguration
- Potential Privilege Escalation via Enlightenment
- Potential Privilege Escalation via InstallerFileTakeOver
- Potential Privilege Escalation via Linux DAC permissions
- Potential Privilege Escalation via OverlayFS
- Potential Privilege Escalation via PKEXEC
- Potential Privilege Escalation via Python cap_setuid
- Potential Privilege Escalation via Recently Compiled Executable
- Potential Privilege Escalation via Service ImagePath Modification
- Potential Privilege Escalation via Sudoers File Modification
- Potential Privilege Escalation via UID INT_MAX Bug Detected
- Potential Privileged Escalation via SamAccountName Spoofing
- Potential Process Injection from Malicious Document
- Potential Process Injection via PowerShell
- Potential Process Name Stomping with Prctl
- Potential Protocol Tunneling via Chisel Client
- Potential Protocol Tunneling via Chisel Server
- Potential Protocol Tunneling via EarthWorm
- Potential Pspy Process Monitoring Detected
- Potential Ransomware Behavior - High Count of Readme files by System
- Potential Ransomware Note File Dropped via SMB
- Potential Relay Attack against a Domain Controller
- Potential Remote Code Execution via Web Server
- Potential Remote Credential Access via Registry
- Potential Remote Desktop Shadowing Activity
- Potential Remote Desktop Tunneling Detected
- Potential Remote File Execution via MSIEXEC
- Potential RemoteMonologue Attack
- Potential Reverse Shell
- Potential Reverse Shell Activity via Terminal
- Potential Reverse Shell via Background Process
- Potential Reverse Shell via Child
- Potential Reverse Shell via Java
- Potential Reverse Shell via Suspicious Binary
- Potential Reverse Shell via Suspicious Child Process
- Potential Reverse Shell via UDP
- Potential SSH-IT SSH Worm Downloaded
- Potential SYN-Based Port Scan Detected
- Potential Secure File Deletion via SDelete Utility
- Potential Shadow Credentials added to AD Object
- Potential Shadow File Read via Command Line Utilities
- Potential SharpRDP Behavior
- Potential Shell via Wildcard Injection Detected
- Potential Subnet Scanning Activity from Compromised Host
- Potential Successful Linux FTP Brute Force Attack Detected
- Potential Successful Linux RDP Brute Force Attack Detected
- Potential Successful SSH Brute Force Attack
- Potential Sudo Hijacking
- Potential Sudo Privilege Escalation via CVE-2019-14287
- Potential Sudo Token Manipulation via Process Injection
- Potential Suspicious DebugFS Root Device Access
- Potential Suspicious File Edit
- Potential Unauthorized Access via Wildcard Injection Detected
- Potential Upgrade of Non-interactive Shell
- Potential Veeam Credential Access Command
- Potential WPAD Spoofing via DNS Record Creation
- Potential WSUS Abuse for Lateral Movement
- Potential Widespread Malware Infection Across Multiple Hosts
- Potential Windows Error Manager Masquerading
- Potential Windows Session Hijacking via CcmExec
- Potential curl CVE-2023-38545 Exploitation
- Potential macOS SSH Brute Force Detected
- Potential privilege escalation via CVE-2022-38028
- Potentially Successful MFA Bombing via Push Notifications
- Potentially Suspicious Process Started via tmux or screen
- PowerShell Invoke-NinjaCopy script
- PowerShell Kerberos Ticket Dump
- PowerShell Kerberos Ticket Request
- PowerShell Keylogging Script
- PowerShell Mailbox Collection Script
- PowerShell MiniDump Script
- PowerShell Obfuscation via Negative Index String Reversal
- PowerShell PSReflect Script
- PowerShell Script Block Logging Disabled
- PowerShell Script with Archive Compression Capabilities
- PowerShell Script with Discovery Capabilities
- PowerShell Script with Encryption/Decryption Capabilities
- PowerShell Script with Log Clear Capabilities
- PowerShell Script with Password Policy Discovery Capabilities
- PowerShell Script with Remote Execution Capabilities via WinRM
- PowerShell Script with Token Impersonation Capabilities
- PowerShell Script with Veeam Credential Access Capabilities
- PowerShell Script with Webcam Video Capture Capabilities
- PowerShell Script with Windows Defender Tampering Capabilities
- PowerShell Share Enumeration Script
- PowerShell Suspicious Discovery Related Windows API Functions
- PowerShell Suspicious Payload Encoded and Compressed
- PowerShell Suspicious Script with Audio Capture Capabilities
- PowerShell Suspicious Script with Clipboard Retrieval Capabilities
- PowerShell Suspicious Script with Screenshot Capabilities
- Printer User (lp) Shell Execution
- Private Key Searching Activity
- Privilege Escalation via CAP_CHOWN/CAP_FOWNER Capabilities
- Privilege Escalation via CAP_SETUID/SETGID Capabilities
- Privilege Escalation via GDB CAP_SYS_PTRACE
- Privilege Escalation via Named Pipe Impersonation
- Privilege Escalation via Rogue Named Pipe Impersonation
- Privilege Escalation via Root Crontab File Modification
- Privilege Escalation via SUID/SGID
- Privilege Escalation via Windir Environment Variable
- Privileged Account Brute Force
- Privileged Docker Container Creation
- Privileges Elevation via Parent Process PID Spoofing
- Process Activity via Compiled HTML File
- Process Backgrounded by Unusual Parent
- Process Capability Enumeration
- Process Capability Set via setcap Utility
- Process Created with a Duplicated Token
- Process Created with an Elevated Token
- Process Creation via Secondary Logon
- Process Discovery Using Built-in Tools
- Process Discovery via Built-In Applications
- Process Execution from an Unusual Directory
- Process Injection - Detected - Elastic Endgame
- Process Injection - Prevented - Elastic Endgame
- Process Injection by the Microsoft Build Engine
- Process Spawned from Message-of-the-Day (MOTD)
- Process Started from Process ID (PID) File
- Process Started with Executable Stack
- Process Termination followed by Deletion
- Processes with Trailing Spaces
- Program Files Directory Masquerading
- Prompt for Credentials with Osascript
- Proxychains Activity
- PsExec Network Connection
- Python Path File (pth) Creation
- Python Site or User Customize File Creation
- Quarantine Attrib Removed by Unsigned or Untrusted Process
- Query Registry using Built-in Tools
- RDP (Remote Desktop Protocol) from the Internet
- RDP Enabled via Registry
- ROT Encoded Python Script Execution
- RPC (Remote Procedure Call) from the Internet
- RPC (Remote Procedure Call) to the Internet
- RPM Package Installed by Unusual Parent Process
- Ransomware - Detected - Elastic Defend
- Ransomware - Detected - Elastic Endgame
- Ransomware - Prevented - Elastic Defend
- Ransomware - Prevented - Elastic Endgame
- Rapid Secret Retrieval Attempts from AWS SecretsManager
- Rapid7 Threat Command CVEs Correlation
- Rare AWS Error Code
- Rare Connection to WebDAV Target
- Rare SMB Connection to the Internet
- Rare User Logon
- Registry Persistence via Appcert DLL
- Registry Persistence via AppInit DLL
- Remote Computer Account DnsHostName Update
- Remote Desktop Enabled in Windows Firewall by Netsh
- Remote Desktop File Opened from Suspicious Path
- Remote Execution via File Shares
- Remote File Copy to a Hidden Share
- Remote File Copy via TeamViewer
- Remote File Creation in World Writeable Directory
- Remote File Download via Desktopimgdownldr Utility
- Remote File Download via MpCmdRun
- Remote File Download via PowerShell
- Remote File Download via Script Interpreter
- Remote SSH Login Enabled via systemsetup Command
- Remote Scheduled Task Creation
- Remote Scheduled Task Creation via RPC
- Remote System Discovery Commands
- Remote Windows Service Installed
- Remote XSL Script Execution via COM
- Remotely Started Services via RPC
- Renamed AutoIt Scripts Interpreter
- Renamed Utility Executed with Short Program Name
- Root Certificate Installation
- Root Network Connection via GDB CAP_SYS_PTRACE
- Roshal Archive (RAR) or PowerShell File Downloaded from the Internet
- Route53 Resolver Query Log Configuration Deleted
- SELinux Configuration Creation or Renaming
- SIP Provider Modification
- SMB (Windows File Sharing) Activity to the Internet
- SMB Connections via LOLBin or Untrusted Process
- SMTP on Port 26/TCP
- SNS Topic Message Publish by Rare User
- SSH Authorized Keys File Deletion
- SSH Authorized Keys File Modification
- SSH Key Generated via ssh-keygen
- SSH Process Launched From Inside A Container
- SSL Certificate Deletion
- SSM Session Started to EC2 Instance
- SUID/SGID Bit Set
- SUID/SGUID Enumeration Detected
- SUNBURST Command and Control Activity
- Scheduled Task Created by a Windows Script
- Scheduled Task Execution at Scale via GPO
- Scheduled Tasks AT Command Enabled
- ScreenConnect Server Spawning Suspicious Processes
- Screensaver Plist File Modified by Unexpected Process
- Script Execution via Microsoft HTML Application
- SeDebugPrivilege Enabled by a Suspicious Process
- Searching for Saved Credentials via VaultCmd
- Security File Access via Common Utilities
- Security Software Discovery using WMIC
- Security Software Discovery via Grep
- Segfault Detected
- Sensitive Audit Policy Sub-category Disabled
- Sensitive Files Compression
- Sensitive Files Compression Inside A Container
- Sensitive Keys Or Passwords Searched For Inside A Container
- Sensitive Privilege SeEnableDelegationPrivilege assigned to a User
- Sensitive Registry Hive Access via RegBack
- Service Command Lateral Movement
- Service Control Spawned via Script Interpreter
- Service Creation via Local Kerberos Authentication
- Service DACL Modification via sc.exe
- Service Disabled via Registry Modification
- Service Path Modification
- Service Path Modification via sc.exe
- Setcap setuid/setgid Capability Set
- Shadow File Modification by Unusual Process
- SharePoint Malware File Upload
- Shared Object Created or Changed by Previously Unknown Process
- Shell Configuration Creation or Modification
- Shell Execution via Apple Scripting
- Shortcut File Written or Modified on Startup Folder
- Signed Proxy Execution via MS Work Folders
- Simple HTTP Web Server Connection
- Simple HTTP Web Server Creation
- SoftwareUpdate Preferences Modification
- SolarWinds Process Disabling Services via Registry
- Spike in AWS Error Messages
- Spike in Bytes Sent to an External Device
- Spike in Bytes Sent to an External Device via Airdrop
- Spike in Failed Logon Events
- Spike in Firewall Denies
- Spike in Group Application Assignment Change Events
- Spike in Group Lifecycle Change Events
- Spike in Group Management Events
- Spike in Group Membership Events
- Spike in Group Privilege Change Events
- Spike in Logon Events
- Spike in Network Traffic
- Spike in Network Traffic To a Country
- Spike in Number of Connections Made from a Source IP
- Spike in Number of Connections Made to a Destination IP
- Spike in Number of Processes in an RDP Session
- Spike in Privileged Command Execution by a User
- Spike in Remote File Transfers
- Spike in Special Logon Events
- Spike in Special Privilege Use Events
- Spike in Successful Logon Events from a Source IP
- Spike in User Account Management Events
- Spike in User Lifecycle Management Change Events
- Spike in host-based traffic
- Startup Folder Persistence via Unsigned Process
- Startup Persistence by a Suspicious Process
- Startup or Run Key Registry Modification
- Startup/Logon Script added to Group Policy Object
- Statistical Model Detected C2 Beaconing Activity
- Statistical Model Detected C2 Beaconing Activity with High Confidence
- Stolen Credentials Used to Login to Okta Account After MFA Reset
- Sublime Plugin or Application Script Modification
- Successful Application SSO from Rare Unknown Client Device
- Successful SSH Authentication from Unusual IP Address
- Successful SSH Authentication from Unusual SSH Public Key
- Successful SSH Authentication from Unusual User
- Sudo Command Enumeration Detected
- Sudo Heap-Based Buffer Overflow Attempt
- Sudoers File Modification
- Suspicious .NET Code Compilation
- Suspicious .NET Reflection via PowerShell
- Suspicious /proc/maps Discovery
- Suspicious APT Package Manager Execution
- Suspicious APT Package Manager Network Connection
- Suspicious Access to LDAP Attributes
- Suspicious Activity Reported by Okta User
- Suspicious Antimalware Scan Interface DLL
- Suspicious Automator Workflows Execution
- Suspicious Browser Child Process
- Suspicious Calendar File Modification
- Suspicious CertUtil Commands
- Suspicious Child Process of Adobe Acrobat Reader Update Service
- Suspicious Cmd Execution via WMI
- Suspicious Communication App Child Process
- Suspicious Content Extracted or Decompressed via Funzip
- Suspicious CronTab Creation or Modification
- Suspicious DLL Loaded for Persistence or Privilege Escalation
- Suspicious Data Encryption via OpenSSL Utility
- Suspicious Dynamic Linker Discovery via od
- Suspicious Email Access by First-Party Application via Microsoft Graph
- Suspicious Emond Child Process
- Suspicious Endpoint Security Parent Process
- Suspicious Execution from Foomatic-rip or Cupsd Parent
- Suspicious Execution from INET Cache
- Suspicious Execution from a Mounted Device
- Suspicious Execution via MSIEXEC
- Suspicious Execution via Microsoft Office Add-Ins
- Suspicious Execution via Scheduled Task
- Suspicious Execution via Windows Subsystem for Linux
- Suspicious Explorer Child Process
- Suspicious File Creation via Kworker
- Suspicious File Downloaded from Google Drive
- Suspicious File Renamed via SMB
- Suspicious HTML File Creation
- Suspicious Hidden Child Process of Launchd
- Suspicious Image Load (taskschd.dll) from MS Office
- Suspicious ImagePath Service Creation
- Suspicious Installer Package Spawns Network Event
- Suspicious Inter-Process Communication via Outlook
- Suspicious JetBrains TeamCity Child Process
- Suspicious Kernel Feature Activity
- Suspicious Kworker UID Elevation
- Suspicious LSASS Access via MalSecLogon
- Suspicious Lsass Process Access
- Suspicious MS Office Child Process
- Suspicious MS Outlook Child Process
- Suspicious Mailbox Permission Delegation in Exchange Online
- Suspicious Managed Code Hosting Process
- Suspicious Memory grep Activity
- Suspicious Microsoft 365 Mail Access by ClientAppId
- Suspicious Microsoft 365 UserLoggedIn via OAuth Code
- Suspicious Microsoft Diagnostics Wizard Execution
- Suspicious Microsoft OAuth Flow via Auth Broker to DRS
- Suspicious Mining Process Creation Event
- Suspicious Modprobe File Event
- Suspicious Module Loaded by LSASS
- Suspicious Named Pipe Creation
- Suspicious Network Activity to the Internet by Previously Unknown Executable
- Suspicious Network Connection via systemd
- Suspicious Network Tool Launched Inside A Container
- Suspicious Outlook Child Process
- Suspicious PDF Reader Child Process
- Suspicious Passwd File Event Action
- Suspicious Path Invocation from Command Line
- Suspicious Path Mounted
- Suspicious Portable Executable Encoded in Powershell Script
- Suspicious PowerShell Engine ImageLoad
- Suspicious Powershell Script
- Suspicious Print Spooler File Deletion
- Suspicious Print Spooler Point and Print DLL
- Suspicious Print Spooler SPL File created
- Suspicious PrintSpooler Service Executable File creation
- Suspicious Proc Pseudo File System Enumeration
- Suspicious Process Access via Direct System Call
- Suspicious Process Creation CallTrace
- Suspicious Process Execution via Renamed PsExec Executable
- Suspicious RDP ActiveX Client Loaded
- Suspicious Remote Registry Access via SeBackupPrivilege
- Suspicious Renaming of ESXI Files
- Suspicious Renaming of ESXI index.html File
- Suspicious ScreenConnect Client Child Process
- Suspicious Script Object Execution
- Suspicious Service was Installed in the System
- Suspicious SolarWinds Child Process
- Suspicious Startup Shell Folder Modification
- Suspicious Symbolic Link Created
- Suspicious Sysctl File Event
- Suspicious System Commands Executed by Previously Unknown Executable
- Suspicious Termination of ESXI Process
- Suspicious Troubleshooting Pack Cabinet Execution
- Suspicious Usage of bpf_probe_write_user Helper
- Suspicious Utility Launched via Proxychains
- Suspicious WMI Event Subscription Created
- Suspicious WMI Image Load from MS Office
- Suspicious WMIC XSL Script Execution
- Suspicious Web Browser Sensitive File Access
- Suspicious WerFault Child Process
- Suspicious Windows Command Shell Arguments
- Suspicious Windows Powershell Arguments
- Suspicious Zoom Child Process
- Suspicious macOS MS Office Child Process
- Suspicious pbpaste High Volume Activity
- Suspicious rc.local Error Message
- Suspicious which Enumeration
- Svchost spawning Cmd
- Symbolic Link to Shadow Copy Created
- System Binary Moved or Copied
- System Binary Path File Permission Modification
- System Binary Symlink to Suspicious Location
- System Hosts File Access
- System Information Discovery via Windows Command Shell
- System Log File Deletion
- System Network Connections Discovery
- System Owner/User Discovery Linux
- System Service Discovery through built-in Windows Utilities
- System Shells via Services
- System Time Discovery
- System V Init Script Created
- SystemKey Access via Command Line
- Systemd Generator Created
- Systemd Service Created
- Systemd Service Started by Unusual Parent Process
- Systemd Shell Execution During Boot
- Systemd Timer Created
- Systemd-udevd Rule File Creation
- TCC Bypass via Mounted APFS Snapshot Access
- Tainted Kernel Module Load
- Tainted Out-Of-Tree Kernel Module Load
- Tampering of Shell Command-Line History
- Temporarily Scheduled Task Creation
- Third-party Backup Files Deleted via Unexpected Process
- Threat Intel Email Indicator Match
- Threat Intel Hash Indicator Match
- Threat Intel IP Address Indicator Match
- Threat Intel URL Indicator Match
- Threat Intel Windows Registry Indicator Match
- Timestomping using Touch Command
- Trap Signals Execution
- UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer
- UAC Bypass Attempt via Privileged IFileOperation COM Interface
- UAC Bypass Attempt via Windows Directory Masquerading
- UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface
- UAC Bypass via DiskCleanup Scheduled Task Hijack
- UAC Bypass via ICMLuaUtil Elevated COM Interface
- UAC Bypass via Windows Firewall Snap-In Hijack
- UID Elevation from Previously Unknown Executable
- Unauthorized Access to an Okta Application
- Unauthorized Scope for Public App OAuth2 Token Grant with Client Credentials
- Uncommon Destination Port Connection by Web Server
- Uncommon Registry Persistence Change
- Unexpected Child Process of macOS Screensaver Engine
- Unix Socket Connection
- Unknown Execution of Binary with RWX Memory Region
- Unsigned BITS Service Client Process
- Unsigned DLL Loaded by Svchost
- Unsigned DLL Loaded by a Trusted Process
- Unsigned DLL Side-Loading from a Suspicious Folder
- Unsigned DLL loaded by DNS Service
- Untrusted DLL Loaded by Azure AD Sync Service
- Untrusted Driver Loaded
- Unusual AWS command for a User
- Unusual AWS S3 Object Encryption with SSE-C
- Unusual Base64 Encoding/Decoding Activity
- Unusual Child Process from a System Virtual Process
- Unusual Child Process of dns.exe
- Unusual Child Processes of RunDLL32
- Unusual City For an AWS Command
- Unusual Command Execution from Web Server Parent
- Unusual Country For an AWS Command
- Unusual D-Bus Daemon Child Process
- Unusual DNS Activity
- Unusual DPKG Execution
- Unusual Discovery Activity by User
- Unusual Discovery Signal Alert with Unusual Process Command Line
- Unusual Discovery Signal Alert with Unusual Process Executable
- Unusual Executable File Creation by a System Critical Process
- Unusual Execution from Kernel Thread (kthreadd) Parent
- Unusual Execution via Microsoft Common Console File
- Unusual Exim4 Child Process
- Unusual File Creation - Alternate Data Stream
- Unusual File Creation by Web Server
- Unusual File Modification by dns.exe
- Unusual File Transfer Utility Launched
- Unusual Group Name Accessed by a User
- Unusual High Confidence Content Filter Blocks Detected
- Unusual High Denied Sensitive Information Policy Blocks Detected
- Unusual High Denied Topic Blocks Detected
- Unusual High Word Policy Blocks Detected
- Unusual Host Name for Okta Privileged Operations Detected
- Unusual Host Name for Windows Privileged Operations Detected
- Unusual Hour for a User to Logon
- Unusual Instance Metadata Service (IMDS) API Request
- Unusual Interactive Process Launched in a Container
- Unusual Interactive Shell Launched from System User
- Unusual LD_PRELOAD/LD_LIBRARY_PATH Command Line Arguments
- Unusual Linux Network Activity
- Unusual Linux Network Configuration Discovery
- Unusual Linux Network Connection Discovery
- Unusual Linux Network Port Activity
- Unusual Linux Process Calling the Metadata Service
- Unusual Linux Process Discovery Activity
- Unusual Linux System Information Discovery Activity
- Unusual Linux User Calling the Metadata Service
- Unusual Linux User Discovery Activity
- Unusual Linux Username
- Unusual Login Activity
- Unusual Network Activity from a Windows System Binary
- Unusual Network Connection to Suspicious Top Level Domain
- Unusual Network Connection to Suspicious Web Service
- Unusual Network Connection via DllHost
- Unusual Network Connection via RunDLL32
- Unusual Network Destination Domain Name
- Unusual Parent Process for cmd.exe
- Unusual Parent-Child Relationship
- Unusual Persistence via Services Registry
- Unusual Pkexec Execution
- Unusual Preload Environment Variable Process Execution
- Unusual Print Spooler Child Process
- Unusual Privilege Type assigned to a User
- Unusual Process Detected for Privileged Commands by a User
- Unusual Process Execution Path - Alternate Data Stream
- Unusual Process Execution on WBEM Path
- Unusual Process Extension
- Unusual Process For MSSQL Service Accounts
- Unusual Process For a Linux Host
- Unusual Process For a Windows Host
- Unusual Process Network Connection
- Unusual Process Spawned by a Host
- Unusual Process Spawned by a Parent Process
- Unusual Process Spawned by a User
- Unusual Process Spawned from Web Server Parent
- Unusual Process Writing Data to an External Device
- Unusual Region Name for Okta Privileged Operations Detected
- Unusual Region Name for Windows Privileged Operations Detected
- Unusual Remote File Creation
- Unusual Remote File Directory
- Unusual Remote File Extension
- Unusual Remote File Size
- Unusual SSHD child Process
- Unusual Scheduled Task Update
- Unusual Service Host Child Process - Childless Service
- Unusual Source IP for Okta Privileged Operations Detected
- Unusual Source IP for Windows Privileged Operations Detected
- Unusual Source IP for a User to Logon from
- Unusual Spike in Concurrent Active Sessions by a User
- Unusual Sudo Activity
- Unusual Time or Day for an RDP Session
- Unusual User Privilege Enumeration via id
- Unusual Web Request
- Unusual Web User Agent
- Unusual Windows Network Activity
- Unusual Windows Path Activity
- Unusual Windows Process Calling the Metadata Service
- Unusual Windows Remote User
- Unusual Windows Service
- Unusual Windows User Calling the Metadata Service
- Unusual Windows User Privilege Elevation Activity
- Unusual Windows Username
- User Account Creation
- User Added as Owner for Azure Application
- User Added as Owner for Azure Service Principal
- User Added to Privileged Group in Active Directory
- User Added to the Admin Group
- User Detected with Suspicious Windows Process(es)
- User account exposed to Kerberoasting
- User or Group Creation/Modification
- VNC (Virtual Network Computing) from the Internet
- VNC (Virtual Network Computing) to the Internet
- Veeam Backup Library Loaded by Unusual Process
- Virtual Machine Fingerprinting
- Virtual Machine Fingerprinting via Grep
- Virtual Private Network Connection Attempt
- Volume Shadow Copy Deleted or Resized via VssAdmin
- Volume Shadow Copy Deletion via PowerShell
- Volume Shadow Copy Deletion via WMIC
- WDAC Policy File by an Unusual Process
- WMI Incoming Lateral Movement
- WMI WBEMTEST Utility Execution
- WMIC Remote Command
- WPS Office Exploitation via DLL Hijack
- WRITEDAC Access on Active Directory Object
- Web Application Suspicious Activity: POST Request Declined
- Web Application Suspicious Activity: Unauthorized Method
- Web Application Suspicious Activity: sqlmap User Agent
- Web Server Spawned via Python
- Web Shell Detection: Script Process Child of Common Web Processes
- WebProxy Settings Modification
- WebServer Access Logs Deleted
- Werfault ReflectDebugger Persistence
- Whoami Process Activity
- Windows Account or Group Discovery
- Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)
- Windows Defender Disabled via Registry Modification
- Windows Defender Exclusions Added via PowerShell
- Windows Event Logs Cleared
- Windows Firewall Disabled via PowerShell
- Windows Installer with Suspicious Properties
- Windows Network Enumeration
- Windows Registry File Creation in SMB Share
- Windows Sandbox with Sensitive Configuration
- Windows Script Executing PowerShell
- Windows Script Interpreter Executing Process via WMI
- Windows Service Installed via an Unusual Client
- Windows Subsystem for Linux Distribution Installed
- Windows Subsystem for Linux Enabled via Dism Utility
- Windows System Information Discovery
- Windows System Network Connections Discovery
- Wireless Credential Dumping using Netsh Command
- Yum Package Manager Plugin File Creation
- Yum/DNF Plugin Status Discovery
- Zoom Meeting with no Passcode
- dMSA Account Creation by an Unusual User
- rc.local/rc.common File Creation
- Downloadable rule updates
- Configure endpoint protection with Elastic Defend
- Manage Elastic Defend
- Endpoints
- Policies
- Trusted applications
- Event filters
- Host isolation exceptions
- Blocklist
- Optimize Elastic Defend
- Event capture and Elastic Defend
- Endpoint protection rules
- Allowlist Elastic Endpoint in third-party antivirus apps
- Elastic Endpoint self-protection features
- Elastic Endpoint command reference
- Endpoint response actions
- Cloud Security
- Dashboards
- Explore
- Advanced Entity Analytics
- Investigation tools
- Elastic Security APIs
- Elastic Security fields and object schemas
- Troubleshooting
- Release notes