- Elastic Security overview
- What’s new in 8.18
- Upgrade Elastic Security to 8.18.3
- Post-upgrade steps (optional)
- Get started with Elastic Security
- AI for Security
- Detections and alerts
- Detections requirements
- Using logsdb index mode with Elastic Security
- About detection rules
- Create a detection rule
- Install and manage Elastic prebuilt rules
- Manage detection rules
- Monitor and troubleshoot rule executions
- Rule exceptions
- About building block rules
- MITRE ATT&CK® coverage
- Manage detection alerts
- Reduce notifications and alerts
- Query alert indices
- Tune detection rules
- Prebuilt rule reference
- A scheduled task was created
- APT Package Manager Configuration File Creation
- AWS Access Token Used from Multiple Addresses
- AWS Bedrock Detected Multiple Attempts to use Denied Models by a Single User
- AWS Bedrock Detected Multiple Validation Exception Errors by a Single User
- AWS Bedrock Guardrails Detected Multiple Policy Violations Within a Single Blocked Request
- AWS Bedrock Guardrails Detected Multiple Violations by a Single User Over a Session
- AWS Bedrock Invocations without Guardrails Detected by a Single User Over a Session
- AWS CLI Command with Custom Endpoint URL
- AWS CLI with Kali Linux Fingerprint Identified
- AWS CloudTrail Log Created
- AWS CloudTrail Log Deleted
- AWS CloudTrail Log Evasion
- AWS CloudTrail Log Suspended
- AWS CloudTrail Log Updated
- AWS CloudWatch Alarm Deletion
- AWS CloudWatch Log Group Deletion
- AWS CloudWatch Log Stream Deletion
- AWS Config Resource Deletion
- AWS Configuration Recorder Stopped
- AWS Credentials Searched For Inside A Container
- AWS Deletion of RDS Instance or Cluster
- AWS Discovery API Calls via CLI from a Single Resource
- AWS DynamoDB Scan by Unusual User
- AWS DynamoDB Table Exported to S3
- AWS EC2 Deprecated AMI Discovery
- AWS EC2 EBS Snapshot Access Removed
- AWS EC2 EBS Snapshot Shared or Made Public
- AWS EC2 Encryption Disabled
- AWS EC2 Full Network Packet Capture Detected
- AWS EC2 Instance Connect SSH Public Key Uploaded
- AWS EC2 Instance Console Login via Assumed Role
- AWS EC2 Instance Interaction with IAM Service
- AWS EC2 Multi-Region DescribeInstances API Calls
- AWS EC2 Network Access Control List Creation
- AWS EC2 Network Access Control List Deletion
- AWS EC2 Route Table Modified or Deleted
- AWS EC2 Security Group Configuration Change
- AWS EC2 Unauthorized Admin Credential Fetch via Assumed Role
- AWS EC2 User Data Retrieval for EC2 Instance
- AWS EC2 VM Export Failure
- AWS EFS File System or Mount Deleted
- AWS ElastiCache Security Group Created
- AWS ElastiCache Security Group Modified or Deleted
- AWS EventBridge Rule Disabled or Deleted
- AWS GuardDuty Detector Deletion
- AWS IAM API Calls via Temporary Session Tokens
- AWS IAM AdministratorAccess Policy Attached to Group
- AWS IAM AdministratorAccess Policy Attached to Role
- AWS IAM AdministratorAccess Policy Attached to User
- AWS IAM Assume Role Policy Update
- AWS IAM Brute Force of Assume Role Policy
- AWS IAM CompromisedKeyQuarantine Policy Attached to User
- AWS IAM Create User via Assumed Role on EC2 Instance
- AWS IAM Customer-Managed Policy Attached to Role by Rare User
- AWS IAM Deactivation of MFA Device
- AWS IAM Group Creation
- AWS IAM Group Deletion
- AWS IAM Login Profile Added for Root
- AWS IAM Login Profile Added to User
- AWS IAM Password Recovery Requested
- AWS IAM Roles Anywhere Profile Creation
- AWS IAM Roles Anywhere Trust Anchor Created with External CA
- AWS IAM SAML Provider Updated
- AWS IAM User Addition to Group
- AWS IAM User Created Access Keys For Another User
- AWS IAM Virtual MFA Device Registration Attempt with Session Token
- AWS KMS Customer Managed Key Disabled or Scheduled for Deletion
- AWS Lambda Function Created or Updated
- AWS Lambda Function Policy Updated to Allow Public Invocation
- AWS Lambda Layer Added to Existing Function
- AWS Management Console Brute Force of Root User Identity
- AWS Management Console Root Login
- AWS RDS Cluster Creation
- AWS RDS DB Instance Made Public
- AWS RDS DB Instance Restored
- AWS RDS DB Instance or Cluster Deletion Protection Disabled
- AWS RDS DB Instance or Cluster Password Modified
- AWS RDS DB Snapshot Created
- AWS RDS DB Snapshot Shared with Another Account
- AWS RDS Instance Creation
- AWS RDS Instance/Cluster Stoppage
- AWS RDS Security Group Creation
- AWS RDS Security Group Deletion
- AWS RDS Snapshot Deleted
- AWS RDS Snapshot Export
- AWS Redshift Cluster Creation
- AWS Root Login Without MFA
- AWS Route 53 Domain Transfer Lock Disabled
- AWS Route 53 Domain Transferred to Another Account
- AWS Route Table Created
- AWS Route53 private hosted zone associated with a VPC
- AWS S3 Bucket Configuration Deletion
- AWS S3 Bucket Enumeration or Brute Force
- AWS S3 Bucket Expiration Lifecycle Configuration Added
- AWS S3 Bucket Policy Added to Share with External Account
- AWS S3 Bucket Replicated to Another Account
- AWS S3 Bucket Server Access Logging Disabled
- AWS S3 Object Encryption Using External KMS Key
- AWS S3 Object Versioning Suspended
- AWS S3 Static Site JavaScript File Uploaded
- AWS S3 Unauthenticated Bucket Access by Rare Source
- AWS SNS Email Subscription by Rare User
- AWS SNS Topic Created by Rare User
- AWS SQS Queue Purge
- AWS SSM Command Document Created by Rare User
- AWS SSM SendCommand Execution by Rare User
- AWS SSM SendCommand with Run Shell Command Parameters
- AWS STS AssumeRole with New MFA Device
- AWS STS AssumeRoot by Rare User and Member Account
- AWS STS GetCallerIdentity API Called for the First Time
- AWS STS GetSessionToken Abuse
- AWS STS Role Assumption by Service
- AWS STS Role Assumption by User
- AWS STS Role Chaining
- AWS Service Quotas Multi-Region GetServiceQuota Requests
- AWS Signin Single Factor Console Login with Federated User
- AWS Systems Manager SecureString Parameter Request with Decryption Flag
- AWS VPC Flow Logs Deletion
- AWS WAF Access Control List Deletion
- AWS WAF Rule or Rule Group Deletion
- Abnormal Process ID or Lock File Created
- Abnormally Large DNS Response
- Accepted Default Telnet Port Connection
- Access Control List Modification via setfacl
- Access to a Sensitive LDAP Attribute
- Accessing Outlook Data Files
- Account Configured with Never-Expiring Password
- Account Discovery Command via SYSTEM Account
- Account Password Reset Remotely
- Account or Group Discovery via Built-In Tools
- Active Directory Forced Authentication from Linux Host - SMB Named Pipes
- Active Directory Group Modification by SYSTEM
- AdFind Command Activity
- Adding Hidden File Attribute via Attrib
- AdminSDHolder Backdoor
- AdminSDHolder SDProp Exclusion Added
- Administrator Privileges Assigned to an Okta Group
- Administrator Role Assigned to an Okta User
- Adobe Hijack Persistence
- Adversary Behavior - Detected - Elastic Endgame
- Agent Spoofing - Mismatched Agent ID
- Agent Spoofing - Multiple Hosts Using Same Agent
- Alternate Data Stream Creation/Execution at Volume Root Directory
- Anomalous Linux Compiler Activity
- Anomalous Process For a Linux Population
- Anomalous Process For a Windows Population
- Anomalous Windows Process Creation
- Apple Script Execution followed by Network Connection
- Apple Scripting Execution with Administrator Privileges
- Application Added to Google Workspace Domain
- Application Removed from Blocklist in Google Workspace
- Archive File with Unusual Extension
- At Job Created or Modified
- At.exe Command Lateral Movement
- Attempt to Clear Kernel Ring Buffer
- Attempt to Create Okta API Token
- Attempt to Deactivate an Okta Application
- Attempt to Deactivate an Okta Network Zone
- Attempt to Deactivate an Okta Policy
- Attempt to Deactivate an Okta Policy Rule
- Attempt to Delete an Okta Application
- Attempt to Delete an Okta Network Zone
- Attempt to Delete an Okta Policy
- Attempt to Delete an Okta Policy Rule
- Attempt to Disable Auditd Service
- Attempt to Disable Gatekeeper
- Attempt to Disable IPTables or Firewall
- Attempt to Disable Syslog Service
- Attempt to Enable the Root Account
- Attempt to Establish VScode Remote Tunnel
- Attempt to Install Kali Linux via WSL
- Attempt to Install Root Certificate
- Attempt to Modify an Okta Application
- Attempt to Modify an Okta Network Zone
- Attempt to Modify an Okta Policy
- Attempt to Modify an Okta Policy Rule
- Attempt to Mount SMB Share via Command Line
- Attempt to Reset MFA Factors for an Okta User Account
- Attempt to Revoke Okta API Token
- Attempt to Unload Elastic Endpoint Security Kernel Extension
- Attempted Bypass of Okta MFA
- Attempted Private Key Access
- Attempts to Brute Force an Okta User Account
- Authentication via Unusual PAM Grantor
- Authorization Plugin Modification
- Azure AD Global Administrator Role Assigned
- Azure Active Directory High Risk User Sign-in Heuristic
- Azure Active Directory PowerShell Sign-in
- Azure Alert Suppression Rule Created or Modified
- Azure Application Credential Modification
- Azure Automation Account Created
- Azure Automation Runbook Created or Modified
- Azure Automation Runbook deleted
- Azure Automation Webhook Created
- Azure Blob Container Access Level Modification
- Azure Blob Permissions Modification
- Azure Command Execution on Virtual Machine
- Azure Diagnostic Settings Deletion
- Azure Entra ID Rare App ID for Principal Authentication
- Azure Entra MFA TOTP Brute Force Attempts
- Azure Event Hub Authorization Rule Created or Updated
- Azure Event Hub Deletion
- Azure External Guest User Invitation
- Azure Firewall Policy Deletion
- Azure Frontdoor Web Application Firewall (WAF) Policy Deleted
- Azure Full Network Packet Capture Detected
- Azure Global Administrator Role Addition to PIM User
- Azure Key Vault Modified
- Azure Kubernetes Events Deleted
- Azure Kubernetes Pods Deleted
- Azure Kubernetes Rolebindings Created
- Azure Network Watcher Deletion
- Azure OpenAI Insecure Output Handling
- Azure Privilege Identity Management Role Modified
- Azure Resource Group Deletion
- Azure Storage Account Key Regenerated
- BPF filter applied using TC
- Backup Deletion with Wbadmin
- Base16 or Base32 Encoding/Decoding Activity
- Base64 Decoded Payload Piped to Interpreter
- Bash Shell Profile Modification
- Behavior - Detected - Elastic Defend
- Behavior - Prevented - Elastic Defend
- Binary Content Copy via Cmd.exe
- Binary Executed from Shared Memory Directory
- Bitsadmin Activity
- BloodHound Suite User-Agents Detected
- Boot File Copy
- Browser Extension Install
- Bypass UAC via Event Viewer
- CAP_SYS_ADMIN Assigned to Binary
- Chkconfig Service Add
- Clearing Windows Console History
- Clearing Windows Event Logs
- Cobalt Strike Command and Control Beacon
- Code Signing Policy Modification Through Built-in tools
- Code Signing Policy Modification Through Registry
- Command Execution via ForFiles
- Command Execution via SolarWinds Process
- Command Prompt Network Connection
- Command Shell Activity Started via RunDLL32
- Command and Scripting Interpreter via Windows Scripts
- Component Object Model Hijacking
- Compression DLL Loaded by Unusual Process
- Conhost Spawned By Suspicious Parent Process
- Connection to Commonly Abused Free SSL Certificate Providers
- Connection to Commonly Abused Web Services
- Connection to External Network via Telnet
- Connection to Internal Network via Telnet
- Container Management Utility Run Inside A Container
- Control Panel Process with Unusual Arguments
- Creation of Hidden Files and Directories via CommandLine
- Creation of Hidden Launch Agent or Daemon
- Creation of Hidden Login Item via Apple Script
- Creation of Hidden Shared Object File
- Creation of Kernel Module
- Creation of SettingContent-ms Files
- Creation of a DNS-Named Record
- Creation of a Hidden Local User Account
- Creation or Modification of Domain Backup DPAPI private key
- Creation or Modification of Pluggable Authentication Module or Configuration
- Creation or Modification of Root Certificate
- Creation or Modification of a new GPO Scheduled Task or Service
- Credential Acquisition via Registry Hive Dumping
- Credential Dumping - Detected - Elastic Endgame
- Credential Dumping - Prevented - Elastic Endgame
- Credential Manipulation - Detected - Elastic Endgame
- Credential Manipulation - Prevented - Elastic Endgame
- Cron Job Created or Modified
- Cupsd or Foomatic-rip Shell Execution
- Curl SOCKS Proxy Activity from Unusual Parent
- CyberArk Privileged Access Security Error
- CyberArk Privileged Access Security Recommended Monitor
- D-Bus Service Created
- DNF Package Manager Plugin File Creation
- DNS Global Query Block List Modified or Disabled
- DNS Tunneling
- DNS-over-HTTPS Enabled via Registry
- DPKG Package Installed by Unusual Parent Process
- Decline in host-based traffic
- Default Cobalt Strike Team Server Certificate
- Delayed Execution via Ping
- Delegated Managed Service Account Modification by an Unusual User
- Delete Volume USN Journal with Fsutil
- Deprecated - AWS EC2 Snapshot Activity
- Deprecated - Azure Entra Sign-in Brute Force Microsoft 365 Accounts by Repeat Source
- Deprecated - Azure Virtual Network Device Modified or Deleted
- Deprecated - LaunchDaemon Creation or Modification and Immediate Loading
- Directory Creation in /bin directory
- Disable Windows Event and Security Logs Using Built-in Tools
- Disable Windows Firewall Rules via Netsh
- Disabling Lsa Protection via Registry Modification
- Disabling User Account Control via Registry Modification
- Disabling Windows Defender Security Settings via PowerShell
- Discovery of Domain Groups
- Discovery of Internet Capabilities via Built-in Tools
- Docker Escape via Nsenter
- Docker Release File Creation
- Docker Socket Enumeration
- Domain Added to Google Workspace Trusted Domains
- Downloaded Shortcut Files
- Downloaded URL Files
- Dracut Module Creation
- Dumping Account Hashes via Built-In Commands
- Dumping of Keychain Content via Security Command
- Dynamic IEX Reconstruction via Method String Access
- Dynamic Linker (ld.so) Creation
- Dynamic Linker Copy
- Dynamic Linker Creation or Modification
- EC2 AMI Shared with Another Account
- ESXI Discovery via Find
- ESXI Discovery via Grep
- ESXI Timestomping using Touch Command
- EggShell Backdoor Execution
- Egress Connection from Entrypoint in Container
- Elastic Agent Service Terminated
- Emond Rules Creation or Modification
- Enable Host Network discovery via Netsh
- Encoded Executable Stored in the Registry
- Encrypting Files with WinRar or 7z
- Endpoint Security (Elastic Defend)
- Entra ID Device Code Auth with Broker Client
- Entra ID Protection - Risk Detection - Sign-in Risk
- Entra ID Protection - Risk Detection - User Risk
- Entra ID RT to PRT Transition from Same User and Device
- Entra ID User Signed In from Unusual Device
- Enumerating Domain Trusts via DSQUERY.EXE
- Enumerating Domain Trusts via NLTEST.EXE
- Enumeration Command Spawned via WMIPrvSE
- Enumeration of Administrator Accounts
- Enumeration of Kernel Modules
- Enumeration of Kernel Modules via Proc
- Enumeration of Privileged Local Groups Membership
- Enumeration of Users or Groups via Built-in Commands
- Excessive AWS S3 Object Encryption with SSE-C
- Excessive Microsoft 365 Mailbox Items Accessed
- Exchange Mailbox Export via PowerShell
- Executable Bit Set for Potential Persistence Script
- Executable File Creation with Multiple Extensions
- Executable File with Unusual Extension
- Executable Masquerading as Kernel Process
- Execution from Unusual Directory - Command Line
- Execution from a Removable Media with Network Connection
- Execution of COM object via Xwizard
- Execution of File Written or Modified by Microsoft Office
- Execution of File Written or Modified by PDF Reader
- Execution of Persistent Suspicious Program
- Execution of a Downloaded Windows Script
- Execution of an Unsigned Service
- Execution via Electron Child Process Node.js Module
- Execution via MS VisualStudio Pre/Post Build Events
- Execution via MSSQL xp_cmdshell Stored Procedure
- Execution via Microsoft DotNet ClickOnce Host
- Execution via TSClient Mountpoint
- Execution via Windows Command Debugging Utility
- Execution via Windows Subsystem for Linux
- Execution via local SxS Shared Module
- Execution with Explicit Credentials via Scripting
- Expired or Revoked Driver Loaded
- Exploit - Detected - Elastic Endgame
- Exploit - Prevented - Elastic Endgame
- Exporting Exchange Mailbox via PowerShell
- External Alerts
- External IP Lookup from Non-Browser Process
- External User Added to Google Workspace Group
- File Compressed or Archived into Common Format by Unsigned Process
- File Creation Time Changed
- File Creation by Cups or Foomatic-rip Child
- File Creation in /var/log via Suspicious Process
- File Creation, Execution and Self-Deletion in Suspicious Directory
- File Deletion via Shred
- File Made Executable via Chmod Inside A Container
- File Permission Modification in Writable Directory
- File Staged in Root Folder of Recycle Bin
- File System Debugger Launched Inside a Container
- File Transfer or Listener Established via Netcat
- File and Directory Permissions Modification
- File made Immutable by Chattr
- File or Directory Deletion Command
- File with Right-to-Left Override Character (RTLO) Created/Executed
- File with Suspicious Extension Downloaded
- Finder Sync Plugin Registered and Enabled
- First Occurrence GitHub Event for a Personal Access Token (PAT)
- First Occurrence of Entra ID Auth via DeviceCode Protocol
- First Occurrence of GitHub Repo Interaction From a New IP
- First Occurrence of GitHub User Interaction with Private Repo
- First Occurrence of IP Address For GitHub Personal Access Token (PAT)
- First Occurrence of IP Address For GitHub User
- First Occurrence of Okta User Session Started via Proxy
- First Occurrence of Personal Access Token (PAT) Use For a GitHub User
- First Occurrence of Private Repo Event from Specific GitHub Personal Access Token (PAT)
- First Occurrence of STS GetFederationToken Request by User
- First Occurrence of User Agent For a GitHub Personal Access Token (PAT)
- First Occurrence of User-Agent For a GitHub User
- First Time AWS Cloudformation Stack Creation by User
- First Time Seen AWS Secret Value Accessed in Secrets Manager
- First Time Seen Commonly Abused Remote Access Tool Execution
- First Time Seen Driver Loaded
- First Time Seen Google Workspace OAuth Login from Third-Party Application
- First Time Seen NewCredentials Logon Process
- First Time Seen Removable Device
- FirstTime Seen Account Performing DCSync
- Forbidden Request from Unusual User Agent in Kubernetes
- Forwarded Google Workspace Security Alert
- Full User-Mode Dumps Enabled System-Wide
- GCP Firewall Rule Creation
- GCP Firewall Rule Deletion
- GCP Firewall Rule Modification
- GCP IAM Custom Role Creation
- GCP IAM Role Deletion
- GCP IAM Service Account Key Deletion
- GCP Logging Bucket Deletion
- GCP Logging Sink Deletion
- GCP Logging Sink Modification
- GCP Pub/Sub Subscription Creation
- GCP Pub/Sub Subscription Deletion
- GCP Pub/Sub Topic Creation
- GCP Pub/Sub Topic Deletion
- GCP Service Account Creation
- GCP Service Account Deletion
- GCP Service Account Disabled
- GCP Service Account Key Creation
- GCP Storage Bucket Configuration Modification
- GCP Storage Bucket Deletion
- GCP Storage Bucket Permissions Modification
- GCP Virtual Private Cloud Network Deletion
- GCP Virtual Private Cloud Route Creation
- GCP Virtual Private Cloud Route Deletion
- GRUB Configuration File Creation
- GRUB Configuration Generation through Built-in Utilities
- Git Hook Child Process
- Git Hook Command Execution
- Git Hook Created or Modified
- Git Hook Egress Network Connection
- Git Repository or File Download to Suspicious Directory
- GitHub App Deleted
- GitHub Owner Role Granted To User
- GitHub PAT Access Revoked
- GitHub Protected Branch Settings Changed
- GitHub Repo Created
- GitHub Repository Deleted
- GitHub UEBA - Multiple Alerts from a GitHub Account
- GitHub User Blocked From Organization
- Google Drive Ownership Transferred via Google Workspace
- Google Workspace 2SV Policy Disabled
- Google Workspace API Access Granted via Domain-Wide Delegation
- Google Workspace Admin Role Assigned to a User
- Google Workspace Admin Role Deletion
- Google Workspace Bitlocker Setting Disabled
- Google Workspace Custom Admin Role Created
- Google Workspace Custom Gmail Route Created or Modified
- Google Workspace Drive Encryption Key(s) Accessed from Anonymous User
- Google Workspace MFA Enforcement Disabled
- Google Workspace Object Copied to External Drive with App Consent
- Google Workspace Password Policy Modified
- Google Workspace Restrictions for Marketplace Modified to Allow Any App
- Google Workspace Role Modified
- Google Workspace Suspended User Account Renewed
- Google Workspace User Organizational Unit Changed
- Group Policy Abuse for Privilege Addition
- Group Policy Discovery via Microsoft GPResult Utility
- Halfbaked Command and Control Beacon
- Hidden Directory Creation via Unusual Parent
- Hidden Files and Directories via Hidden Flag
- High Command Line Entropy Detected for Privileged Commands
- High Mean of Process Arguments in an RDP Session
- High Mean of RDP Session Duration
- High Number of Cloned GitHub Repos From PAT
- High Number of Egress Network Connections from Unusual Executable
- High Number of Okta Device Token Cookies Generated for Authentication
- High Number of Okta User Password Reset or Unlock Attempts
- High Number of Process Terminations
- High Number of Process and/or Service Terminations
- High Variance in RDP Session Duration
- Host Detected with Suspicious Windows Process(es)
- Host Files System Changes via Windows Subsystem for Linux
- Hosts File Modified
- Hping Process Activity
- IIS HTTP Logging Disabled
- IPSEC NAT Traversal Port Activity
- IPv4/IPv6 Forwarding Activity
- Image File Execution Options Injection
- Image Loaded with Invalid Signature
- ImageLoad via Windows Update Auto Update Client
- Inbound Connection to an Unsecure Elasticsearch Node
- Incoming DCOM Lateral Movement via MSHTA
- Incoming DCOM Lateral Movement with MMC
- Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows
- Incoming Execution via PowerShell Remoting
- Incoming Execution via WinRM Remote Shell
- Indirect Command Execution via Forfiles/Pcalua
- Ingress Transfer via Windows BITS
- Initramfs Extraction via CPIO
- Initramfs Unpacking via unmkinitramfs
- Insecure AWS EC2 VPC Security Group Ingress Rule Added
- InstallUtil Activity
- InstallUtil Process Making Network Connections
- Installation of Custom Shim Databases
- Installation of Security Support Provider
- Interactive Logon by an Unusual Process
- Interactive Terminal Spawned via Perl
- Interactive Terminal Spawned via Python
- KRBTGT Delegation Backdoor
- Kerberos Cached Credentials Dumping
- Kerberos Pre-authentication Disabled for User
- Kerberos Traffic from Unusual Process
- Kernel Driver Load
- Kernel Driver Load by non-root User
- Kernel Load or Unload via Kexec Detected
- Kernel Module Load via insmod
- Kernel Module Removal
- Kernel Object File Creation
- Kernel Seeking Activity
- Kernel Unpacking Activity
- Keychain CommandLine Interaction via Unsigned or Untrusted Process
- Keychain Password Retrieval via Command Line
- Kill Command Execution
- Kirbi File Creation
- Kubeconfig File Creation or Modification
- Kubeconfig File discovery
- Kubectl Apply Pod from URL
- Kubectl Configuration discovery
- Kubectl Network Configuration Modification
- Kubectl Permission discovery
- Kubectl Workload and Cluster discovery
- Kubernetes Anonymous Request Authorized
- Kubernetes Container Created with Excessive Linux Capabilities
- Kubernetes Denied Service Account Request
- Kubernetes Direct API Request via Curl or Wget
- Kubernetes Events Deleted
- Kubernetes Exposed Service Created With Type NodePort
- Kubernetes Forbidden Creation Request
- Kubernetes Pod Created With HostIPC
- Kubernetes Pod Created With HostNetwork
- Kubernetes Pod Created With HostPID
- Kubernetes Pod created with a Sensitive hostPath Volume
- Kubernetes Privileged Pod Created
- Kubernetes Sensitive Configuration File Activity
- Kubernetes Service Account Secret Access
- Kubernetes Suspicious Assignment of Controller Service Account
- Kubernetes Suspicious Self-Subject Review
- Kubernetes User Exec into Pod
- LSASS Memory Dump Creation
- LSASS Memory Dump Handle Access
- LSASS Process Access via Windows API
- Lateral Movement via Startup Folder
- Launch Service Creation and Immediate Loading
- Linux Clipboard Activity Detected
- Linux Group Creation
- Linux Process Hooking via GDB
- Linux Restricted Shell Breakout via Linux Binary(s)
- Linux SSH X11 Forwarding
- Linux System Information Discovery
- Linux System Information Discovery via Getconf
- Linux Telegram API Request
- Linux User Account Creation
- Linux User Account Credential Modification
- Linux User Added to Privileged Group
- Linux init (PID 1) Secret Dump via GDB
- Loadable Kernel Module Configuration File Creation
- Local Account TokenFilter Policy Disabled
- Local Scheduled Task Creation
- Login via Unusual System User
- M365 OneDrive Excessive File Downloads with OAuth Token
- MFA Deactivation with no Re-Activation for Okta User Account
- MFA Disabled for Google Workspace Organization
- MS Office Macro Security Registry Modifications
- Machine Learning Detected DGA activity using a known SUNBURST DNS domain
- Machine Learning Detected a DNS Request Predicted to be a DGA Domain
- Machine Learning Detected a DNS Request With a High DGA Probability Score
- Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score
- Machine Learning Detected a Suspicious Windows Event with a Low Malicious Probability Score
- Malicious File - Detected - Elastic Defend
- Malicious File - Prevented - Elastic Defend
- Malware - Detected - Elastic Endgame
- Malware - Prevented - Elastic Endgame
- Manual Dracut Execution
- Manual Memory Dumping via Proc Filesystem
- Manual Mount Discovery via /etc/exports or /etc/fstab
- Masquerading Space After Filename
- Member Removed From GitHub Organization
- Memory Dump File with Unusual Extension
- Memory Swap Modification
- Memory Threat - Detected - Elastic Defend
- Memory Threat - Prevented - Elastic Defend
- Message-of-the-day (MOTD) File Creation
- Microsoft 365 Brute Force via Entra ID Sign-Ins
- Microsoft 365 Exchange Anti-Phish Policy Deletion
- Microsoft 365 Exchange Anti-Phish Rule Modification
- Microsoft 365 Exchange DKIM Signing Configuration Disabled
- Microsoft 365 Exchange DLP Policy Removed
- Microsoft 365 Exchange Malware Filter Policy Deletion
- Microsoft 365 Exchange Malware Filter Rule Modification
- Microsoft 365 Exchange Management Group Role Assignment
- Microsoft 365 Exchange Safe Attachment Rule Disabled
- Microsoft 365 Exchange Safe Link Policy Disabled
- Microsoft 365 Exchange Transport Rule Creation
- Microsoft 365 Exchange Transport Rule Modification
- Microsoft 365 Global Administrator Role Assigned
- Microsoft 365 Illicit Consent Grant via Registered Application
- Microsoft 365 Inbox Forwarding Rule Created
- Microsoft 365 OAuth Phishing via Visual Studio Code Client
- Microsoft 365 OAuth Redirect to Device Registration for User Principal
- Microsoft 365 Portal Login from Rare Location
- Microsoft 365 Portal Logins from Impossible Travel Locations
- Microsoft 365 Potential ransomware activity
- Microsoft 365 Suspicious Inbox Rule to Delete or Move Emails
- Microsoft 365 Teams Custom Application Interaction Allowed
- Microsoft 365 Teams External Access Enabled
- Microsoft 365 Teams Guest Access Enabled
- Microsoft 365 Unusual Volume of File Deletion
- Microsoft 365 User Restricted from Sending Email
- Microsoft Azure or Mail Sign-in from a Suspicious Source
- Microsoft Build Engine Started an Unusual Process
- Microsoft Build Engine Started by a Script Process
- Microsoft Build Engine Started by a System Process
- Microsoft Build Engine Started by an Office Application
- Microsoft Build Engine Using an Alternate Name
- Microsoft Entra ID Concurrent Sign-Ins with Suspicious Properties
- Microsoft Entra ID Conditional Access Policy (CAP) Modified
- Microsoft Entra ID Elevated Access to User Access Administrator
- Microsoft Entra ID Excessive Account Lockouts Detected
- Microsoft Entra ID High Risk Sign-in
- Microsoft Entra ID Illicit Consent Grant via Registered Application
- Microsoft Entra ID OAuth Phishing via Visual Studio Code Client
- Microsoft Entra ID Protection - Risk Detections
- Microsoft Entra ID Rare Authentication Requirement for Principal User
- Microsoft Entra ID Service Principal Created
- Microsoft Entra ID Service Principal Credentials Added by Rare User
- Microsoft Entra ID Session Reuse with Suspicious Graph Access
- Microsoft Entra ID SharePoint Access for User Principal via Auth Broker
- Microsoft Entra ID Sign-In Brute Force Activity
- Microsoft Entra ID Suspicious Cloud Device Registration
- Microsoft Entra ID User Reported Suspicious Activity
- Microsoft Exchange Server UM Spawning Suspicious Processes
- Microsoft Exchange Server UM Writing Suspicious Files
- Microsoft Exchange Transport Agent Install Script
- Microsoft Exchange Worker Spawning Suspicious Processes
- Microsoft Graph First Occurrence of Client Request
- Microsoft IIS Connection Strings Decryption
- Microsoft IIS Service Account Password Dumped
- Microsoft Management Console File from Unusual Path
- Microsoft Windows Defender Tampering
- Mimikatz Memssp Log File Detected
- Modification of AmsiEnable Registry Key
- Modification of Boot Configuration
- Modification of Dynamic Linker Preload Shared Object
- Modification of Environment Variable via Unsigned or Untrusted Parent
- Modification of OpenSSH Binaries
- Modification of Safari Settings via Defaults Command
- Modification of Standard Authentication Module or Configuration
- Modification of WDigest Security Provider
- Modification of the msPKIAccountCredentials
- Modification or Removal of an Okta Application Sign-On Policy
- Mofcomp Activity
- Mount Launched Inside a Container
- Mounting Hidden or WebDav Remote Shares
- MsBuild Making Network Connections
- Mshta Making Network Connections
- MsiExec Service Child Process With Network Connection
- Multi-Factor Authentication Disabled for an Azure User
- Multiple Alerts Involving a User
- Multiple Alerts in Different ATT&CK Tactics on a Single Host
- Multiple Device Token Hashes for Single Okta Session
- Multiple Logon Failure Followed by Logon Success
- Multiple Logon Failure from the same Source Address
- Multiple Microsoft 365 User Account Lockouts in Short Time Window
- Multiple Microsoft Entra ID Protection Alerts by User Principal
- Multiple Okta Sessions Detected for a Single User
- Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy
- Multiple Okta User Authentication Events with Client Address
- Multiple Okta User Authentication Events with Same Device Token Hash
- Multiple Vault Web Credentials Read
- My First Rule
- NTDS Dump via Wbadmin
- NTDS or SAM Database File Copied
- Namespace Manipulation Using Unshare
- Netcat Listener Established via rlwrap
- Netsh Helper DLL
- Network Activity Detected via Kworker
- Network Activity Detected via cat
- Network Connection Initiated by SSHD Child Process
- Network Connection by Cups or Foomatic-rip Child
- Network Connection from Binary with RWX Memory Region
- Network Connection via Certutil
- Network Connection via Compiled HTML File
- Network Connection via MsXsl
- Network Connection via Recently Compiled Executable
- Network Connection via Registration Utility
- Network Connection via Signed Binary
- Network Connection via Sudo Binary
- Network Connections Initiated Through XDG Autostart Entry
- Network Logon Provider Registry Modification
- Network Traffic Capture via CAP_NET_RAW
- Network Traffic to Rare Destination Country
- Network-Level Authentication (NLA) Disabled
- NetworkManager Dispatcher Script Creation
- New ActiveSyncAllowedDeviceID Added via PowerShell
- New GitHub App Installed
- New GitHub Owner Added
- New Okta Authentication Behavior detected
- New Okta Identity Provider (IdP) Added by Admin
- New User Added To GitHub Organization
- New or Modified Federation domain
- Nping Process Activity
- NullSessionPipe Registry Modification
- O365 Email Reported by User as Malware or Phish
- O365 Excessive Single Sign-On Logon Errors
- O365 Mailbox Audit Logging Bypass
- Office Test Registry Persistence
- Okta Brute Force or Password Spraying Attack
- Okta FastPass Phishing detection
- Okta Sign-In Events via Third-Party IdP
- Okta ThreatInsight Threat Suspected Promotion
- Okta User Session Impersonation
- Okta User Sessions Started from different Geolocations
- Onedrive Malware File Upload
- OpenSSL Password Hash Generation
- Openssl Client or Server Activity
- Outbound Scheduled Task Activity via PowerShell
- Outlook Home Page Registry Modification
- Parent Process detected with Suspicious Windows Process(es)
- Parent Process PId Spoofing
- Peripheral device discovery
- Permission Theft - detected - Elastic Endgame
- Permission Theft - Prevented - Elastic Endgame
- Persistence via BITS Job Notify Cmdline
- Persistence via directoryService Plugin Modification
- Persistence via docker Shortcut Modification
- Persistence via Folder Action Script
- Persistence via Hidden Run Key detected
- Persistence via KdE AutoStart Script or desktop File Modification
- Persistence via Login or Logout Hook
- Persistence via Microsoft Office AddIns
- Persistence via Microsoft Outlook VBA
- Persistence via PowerShell profile
- Persistence via Scheduled Job Creation
- Persistence via TelemetryController Scheduled Task Hijack
- Persistence via Update Orchestrator Service Hijack
- Persistence via WMI Event Subscription
- Persistence via WMI Standard Registry Provider
- Persistence via a Windows Installer
- Persistent Scripts in the Startup directory
- Pluggable Authentication Module (PAM) Creation in Unusual directory
- Pluggable Authentication Module (PAM) Source download
- Pluggable Authentication Module (PAM) Version discovery
- Polkit Policy Creation
- Polkit Version discovery
- Port Forwarding Rule Addition
- Possible FIN7 dGA Command and Control Behavior
- Possible Okta doS Attack
- Potential AdIdNS Poisoning via Wildcard Record Creation
- Potential AWS S3 Bucket Ransomware Note Uploaded
- Potential Abuse of Resources by High Token Count and Large Response Sizes
- Potential Active directory Replication Account Backdoor
- Potential Admin Group Account Addition
- Potential Antimalware Scan Interface Bypass via PowerShell
- Potential Application Shimming via Sdbinst
- Potential Azure OpenAI Model Theft
- Potential Backdoor Execution Through PAM_EXEC
- Potential Buffer Overflow Attack detected
- Potential CVE-2025-33053 Exploitation
- Potential Chroot Container Escape via Mount
- Potential Code Execution via Postgresql
- Potential Command and Control via Internet Explorer
- Potential Cookies Theft via Browser debugging
- Potential Credential Access via dCSync
- Potential Credential Access via duplicateHandle in LSASS
- Potential Credential Access via LSASS Memory dump
- Potential Credential Access via Memory dump File Creation
- Potential Credential Access via Renamed COM+ Services dLL
- Potential Credential Access via Trusted developer Utility
- Potential Credential Access via Windows Utilities
- Potential dGA Activity
- Potential dLL Side-Loading via Microsoft Antimalware Service Executable
- Potential dLL Side-Loading via Trusted Microsoft Programs
- Potential dNS Tunneling via NsLookup
- Potential data Exfiltration Activity to an Unusual destination Port
- Potential data Exfiltration Activity to an Unusual IP Address
- Potential data Exfiltration Activity to an Unusual ISO Code
- Potential data Exfiltration Activity to an Unusual Region
- Potential data Exfiltration Through Curl
- Potential data Splitting detected
- Potential defense Evasion via CMSTP.exe
- Potential defense Evasion via doas
- Potential defense Evasion via PRoot
- Potential denial of Azure OpenAI ML Service
- Potential disabling of AppArmor
- Potential disabling of SELinux
- Potential dynamic IEX Reconstruction via Environment Variables
- Potential Enumeration via Active directory Web Service
- Potential Escalation via Vulnerable MSI Repair
- Potential Evasion via Filter Manager
- Potential Evasion via Windows Filtering Platform
- Potential Execution of rc.local Script
- Potential Execution via XZBackdoor
- Potential Exploitation of an Unquoted Service Path Vulnerability
- Potential External Linux SSH Brute Force detected
- Potential File download via a Headless Browser
- Potential File Transfer via Certreq
- Potential File Transfer via Curl for Windows
- Potential Foxmail Exploitation
- Potential Hex Payload Execution via Command-Line
- Potential Hex Payload Execution via Common Utility
- Potential Hidden Local User Account Creation
- Potential Hidden Process via Mount Hidepid
- Potential Internal Linux SSH Brute Force detected
- Potential Invoke-Mimikatz PowerShell Script
- Potential JAVA/JNdI Exploitation Attempt
- Potential Kerberos Attack via Bifrost
- Potential Kerberos Coercion via dNS-Based SPN Spoofing
- Potential Kerberos SPN Spoofing via Suspicious dNS Query
- Potential Kubectl Masquerading via Unexpected Process
- Potential LSA Authentication Package Abuse
- Potential LSASS Clone Creation via PssCaptureSnapShot
- Potential LSASS Memory dump via PssCaptureSnapShot
- Potential Lateral Tool Transfer via SMB Share
- Potential Linux Backdoor User Account Creation
- Potential Linux Credential dumping via Proc Filesystem
- Potential Linux Credential dumping via Unshadow
- Potential Linux Hack Tool Launched
- Potential Linux Local Account Brute Force detected
- Potential Linux Ransomware Note Creation detected
- Potential Linux Tunneling and/or Port Forwarding
- Potential Linux Tunneling and/or Port Forwarding via SSH Option
- Potential Local NTLM Relay via HTTP
- Potential Machine Account Relay Attack via SMB
- Potential Malicious PowerShell Based on Alert Correlation
- Potential Malware-driven SSH Brute Force Attempt
- Potential Masquerading as Browser Process
- Potential Masquerading as Business App Installer
- Potential Masquerading as Communication Apps
- Potential Masquerading as System32 dLL
- Potential Masquerading as System32 Executable
- Potential Masquerading as VLC dLL
- Potential Memory Seeking Activity
- Potential Meterpreter Reverse Shell
- Potential Microsoft 365 User Account Brute Force
- Potential Microsoft Office Sandbox Evasion
- Potential Modification of Accessibility Binaries
- Potential NetNTLMv1 downgrade Attack
- Potential Network Scan detected
- Potential Network Scan Executed From Host
- Potential Network Share discovery
- Potential Network Sweep detected
- Potential Non-Standard Port HTTP/HTTPS connection
- Potential Non-Standard Port SSH connection
- Potential Okta MFA Bombing via Push Notifications
- Potential OpenSSH Backdoor Logging Activity
- Potential Outgoing RdP Connection by Unusual Process
- Potential Pass-the-Hash (PtH) Attempt
- Potential Persistence via Atom Init Script Modification
- Potential Persistence via File Modification
- Potential Persistence via Login Hook
- Potential Persistence via Periodic Tasks
- Potential Persistence via Time Provider Modification
- Potential Port Monitor or Print Processor Registration Abuse
- Potential Port Scanning Activity from Compromised Host
- Potential PowerShell HackTool Script by Author
- Potential PowerShell HackTool Script by Function Names
- Potential PowerShell Obfuscated Script
- Potential PowerShell Obfuscation via Backtick-Escaped Variable Expansion
- Potential PowerShell Obfuscation via Character Array Reconstruction
- Potential PowerShell Obfuscation via Concatenated dynamic Command Invocation
- Potential PowerShell Obfuscation via High Numeric Character Proportion
- Potential PowerShell Obfuscation via High Special Character Proportion
- Potential PowerShell Obfuscation via Invalid Escape Sequences
- Potential PowerShell Obfuscation via Reverse Keywords
- Potential PowerShell Obfuscation via Special Character Overuse
- Potential PowerShell Obfuscation via String Concatenation
- Potential PowerShell Obfuscation via String Reordering
- Potential PowerShell Pass-the-Hash/Relay Script
- Potential Privacy Control Bypass via Localhost Secure Copy
- Potential Privacy Control Bypass via TCCdB Modification
- Potential Privilege Escalation through Writable docker Socket
- Potential Privilege Escalation via CVE-2023-4911
- Potential Privilege Escalation via Container Misconfiguration
- Potential Privilege Escalation via Enlightenment
- Potential Privilege Escalation via InstallerFileTakeOver
- Potential Privilege Escalation via Linux dAC permissions
- Potential Privilege Escalation via OverlayFS
- Potential Privilege Escalation via PKEXEC
- Potential Privilege Escalation via Python cap_setuid
- Potential Privilege Escalation via Recently Compiled Executable
- Potential Privilege Escalation via Service ImagePath Modification
- Potential Privilege Escalation via Sudoers File Modification
- Potential Privilege Escalation via UId INT_MAX Bug detected
- Potential Privileged Escalation via SamAccountName Spoofing
- Potential Process Injection from Malicious document
- Potential Process Injection via PowerShell
- Potential Process Name Stomping with Prctl
- Potential Protocol Tunneling via Chisel Client
- Potential Protocol Tunneling via Chisel Server
- Potential Protocol Tunneling via EarthWorm
- Potential Pspy Process Monitoring detected
- Potential Ransomware Behavior - High count of Readme files by System
- Potential Ransomware Note File dropped via SMB
- Potential Relay Attack against a domain Controller
- Potential Remote Code Execution via Web Server
- Potential Remote Credential Access via Registry
- Potential Remote desktop Shadowing Activity
- Potential Remote desktop Tunneling detected
- Potential Remote File Execution via MSIEXEC
- Potential RemoteMonologue Attack
- Potential Reverse Shell
- Potential Reverse Shell Activity via Terminal
- Potential Reverse Shell via Background Process
- Potential Reverse Shell via Child
- Potential Reverse Shell via Java
- Potential Reverse Shell via Suspicious Binary
- Potential Reverse Shell via Suspicious Child Process
- Potential Reverse Shell via UdP
- Potential SSH-IT SSH Worm downloaded
- Potential SYN-Based Port Scan detected
- Potential Secure File deletion via Sdelete Utility
- Potential Shadow Credentials added to Ad Object
- Potential Shadow File Read via Command Line Utilities
- Potential SharpRdP Behavior
- Potential Shell via Wildcard Injection detected
- Potential Subnet Scanning Activity from Compromised Host
- Potential Successful Linux FTP Brute Force Attack detected
- Potential Successful Linux RdP Brute Force Attack detected
- Potential Successful SSH Brute Force Attack
- Potential Sudo Hijacking
- Potential Sudo Privilege Escalation via CVE-2019-14287
- Potential Sudo Token Manipulation via Process Injection
- Potential Suspicious debugFS Root device Access
- Potential Suspicious File Edit
- Potential Unauthorized Access via Wildcard Injection detected
- Potential Upgrade of Non-interactive Shell
- Potential Veeam Credential Access Command
- Potential WPAd Spoofing via dNS Record Creation
- Potential WSUS Abuse for Lateral Movement
- Potential Widespread Malware Infection Across Multiple Hosts
- Potential Windows Error Manager Masquerading
- Potential Windows Session Hijacking via CcmExec
- Potential curl CVE-2023-38545 Exploitation
- Potential macOS SSH Brute Force detected
- Potential privilege escalation via CVE-2022-38028
- Potentially Successful MFA Bombing via Push Notifications
- Potentially Suspicious Process Started via tmux or screen
- PowerShell Invoke-NinjaCopy script
- PowerShell Kerberos Ticket dump
- PowerShell Kerberos Ticket Request
- PowerShell Keylogging Script
- PowerShell Mailbox Collection Script
- PowerShell Minidump Script
- PowerShell Obfuscation via Negative Index String Reversal
- PowerShell PSReflect Script
- PowerShell Script Block Logging disabled
- PowerShell Script with Archive Compression Capabilities
- PowerShell Script with discovery Capabilities
- PowerShell Script with Encryption/decryption Capabilities
- PowerShell Script with Log Clear Capabilities
- PowerShell Script with Password Policy discovery Capabilities
- PowerShell Script with Remote Execution Capabilities via WinRM
- PowerShell Script with Token Impersonation Capabilities
- PowerShell Script with Veeam Credential Access Capabilities
- PowerShell Script with Webcam Video Capture Capabilities
- PowerShell Script with Windows defender Tampering Capabilities
- PowerShell Share Enumeration Script
- PowerShell Suspicious discovery Related Windows API Functions
- PowerShell Suspicious Payload Encoded and Compressed
- PowerShell Suspicious Script with Audio Capture Capabilities
- PowerShell Suspicious Script with Clipboard Retrieval Capabilities
- PowerShell Suspicious Script with Screenshot Capabilities
- Printer User (lp) Shell Execution
- Private Key Searching Activity
- Privilege Escalation via CAP_CHOWN/CAP_FOWNER Capabilities
- Privilege Escalation via CAP_SETUId/SETGId Capabilities
- Privilege Escalation via GdB CAP_SYS_PTRACE
- Privilege Escalation via Named Pipe Impersonation
- Privilege Escalation via Rogue Named Pipe Impersonation
- Privilege Escalation via Root Crontab File Modification
- Privilege Escalation via SUId/SGId
- Privilege Escalation via Windir Environment Variable
- Privileged Account Brute Force
- Privileged docker Container Creation
- Privileges Elevation via Parent Process PId Spoofing
- Process Activity via Compiled HTML File
- Process Backgrounded by Unusual Parent
- Process Capability Enumeration
- Process Capability Set via setcap Utility
- Process Created with a duplicated Token
- Process Created with an Elevated Token
- Process Creation via Secondary Logon
- Process discovery Using Built-in Tools
- Process discovery via Built-In Applications
- Process Execution from an Unusual directory
- Process Injection - detected - Elastic Endgame
- Process Injection - Prevented - Elastic Endgame
- Process Injection by the Microsoft Build Engine
- Process Spawned from Message-of-the-day (MOTd)
- Process Started from Process Id (PId) File
- Process Started with Executable Stack
- Process Termination followed by deletion
- Processes with Trailing Spaces
- Program Files directory Masquerading
- Prompt for Credentials with Osascript
- ProxyChains Activity
- PsExec Network Connection
- Python Path File (pth) Creation
- Python Site or User Customize File Creation
- Quarantine Attrib Removed by Unsigned or Untrusted Process
- Query Registry using Built-in Tools
- RdP (Remote desktop Protocol) from the Internet
- RdP Enabled via Registry
- ROT Encoded Python Script Execution
- RPC (Remote Procedure Call) from the Internet
- RPC (Remote Procedure Call) to the Internet
- RPM Package Installed by Unusual Parent Process
- Ransomware - detected - Elastic defend
- Ransomware - detected - Elastic Endgame
- Ransomware - Prevented - Elastic defend
- Ransomware - Prevented - Elastic Endgame
- Rapid Secret Retrieval Attempts from AWS SecretsManager
- Rapid7 Threat Command CVEs Correlation
- Rare AWS Error Code
- Rare Connection to WebdAV Target
- Rare SMB Connection to the Internet
- Rare User Logon
- Registry Persistence via AppCert dLL
- Registry Persistence via AppInit dLL
- Remote Computer Account dnsHostName Update
- Remote desktop Enabled in Windows Firewall by Netsh
- Remote desktop File Opened from Suspicious Path
- Remote Execution via File Shares
- Remote File Copy to a Hidden Share
- Remote File Copy via TeamViewer
- Remote File Creation in World Writeable directory
- Remote File download via desktopimgdownldr Utility
- Remote File download via MpCmdRun
- Remote File download via PowerShell
- Remote File download via Script Interpreter
- Remote SSH Login Enabled via systemsetup Command
- Remote Scheduled Task Creation
- Remote Scheduled Task Creation via RPC
- Remote System discovery Commands
- Remote Windows Service Installed
- Remote XSL Script Execution via COM
- Remotely Started Services via RPC
- Renamed AutoIt Scripts Interpreter
- Renamed Utility Executed with Short Program Name
- Root Certificate Installation
- Root Network Connection via GdB CAP_SYS_PTRACE
- Roshal Archive (RAR) or PowerShell File downloaded from the Internet
- Route53 Resolver Query Log Configuration deleted
- SELinux Configuration Creation or Renaming
- SIP Provider Modification
- SMB (Windows File Sharing) Activity to the Internet
- SMB Connections via LOLBin or Untrusted Process
- SMTP on Port 26/TCP
- SNS Topic Message Publish by Rare User
- SSH Authorized Keys File deletion
- SSH Authorized Keys File Modification
- SSH Key Generated via ssh-keygen
- SSH Process Launched From Inside A Container
- SSL Certificate deletion
- SSM Session Started to EC2 Instance
- SUId/SGId Bit Set
- SUId/SGUId Enumeration detected
- SUNBURST Command and Control Activity
- Scheduled Task Created by a Windows Script
- Scheduled Task Execution at Scale via GPO
- Scheduled Tasks AT Command Enabled
- ScreenConnect Server Spawning Suspicious Processes
- Screensaver Plist File Modified by Unexpected Process
- Script Execution via Microsoft HTML Application
- SedebugPrivilege Enabled by a Suspicious Process
- Searching for Saved Credentials via VaultCmd
- Security File Access via Common Utilities
- Security Software discovery using WMIC
- Security Software discovery via Grep
- Segfault detected
- Sensitive Audit Policy Sub-Category disabled
- Sensitive Files Compression
- Sensitive Files Compression Inside A Container
- Sensitive Keys Or Passwords Searched For Inside A Container
- Sensitive Privilege SeEnabledelegationPrivilege assigned to a User
- Sensitive Registry Hive Access via RegBack
- Service Command Lateral Movement
- Service Control Spawned via Script Interpreter
- Service Creation via Local Kerberos Authentication
- Service dACL Modification via sc.exe
- Service disabled via Registry Modification
- Service Path Modification
- Service Path Modification via sc.exe
- Setcap setuid/setgid Capability Set
- Shadow File Modification by Unusual Process
- SharePoint Malware File Upload
- Shared Object Created or Changed by Previously Unknown Process
- Shell Configuration Creation or Modification
- Shell Execution via Apple Scripting
- Shortcut File Written or Modified on Startup Folder
- Signed Proxy Execution via MS Work Folders
- Simple HTTP Web Server Connection
- Simple HTTP Web Server Creation
- SoftwareUpdate Preferences Modification
- SolarWinds Process disabling Services via Registry
- Spike in AWS Error Messages
- Spike in Bytes Sent to an External device
- Spike in Bytes Sent to an External device via Airdrop
- Spike in Failed Logon Events
- Spike in Firewall denies
- Spike in Group Application Assignment Change Events
- Spike in Group Lifecycle Change Events
- Spike in Group Management Events
- Spike in Group Membership Events
- Spike in Group Privilege Change Events
- Spike in Logon Events
- Spike in Network Traffic
- Spike in Network Traffic To a Country
- Spike in Number of Connections Made from a Source IP
- Spike in Number of Connections Made to a destination IP
- Spike in Number of Processes in an RdP Session
- Spike in Privileged Command Execution by a User
- Spike in Remote File Transfers
- Spike in Special Logon Events
- Spike in Special Privilege Use Events
- Spike in Successful Logon Events from a Source IP
- Spike in User Account Management Events
- Spike in User Lifecycle Management Change Events
- Spike in host-based traffic
- Startup Folder Persistence via Unsigned Process
- Startup Persistence by a Suspicious Process
- Startup or Run Key Registry Modification
- Startup/Logon Script added to Group Policy Object
- Statistical Model detected C2 Beaconing Activity
- Statistical Model detected C2 Beaconing Activity with High Confidence
- Stolen Credentials Used to Login to Okta Account After MFA Reset
- Sublime Plugin or Application Script Modification
- Successful Application SSO from Rare Unknown Client device
- Successful SSH Authentication from Unusual IP Address
- Successful SSH Authentication from Unusual SSH Public Key
- Successful SSH Authentication from Unusual User
- Sudo Command Enumeration detected
- Sudo Heap-Based Buffer Overflow Attempt
- Sudoers File Modification
- Suspicious .NET Code Compilation
- Suspicious .NET Reflection via PowerShell
- Suspicious /proc/maps discovery
- Suspicious AdRS Token Request by Microsoft Auth Broker
- Suspicious APT Package Manager Execution
- Suspicious APT Package Manager Network Connection
- Suspicious Access to LdAP Attributes
- Suspicious Activity Reported by Okta User
- Suspicious Antimalware Scan Interface dLL
- Suspicious Automator Workflows Execution
- Suspicious Browser Child Process
- Suspicious Calendar File Modification
- Suspicious CertUtil Commands
- Suspicious Child Process of Adobe Acrobat Reader Update Service
- Suspicious Cmd Execution via WMI
- Suspicious Communication App Child Process
- Suspicious Content Extracted or decompressed via Funzip
- Suspicious CronTab Creation or Modification
- Suspicious dLL Loaded for Persistence or Privilege Escalation
- Suspicious data Encryption via OpenSSL Utility
- Suspicious dynamic Linker discovery via od
- Suspicious Email Access by First-Party Application via Microsoft Graph
- Suspicious Emond Child Process
- Suspicious Endpoint Security Parent Process
- Suspicious Entra Id OAuth User Impersonation Scope detected
- Suspicious Execution from Foomatic-rip or Cupsd Parent
- Suspicious Execution from INET Cache
- Suspicious Execution from a Mounted device
- Suspicious Execution via MSIEXEC
- Suspicious Execution via Microsoft Office Add-Ins
- Suspicious Execution via Scheduled Task
- Suspicious Execution via Windows Subsystem for Linux
- Suspicious Explorer Child Process
- Suspicious File Creation via Kworker
- Suspicious File downloaded from Google drive
- Suspicious File Renamed via SMB
- Suspicious HTML File Creation
- Suspicious Hidden Child Process of Launchd
- Suspicious Image Load (taskschd.dll) from MS Office
- Suspicious ImagePath Service Creation
- Suspicious Installer Package Spawns Network Event
- Suspicious Inter-Process Communication via Outlook
- Suspicious JetBrains TeamCity Child Process
- Suspicious Kernel Feature Activity
- Suspicious Kworker UId Elevation
- Suspicious LSASS Access via MalSecLogon
- Suspicious Lsass Process Access
- Suspicious MS Office Child Process
- Suspicious MS Outlook Child Process
- Suspicious Mailbox Permission delegation in Exchange Online
- Suspicious Managed Code Hosting Process
- Suspicious Memory grep Activity
- Suspicious Microsoft 365 Mail Access by Unusual ClientAppId
- Suspicious Microsoft 365 UserLoggedIn via OAuth Code
- Suspicious Microsoft diagnostics Wizard Execution
- Suspicious Microsoft OAuth Flow via Auth Broker to dRS
- Suspicious Mining Process Creation Event
- Suspicious Modprobe File Event
- Suspicious Module Loaded by LSASS
- Suspicious Named Pipe Creation
- Suspicious Network Activity to the Internet by Previously Unknown Executable
- Suspicious Network Connection via systemd
- Suspicious Network Tool Launched Inside A Container
- Suspicious Outlook Child Process
- Suspicious PdF Reader Child Process
- Suspicious Passwd File Event Action
- Suspicious Path Invocation from Command Line
- Suspicious Path Mounted
- Suspicious Portable Executable Encoded in Powershell Script
- Suspicious PowerShell Engine ImageLoad
- Suspicious Powershell Script
- Suspicious Print Spooler File deletion
- Suspicious Print Spooler Point and Print dLL
- Suspicious Print Spooler SPL File Created
- Suspicious PrintSpooler Service Executable File Creation
- Suspicious Proc Pseudo File System Enumeration
- Suspicious Process Access via direct System Call
- Suspicious Process Creation CallTrace
- Suspicious Process Execution via Renamed PsExec Executable
- Suspicious RdP ActiveX Client Loaded
- Suspicious Remote Registry Access via SeBackupPrivilege
- Suspicious Renaming of ESXI Files
- Suspicious Renaming of ESXI index.html File
- Suspicious ScreenConnect Client Child Process
- Suspicious Script Object Execution
- Suspicious Service was Installed in the System
- Suspicious SolarWinds Child Process
- Suspicious Startup Shell Folder Modification
- Suspicious Symbolic Link Created
- Suspicious Sysctl File Event
- Suspicious System Commands Executed by Previously Unknown Executable
- Suspicious Termination of ESXI Process
- Suspicious Troubleshooting Pack Cabinet Execution
- Suspicious Usage of bpf_probe_write_user Helper
- Suspicious Utility Launched via ProxyChains
- Suspicious WMI Event Subscription Created
- Suspicious WMI Image Load from MS Office
- Suspicious WMIC XSL Script Execution
- Suspicious Web Browser Sensitive File Access
- Suspicious WerFault Child Process
- Suspicious Windows Command Shell Arguments
- Suspicious Windows Powershell Arguments
- Suspicious Zoom Child Process
- Suspicious macOS MS Office Child Process
- Suspicious pbpaste High Volume Activity
- Suspicious rc.local Error Message
- Suspicious which Enumeration
- Svchost spawning Cmd
- Symbolic Link to Shadow Copy Created
- System Binary Moved or Copied
- System Binary Path File Permission Modification
- System Binary Symlink to Suspicious Location
- System Hosts File Access
- System Information discovery via Windows Command Shell
- System Log File deletion
- System Network Connections discovery
- System Owner/User discovery Linux
- System Service discovery through built-in Windows Utilities
- System Shells via Services
- System Time discovery
- System V Init Script Created
- SystemKey Access via Command Line
- Systemd Generator Created
- Systemd Service Created
- Systemd Service Started by Unusual Parent Process
- Systemd Shell Execution during Boot
- Systemd Timer Created
- Systemd-udevd Rule File Creation
- TCC Bypass via Mounted APFS Snapshot Access
- Tainted Kernel Module Load
- Tainted Out-Of-Tree Kernel Module Load
- Tampering of Shell Command-Line History
- TeamFiltration User-Agents detected
- Temporarily Scheduled Task Creation
- Third-party Backup Files deleted via Unexpected Process
- Threat Intel Email Indicator Match
- Threat Intel Hash Indicator Match
- Threat Intel IP Address Indicator Match
- Threat Intel URL Indicator Match
- Threat Intel Windows Registry Indicator Match
- Timestomping using Touch Command
- Trap Signals Execution
- UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer
- UAC Bypass Attempt via Privileged IFileOperation COM Interface
- UAC Bypass Attempt via Windows directory Masquerading
- UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface
- UAC Bypass via diskCleanup Scheduled Task Hijack
- UAC Bypass via ICMLuaUtil Elevated COM Interface
- UAC Bypass via Windows Firewall Snap-In Hijack
- UId Elevation from Previously Unknown Executable
- Unauthorized Access to an Okta Application
- Unauthorized Scope for Public App OAuth2 Token Grant with Client Credentials
- Uncommon destination Port Connection by Web Server
- Uncommon Registry Persistence Change
- Unexpected Child Process of macOS Screensaver Engine
- Unix Socket Connection
- Unknown Execution of Binary with RWX Memory Region
- Unsigned BITS Service Client Process
- Unsigned dLL Loaded by Svchost
- Unsigned dLL Loaded by a Trusted Process
- Unsigned dLL Side-Loading from a Suspicious Folder
- Unsigned dLL loaded by dNS Service
- Untrusted dLL Loaded by Azure Ad Sync Service
- Untrusted driver Loaded
- Unusual AWS Command for a User
- Unusual AWS S3 Object Encryption with SSE-C
- Unusual Base64 Encoding/decoding Activity
- Unusual Child Process from a System Virtual Process
- Unusual Child Process of dns.exe
- Unusual Child Processes of RundLL32
- Unusual City For an AWS Command
- Unusual Command Execution from Web Server Parent
- Unusual Country For an AWS Command
- Unusual d-Bus daemon Child Process
- Unusual dNS Activity
- Unusual dPKG Execution
- Unusual discovery Activity by User
- Unusual discovery Signal Alert with Unusual Process Command Line
- Unusual discovery Signal Alert with Unusual Process Executable
- Unusual Executable File Creation by a System Critical Process
- Unusual Execution from Kernel Thread (kthreadd) Parent
- Unusual Execution via Microsoft Common Console File
- Unusual Exim4 Child Process
- Unusual File Creation - Alternate data Stream
- Unusual File Creation by Web Server
- Unusual File Modification by dns.exe
- Unusual File Transfer Utility Launched
- Unusual Group Name Accessed by a User
- Unusual High Confidence Content Filter Blocks detected
- Unusual High denied Sensitive Information Policy Blocks detected
- Unusual High denied Topic Blocks detected
- Unusual High Word Policy Blocks detected
- Unusual Host Name for Okta Privileged Operations detected
- Unusual Host Name for Windows Privileged Operations detected
- Unusual Hour for a User to Logon
- Unusual Instance Metadata Service (IMdS) API Request
- Unusual Interactive Process Launched in a Container
- Unusual Interactive Shell Launched from System User
- Unusual Ld_PRELOAd/Ld_LIBRARY_PATH Command Line Arguments
- Unusual Linux Network Activity
- Unusual Linux Network Configuration discovery
- Unusual Linux Network Connection discovery
- Unusual Linux Network Port Activity
- Unusual Linux Process Calling the Metadata Service
- Unusual Linux Process discovery Activity
- Unusual Linux System Information discovery Activity
- Unusual Linux User Calling the Metadata Service
- Unusual Linux User discovery Activity
- Unusual Linux Username
- Unusual Login Activity
- Unusual Network Activity from a Windows System Binary
- Unusual Network Connection to Suspicious Top Level domain
- Unusual Network Connection to Suspicious Web Service
- Unusual Network Connection via dllHost
- Unusual Network Connection via RundLL32
- Unusual Network destination domain Name
- Unusual Parent Process for cmd.exe
- Unusual Parent-Child Relationship
- Unusual Persistence via Services Registry
- Unusual Pkexec Execution
- Unusual Preload Environment Variable Process Execution
- Unusual Print Spooler Child Process
- Unusual Privilege Type assigned to a User
- Unusual Process detected for Privileged Commands by a User
- Unusual Process Execution Path - Alternate data Stream
- Unusual Process Execution on WBEM Path
- Unusual Process Extension
- Unusual Process For MSSQL Service Accounts
- Unusual Process For a Linux Host
- Unusual Process For a Windows Host
- Unusual Process Network Connection
- Unusual Process Spawned by a Host
- Unusual Process Spawned by a Parent Process
- Unusual Process Spawned by a User
- Unusual Process Spawned from Web Server Parent
- Unusual Process Writing data to an External device
- Unusual ROPC Login Attempt by User Principal
- Unusual Region Name for Okta Privileged Operations detected
- Unusual Region Name for Windows Privileged Operations detected
- Unusual Remote File Creation
- Unusual Remote File directory
- Unusual Remote File Extension
- Unusual Remote File Size
- Unusual SSHd Child Process
- Unusual Scheduled Task Update
- Unusual Service Host Child Process - Childless Service
- Unusual Source IP for Okta Privileged Operations detected
- Unusual Source IP for Windows Privileged Operations detected
- Unusual Source IP for a User to Logon from
- Unusual Spike in Concurrent Active Sessions by a User
- Unusual Sudo Activity
- Unusual Time or day for an RdP Session
- Unusual User Privilege Enumeration via id
- Unusual Web Request
- Unusual Web User Agent
- Unusual Windows Network Activity
- Unusual Windows Path Activity
- Unusual Windows Process Calling the Metadata Service
- Unusual Windows Remote User
- Unusual Windows Service
- Unusual Windows User Calling the Metadata Service
- Unusual Windows User Privilege Elevation Activity
- Unusual Windows Username
- User Account Creation
- User Added as Owner for Azure Application
- User Added as Owner for Azure Service Principal
- User Added to Privileged Group in Active Directory
- User Added to the Admin Group
- User Detected with Suspicious Windows Process(es)
- User account exposed to Kerberoasting
- User or Group Creation/Modification
- VNC (Virtual Network Computing) from the Internet
- VNC (Virtual Network Computing) to the Internet
- Veeam Backup Library Loaded by Unusual Process
- Virtual Machine Fingerprinting
- Virtual Machine Fingerprinting via Grep
- Virtual Private Network Connection Attempt
- Volume Shadow Copy Deleted or Resized via VssAdmin
- Volume Shadow Copy Deletion via PowerShell
- Volume Shadow Copy Deletion via WMIC
- WDAC Policy File by an Unusual Process
- WMI Incoming Lateral Movement
- WMI WBEMTEST Utility Execution
- WMIC Remote Command
- WPS Office Exploitation via DLL Hijack
- WRITEDAC Access on Active Directory Object
- Web Application Suspicious Activity: POST Request Declined
- Web Application Suspicious Activity: Unauthorized Method
- Web Application Suspicious Activity: sqlmap User Agent
- Web Server Spawned via Python
- Web Shell Detection: Script Process Child of Common Web Processes
- WebProxy Settings Modification
- WebServer Access Logs Deleted
- Werfault ReflectDebugger Persistence
- Whoami Process Activity
- Windows Account or Group Discovery
- Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)
- Windows Defender Disabled via Registry Modification
- Windows Defender Exclusions Added via PowerShell
- Windows Event Logs Cleared
- Windows Firewall Disabled via PowerShell
- Windows Installer with Suspicious Properties
- Windows Network Enumeration
- Windows Registry File Creation in SMB Share
- Windows Sandbox with Sensitive Configuration
- Windows Script Executing PowerShell
- Windows Script Interpreter Executing Process via WMI
- Windows Service Installed via an Unusual Client
- Windows Subsystem for Linux Distribution Installed
- Windows Subsystem for Linux Enabled via Dism Utility
- Windows System Information Discovery
- Windows System Network Connections Discovery
- Wireless Credential Dumping using Netsh Command
- Yum Package Manager Plugin File Creation
- Yum/DNF Plugin Status Discovery
- Zoom Meeting with no Passcode
- dMSA Account Creation by an Unusual User
- rc.local/rc.common File Creation
- Downloadable rule updates
- Configure endpoint protection with Elastic Defend
- Manage Elastic Defend
- Endpoints
- Policies
- Trusted applications
- Event filters
- Host isolation exceptions
- Blocklist
- Optimize Elastic Defend
- Event capture and Elastic Defend
- Endpoint protection rules
- Allowlist Elastic Endpoint in third-party antivirus apps
- Elastic Endpoint self-protection features
- Elastic Endpoint command reference
- Endpoint response actions
- Cloud Security
- Dashboards
- Explore
- Advanced Entity Analytics
- Investigation tools
- Elastic Security APIs
- Elastic Security fields and object schemas
- Troubleshooting
- Release notes