Elastic Security Detection Rules

Elastic Security Detection Rules

Elastic Security detection rules help users to set up and get their detections and security monitoring going as soon as possible. Elastic is committed to transparency and openness(opens in a new tab or window) with the security community, which is why we build and maintain our detection logic publicly.

See our docs(opens in a new tab or window) for more information on how to enable these detection rules in Elastic Security.

Domains

Filter by 6 Domains

Rule Types

Filter by 4 Rule Types

Operating Systems

Filter by 3 Operating Systems

Use Cases

Filter by 19 Use Cases

Tactics

Filter by 14 Tactics

Data Sources

Filter by 57 Data Sources

Threat Hunt Queries

Filter by 1 Threat Hunt Queries

Rule Languages

Filter by 4 Rule Languages

AWS Bedrock Guardrails Detected Multiple Policy Violations Within a Single Blocked Request

Suspicious Usage of bpf_probe_write_user Helper

IPv4/IPv6 Forwarding Activity

Potential Protocol Tunneling via Chisel Client

Network Activity Detected via Kworker

Suspicious Network Activity to the Internet by Previously Unknown Executable

Potential OpenSSH Backdoor Logging Activity

Unusual Instance Metadata Service (IMDS) API Request

Access Control List Modification via setfacl

Attempt to Disable Auditd Service

Attempt to Disable Syslog Service

System Binary Moved or Copied

Attempt to Clear Kernel Ring Buffer

Dynamic Linker Creation or Modification

File Permission Modification in Writable Directory

Hidden Directory Creation via Unusual Parent

Creation of Hidden Files and Directories via CommandLine

Creation of Hidden Shared Object File

Unusual Interactive Shell Launched from System User

Root Certificate Installation

SELinux Configuration Creation or Renaming

Enumeration of Kernel Modules

Pluggable Authentication Module (PAM) Version Discovery

Potential Pspy Process Monitoring Detected

Security File Access via Common Utilities

Unusual User Privilege Enumeration via id

Unusual Pkexec Execution

Polkit Policy Creation

AWS S3 Unauthenticated Bucket Access by Rare Source

AWS EC2 EBS Snapshot Shared or Made Public

Potential Persistence via File Modification

Kernel Seeking Activity

Kernel Unpacking Activity

Polkit Version Discovery

Process Started with Executable Stack

System Binary Path File Permission Modification

Suspicious Path Invocation from Command Line

D-Bus Service Created

Unusual D-Bus Daemon Child Process

Dracut Module Creation

Initramfs Extraction via CPIO

GRUB Configuration File Creation

GRUB Configuration Generation through Built-in Utilities

Manual Dracut Execution

NetworkManager Dispatcher Script Creation

OpenSSL Password Hash Generation

Executable Bit Set for Potential Persistence Script

Systemd Shell Execution During Boot

Initramfs Unpacking via unmkinitramfs

Potential ADIDNS Poisoning via Wildcard Record Creation

Potential WPAD Spoofing via DNS Record Creation

FirstTime Seen Account Performing DCSync

Potential Credential Access via DCSync

Potential Active Directory Replication Account Backdoor

Kerberos Pre-authentication Disabled for User

Creation of a DNS-Named Record

Access to a Sensitive LDAP Attribute

LSASS Memory Dump Handle Access

Sensitive Privilege SeEnableDelegationPrivilege assigned to a User

Potential Shadow Credentials added to AD Object

User account exposed to Kerberoasting

Suspicious Remote Registry Access via SeBackupPrivilege

Sensitive Audit Policy Sub-Category Disabled

Suspicious Communication App Child Process

Potential PowerShell Obfuscated Script

File with Right-to-Left Override Character (RTLO) Created/Executed

Suspicious Access to LDAP Attributes

AdminSDHolder Backdoor

Account Configured with Never-Expiring Password

KRBTGT Delegation Backdoor

AdminSDHolder SDProp Exclusion Added

Modification of the msPKIAccountCredentials

Potential Non-Standard Port HTTP/HTTPS connection

Potential Antimalware Scan Interface Bypass via PowerShell

AWS EC2 Deprecated AMI Discovery

AWS STS GetCallerIdentity API Called for the First Time

AWS S3 Bucket Policy Added to Share with External Account

AWS IAM Create User via Assumed Role on EC2 Instance

AWS Bedrock Invocations without Guardrails Detected by a Single User Over a Session

AWS Bedrock Guardrails Detected Multiple Violations by a Single User Over a Session

Unusual High Confidence Content Filter Blocks Detected

Potential Abuse of Resources by High Token Count and Large Response Sizes

AWS Bedrock Detected Multiple Attempts to use Denied Models by a Single User

Unusual High Denied Sensitive Information Policy Blocks Detected

Unusual High Denied Topic Blocks Detected

AWS Bedrock Detected Multiple Validation Exception Errors by a Single User

Unusual High Word Policy Blocks Detected

Memory Threat - Detected - Elastic Defend

Behavior - Detected - Elastic Defend

Behavior - Prevented - Elastic Defend

Malicious File - Detected - Elastic Defend

Malicious File - Prevented - Elastic Defend

Ransomware - Detected - Elastic Defend

Ransomware - Prevented - Elastic Defend

Potentially Successful MFA Bombing via Push Notifications

Linux SSH X11 Forwarding

File Transfer or Listener Established via Netcat

Linux Restricted Shell Breakout via Linux Binary(s)

Linux User Added to Privileged Group

Showing up to 100 rules. Use the options at the top of the page to further fine the 1423 rules matching your current search settings.