Elastic Security Detection Rules

Elastic Security Detection Rules

Elastic Security detection rules help users to set up and get their detections and security monitoring going as soon as possible. Elastic is committed to transparency and openness(opens in a new tab or window) with the security community, which is why we build and maintain our detection logic publicly.

See our docs(opens in a new tab or window) for more information on how to enable these detection rules in Elastic Security.

Domains

Filter by 6 Domains

Rule Types

Filter by 4 Rule Types

Operating Systems

Filter by 3 Operating Systems

Use Cases

Filter by 19 Use Cases

Tactics

Filter by 14 Tactics

Data Sources

Filter by 56 Data Sources

AWS SSM `SendCommand` with Run Shell Command Parameters

AWS CloudTrail Log Deleted

AWS EC2 Multi-Region DescribeInstances API Calls

AWS Discovery API Calls via CLI from a Single Resource

AWS STS GetCallerIdentity API Called for the First Time

First Time AWS Cloudformation Stack Creation by User

AWS SSM Command Document Created by Rare User

AWS SNS Email Subscription by Rare User

AWS S3 Bucket Enumeration or Brute Force

AWS EC2 Security Group Configuration Change

AWS IAM Create User via Assumed Role on EC2 Instance

AWS IAM User Created Access Keys For Another User

AWS IAM AdministratorAccess Policy Attached to User

AWS IAM Customer-Managed Policy Attached to Role by Rare User

AWS STS Role Assumption by Service

AWS STS Role Assumption by User

AWS Bedrock Detected Multiple Attempts to use Denied Models by a Single User

AWS Bedrock Detected Multiple Validation Exception Errors by a Single User

Statistical Model Detected C2 Beaconing Activity

Statistical Model Detected C2 Beaconing Activity with High Confidence

AWS SSM `SendCommand` Execution by Rare User

AWS Bedrock Guardrails Detected Multiple Violations by a Single User Over a Session

AWS Bedrock Guardrails Detected Multiple Policy Violations Within a Single Blocked Request

Unusual High Confidence Misconduct Blocks Detected

Potential Abuse of Resources by High Token Count and Large Response Sizes

Curl SOCKS Proxy Activity from Unusual Parent

IPv4/IPv6 Forwarding Activity

Potential Hex Payload Execution

Unusual Interactive Shell Launched from System User

Directory Creation in /bin directory

Hidden Directory Creation via Unusual Parent

WebServer Access Logs Deleted

Hosts File Modified

AWS IAM Deactivation of MFA Device

AWS STS AssumeRole with New MFA Device

AWS STS Role Chaining

Potential Non-Standard Port SSH connection

Elastic Agent Service Terminated

Masquerading Space After Filename

Security Software Discovery via Grep

Deprecated - Suspicious JAVA Child Process

Access Control List Modification via setfacl

Hidden Files and Directories via Hidden Flag

Potential Linux Local Account Brute Force Detected

Unusual Instance Metadata Service (IMDS) API Request

System Binary Moved or Copied

File made Immutable by Chattr

Dynamic Linker Creation or Modification

File Permission Modification in Writable Directory

Creation of Hidden Files and Directories via CommandLine

Potential Hidden Process via Mount Hidepid

First Occurrence of Entra ID Auth via DeviceCode Protocol

Potential Widespread Malware Infection Across Multiple Hosts

AWS Service Quotas Multi-Region `GetServiceQuota` Requests

Potential AWS S3 Bucket Ransomware Note Uploaded

AWS S3 Object Encryption Using External KMS Key

AWS Signin Single Factor Console Login with Federated User

AWS IAM AdministratorAccess Policy Attached to Group

AWS IAM AdministratorAccess Policy Attached to Role

Azure Entra Sign-in Brute Force against Microsoft 365 Accounts

Azure Entra Sign-in Brute Force Microsoft 365 Accounts by Repeat Source

Attempts to Brute Force a Microsoft 365 User Account

AWS EC2 EBS Snapshot Shared with Another Account

Active Directory Forced Authentication from Linux Host - SMB Named Pipes

Microsoft 365 Portal Logins from Impossible Travel Locations

Tampering of Shell Command-Line History

Potential Reverse Shell Activity via Terminal

Potential Privilege Escalation via Sudoers File Modification

SUID/SGID Bit Set

Sudoers File Modification

Potential Persistence via File Modification

Google Drive Ownership Transferred via Google Workspace

Google Workspace Custom Gmail Route Created or Modified

Google Workspace Drive Encryption Key(s) Accessed from Anonymous User

Application Removed from Blocklist in Google Workspace

Domain Added to Google Workspace Trusted Domains

Google Workspace Bitlocker Setting Disabled

First Time Seen Google Workspace OAuth Login from Third-Party Application

Google Workspace Restrictions for Marketplace Modified to Allow Any App

Forwarded Google Workspace Security Alert

Google Workspace Admin Role Deletion

Google Workspace MFA Enforcement Disabled

External User Added to Google Workspace Group

Google Workspace Suspended User Account Renewed

Google Workspace Object Copied to External Drive with App Consent

Application Added to Google Workspace Domain

Google Workspace 2SV Policy Disabled

Google Workspace Admin Role Assigned to a User

Google Workspace API Access Granted via Domain-Wide Delegation

Google Workspace Custom Admin Role Created

Google Workspace Password Policy Modified

Google Workspace Role Modified

Google Workspace User Organizational Unit Changed

MFA Disabled for Google Workspace Organization

Attempt to Disable IPTables or Firewall

Attempt to Disable Syslog Service

System Log File Deletion

ROT Encoded Python Script Execution

Deprecated - Potential Password Spraying of Microsoft 365 User Accounts

Microsoft 365 Impossible travel activity

Showing up to 100 rules. Use the options at the top of the page to further fine the 1259 rules matching your current search settings.