Elastic Security Detection Rules

Elastic Security Detection Rules

Elastic Security detection rules help users to set up and get their detections and security monitoring going as soon as possible. Elastic is committed to transparency and openness(external, opens in a new tab or window) with the security community, which is why we build and maintain our detection logic publicly.

See our docs(external, opens in a new tab or window) for more information on how to enable these detection rules in Elastic Security.

Domains

Rule Types

Operating Systems

Use Cases

Tactics

Data Sources

Threat Hunt Queries

Rule Languages

Multiple Alerts Involving a User

AWS EC2 EBS Snapshot Access Removed

Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score

Machine Learning Detected a Suspicious Windows Event with a Low Malicious Probability Score

Potential Execution via XZBackdoor

Uncommon Destination Port Connection by Web Server

Potential Network Scan Detected

Connection to Commonly Abused Web Services

Suspicious Communication App Child Process

Potential Masquerading as Business App Installer

Potential Masquerading as Communication Apps

Potential PowerShell Obfuscation via Invalid Escape Sequences

Potential PowerShell Obfuscation via Backtick-Escaped Variable Expansion

Potential PowerShell Obfuscation via Character Array Reconstruction

Potential PowerShell Obfuscation via Concatenated Dynamic Command Invocation

Potential PowerShell Obfuscation via High Numeric Character Proportion

Potential PowerShell Obfuscation via String Reordering

Potential PowerShell Obfuscation via High Special Character Proportion

Process Discovery Using Built-in Tools

System Service Discovery through built-in Windows Utilities

Bash Shell Profile Modification

AWS S3 Unauthenticated Bucket Access by Rare Source

First Time Seen AWS Secret Value Accessed in Secrets Manager

AWS Systems Manager SecureString Parameter Request with Decryption Flag

AWS EC2 User Data Retrieval for EC2 Instance

AWS SNS Rare Protocol Subscription by User

Unusual AWS S3 Object Encryption with SSE-C

AWS IAM API Calls via Temporary Session Tokens

AWS IAM Customer-Managed Policy Attached to Role by Rare User

AWS IAM Assume Role Policy Update

AWS STS Role Assumption by Service

AWS STS Role Assumption by User

Shared Object Created or Changed by Previously Unknown Process

Web Shell Detection: Script Process Child of Common Web Processes

Elastic Defend and Email Alerts Correlation

Alerts From Multiple Integrations by Destination Address

Alerts From Multiple Integrations by Source Address

Alerts From Multiple Integrations by User Name

AWS Service Quotas Multi-Region GetServiceQuota Requests

AWS CLI with Kali Linux Fingerprint Identified

Entra ID OAuth user_impersonation Scope for Unusual User and Client

Entra ID User Sign-in with Unusual Client

Entra ID OAuth PRT Issuance to Non-Managed Device Detected

Entra ID User Sign-in with Unusual Non-Managed Device

AWS Config Resource Deletion

AWS Configuration Recorder Stopped

AWS SQS Queue Purge

AWS EventBridge Rule Disabled or Deleted

Potential Linux Tunneling and/or Port Forwarding

Potential Linux Tunneling and/or Port Forwarding via Command Line

Security File Access via Common Utilities

Network Connection via Sudo Binary

Renamed Utility Executed with Short Program Name

Suspicious Kerberos Authentication Ticket Request

Hosts File Modified

AWS Lambda Layer Added to Existing Function

AWS Lambda Function Policy Updated to Allow Public Invocation

Linux Restricted Shell Breakout via Linux Binary(s)

Unusual Web Server Command Execution

Privileged Account Brute Force

Multiple Logon Failure from the same Source Address

Potential Computer Account NTLM Relay Activity

LSASS Process Access via Windows API

Command Execution via ForFiles

Deprecated - Process Termination followed by Deletion

Remote File Copy to a Hidden Share

Suspicious Service was Installed in the System

Suspicious Execution via Scheduled Task

Suricata and Elastic Defend Network Correlation

Agent Spoofing - Multiple Hosts Using Same Agent

M365 or Entra ID Identity Sign-in from a Suspicious Source

Suspicious React Server Child Process

AWS Route 53 Resolver Query Log Configuration Deleted

AWS Route 53 Domain Transfer Lock Disabled

AWS Route 53 Domain Transferred to Another Account

AWS Route 53 Private Hosted Zone Associated With a VPC

Entra ID SharePoint Accessed by Unusual User and Microsoft Authentication Broker Client

Microsoft Graph Request Email Access by Unusual User and Client

Entra ID OAuth Device Code Flow with Concurrent Sign-ins

Entra ID User Sign-in Brute Force Attempted

Entra ID Excessive Account Lockouts Detected

Entra ID Sign-in Brute Force Attempted (Microsoft 365)

Entra ID Concurrent Sign-in with Suspicious Properties

Entra ID MFA TOTP Brute Force Attempted

Azure Key Vault Excessive Secret or Key Retrieved

Azure Key Vault Unusual Secret Key Usage

Azure VNet Full Network Packet Capture Enabled

Azure Automation Runbook Deleted

Azure Event Hub Deleted

Azure Diagnostic Settings Deleted

Azure Kubernetes Services (AKS) Kubernetes Events Deleted

Azure VNet Firewall Policy Deleted

Azure VNet Firewall Front Door WAF Policy Deleted

Azure VNet Network Watcher Deleted

Azure Diagnostic Settings Alert Suppression Rule Created or Modified

Azure Blob Storage Permissions Modified

Entra ID Sign-in BloodHound Suite User-Agent Detected

Entra ID Sign-in TeamFiltration User-Agent Detected

Azure Blob Storage Container Access Level Modified

Azure Automation Runbook Created or Modified

Showing up to 100 rules. Use the options at the top of the page to further fine the 1726 rules matching your current search settings.