Elastic Security Detection Rules

Elastic Security Detection Rules

Elastic Security detection rules help users to set up and get their detections and security monitoring going as soon as possible. Elastic is committed to transparency and openness(opens in a new tab or window) with the security community, which is why we build and maintain our detection logic publicly.

See our docs(opens in a new tab or window) for more information on how to enable these detection rules in Elastic Security.

Domains

Filter by 6 Domains

Rule Types

Filter by 4 Rule Types

Operating Systems

Filter by 3 Operating Systems

Use Cases

Filter by 19 Use Cases

Tactics

Filter by 14 Tactics

Data Sources

Filter by 54 Data Sources

AWS STS GetCallerIdentity API Called for the First Time

AWS Bedrock Guardrails Detected Multiple Violations by a Single User Over a Session

Network Connection by Cups or Foomatic-rip Child

File Creation by Cups or Foomatic-rip Child

Printer User (lp) Shell Execution

Cupsd or Foomatic-rip Shell Execution

Suspicious Execution from Foomatic-rip or Cupsd Parent

Tampering of Shell Command-Line History

Potential Reverse Shell Activity via Terminal

Potential Privilege Escalation via Sudoers File Modification

SUID/SGID Bit Set

Sudoers File Modification

Potential Persistence via File Modification

Google Drive Ownership Transferred via Google Workspace

Google Workspace Custom Gmail Route Created or Modified

Google Workspace Drive Encryption Key(s) Accessed from Anonymous User

Application Removed from Blocklist in Google Workspace

Domain Added to Google Workspace Trusted Domains

Google Workspace Bitlocker Setting Disabled

First Time Seen Google Workspace OAuth Login from Third-Party Application

Google Workspace Restrictions for Marketplace Modified to Allow Any App

Forwarded Google Workspace Security Alert

Google Workspace Admin Role Deletion

Google Workspace MFA Enforcement Disabled

External User Added to Google Workspace Group

Google Workspace Suspended User Account Renewed

Google Workspace Object Copied to External Drive with App Consent

Application Added to Google Workspace Domain

Google Workspace 2SV Policy Disabled

Google Workspace Admin Role Assigned to a User

Google Workspace API Access Granted via Domain-Wide Delegation

Google Workspace Custom Admin Role Created

Google Workspace Password Policy Modified

Google Workspace Role Modified

Google Workspace User Organizational Unit Changed

MFA Disabled for Google Workspace Organization

Attempted Bypass of Okta MFA

Attempts to Brute Force an Okta User Account

Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy

Multiple Device Token Hashes for Single Okta Session

Multiple Okta User Authentication Events with Client Address

Multiple Okta User Authentication Events with Same Device Token Hash

Okta Brute Force or Password Spraying Attack

Potential Okta MFA Bombing via Push Notifications

High Number of Okta Device Token Cookies Generated for Authentication

Potentially Successful MFA Bombing via Push Notifications

Okta User Session Impersonation

Attempt to Deactivate an Okta Network Zone

Attempt to Delete an Okta Network Zone

Unauthorized Scope for Public App OAuth2 Token Grant with Client Credentials

Attempt to Deactivate an Okta Policy

Attempt to Deactivate an Okta Policy Rule

Attempt to Delete an Okta Policy

Attempt to Delete an Okta Policy Rule

Attempt to Modify an Okta Network Zone

Attempt to Modify an Okta Policy

Attempt to Modify an Okta Policy Rule

High Number of Okta User Password Reset or Unlock Attempts

Attempt to Revoke Okta API Token

Attempt to Deactivate an Okta Application

Attempt to Delete an Okta Application

Attempt to Modify an Okta Application

Possible Okta DoS Attack

First Occurrence of Okta User Session Started via Proxy

New Okta Authentication Behavior Detected

Okta FastPass Phishing Detection

Unauthorized Access to an Okta Application

Okta User Sessions Started from Different Geolocations

Okta Sign-In Events via Third-Party IdP

Suspicious Activity Reported by Okta User

Multiple Okta Sessions Detected for a Single User

Okta ThreatInsight Threat Suspected Promotion

Administrator Privileges Assigned to an Okta Group

Administrator Role Assigned to an Okta User

Attempt to Create Okta API Token

Attempt to Reset MFA Factors for an Okta User Account

MFA Deactivation with no Re-Activation for Okta User Account

New Okta Identity Provider (IdP) Added by Admin

Modification or Removal of an Okta Application Sign-On Policy

Stolen Credentials Used to Login to Okta Account After MFA Reset

Attempt to Disable IPTables or Firewall

Attempt to Disable Syslog Service

System Binary Moved or Copied

System Log File Deletion

SUID/SGUID Enumeration Detected

Yum/DNF Plugin Status Discovery

Network Connection from Binary with RWX Memory Region

Linux Restricted Shell Breakout via Linux Binary(s)

Potential Meterpreter Reverse Shell

Potential Reverse Shell via UDP

Unknown Execution of Binary with RWX Memory Region

Suspicious APT Package Manager Execution

APT Package Manager Configuration File Creation

Suspicious APT Package Manager Network Connection

At Job Created or Modified

Cron Job Created or Modified

DNF Package Manager Plugin File Creation

Suspicious File Creation in /etc for Persistence

Git Hook Command Execution

Git Hook Created or Modified

Showing up to 100 rules. Use the options at the top of the page to further fine the 1237 rules matching your current search settings.