text code block:host.os.type:linux and event.category:file and event.action:(creation or file_create_event) and file.extension:(pid or lock or reboot) and file.path:(/var/run/* or /run/*) and ( (process.name : ( bash or dash or sh or tcsh or csh or zsh or ksh or fish or ash or touch or nano or vim or vi or editor or mv or cp) ) or ( process.executable : ( ./* or /tmp/* or /var/tmp/* or /dev/shm/* or /var/run/* or /boot/* or /srv/* or /run/* )) ) and not ( process.executable : ( /tmp/newroot/* or /run/containerd/* or /run/k3s/containerd/* or /run/k0s/container* or /snap/* or /vz/* or /var/lib/docker/* or /etc/*/universal-hooks/pkgs/mysql-community-server/* or /var/lib/snapd/* or /etc/rubrik/* or /run/udev/data/* ) or process.name : ( go or git or containerd* or snap-confine or cron or crond or sshd or unattended-upgrade or vzctl or ifup or rpcbind or runc or gitlab-runner-helper or elastic-agent or metricbeat or redis-server or libvirt_leaseshelper or s6-ipcserver-socketbinder or xinetd or libvirtd or veeamdeploymentsvc or dnsmasq or virtlogd or lynis or veeamtransport or bash or dash or sh or touch or podman or chrome_crashpad_handler or snmpd or automount or chrome or yumBackend.py or rhsmcertd-worker or snapd or cp or dotnet or leapp or haproxy or multipathd or falcond or python* or atopacctd or postmaster or httpd or pulseaudio or iptables or atd or package-cleanup or local ) or file.name : ( jem.*.pid or lynis.pid or redis.pid or yum.pid or MFS.pid or jenkins.pid or nvmupdate.pid or openlitespeed.pid or rhnsd.pid ) or file.path : (/run/containerd/* or /var/run/docker/containerd/* or /var/run/jem*.pid) )
Install detection rules in Elastic Security
Detect Abnormal Process ID or Lock File Created in the Elastic Security detection engine by installing this rule into your Elastic Stack.
To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).