• Elastic Security
  • Elastic Security overview
  • What’s new in 8.13
  • Upgrade Elastic Security to 8.13.4
    • Upgrade from 7.17 to an 8.x version
  • Post-upgrade steps (optional)
    • Migrate detection alerts enriched with threat intelligence
    • Index template script
    • Update a deprecated ServiceNow connector
  • Get started with Elastic Security
    • Elastic Security system requirements
      • Detections prerequisites and requirements
      • Cases prerequisites
      • Entity risk scoring prerequisites
      • Machine learning job and rule requirements
      • Elastic Defend feature privileges
      • Configure network map data
    • Elastic Endgame requirements
      • Enable Full Disk Access for the Elastic Endgame sensor on macOS Catalina through Monterey
      • Enable Full Disk Access for the Elastic Endgame sensor on macOS Ventura and higher
    • Spaces and Elastic Security
    • Data views in Elastic Security
    • Ingest data to Elastic Security
    • Install and configure the Elastic Defend integration
      • Prevent Elastic Agent uninstallation
      • Uninstall Elastic Agent
      • Uninstall Elastic Endpoint
    • Elastic Endpoint requirements
      • Install Elastic Endpoint manually on macOS Catalina through Monterey
      • Install Elastic Endpoint manually on macOS Ventura and higher
    • Configure offline endpoints and air-gapped environments
    • Configure an integration policy for Elastic Defend
      • Configure updates for protection artifacts
      • Turn off diagnostic data for Elastic Defend
      • Configure self-healing rollback for Windows endpoints
      • Configure Linux file system monitoring
      • Create an Elastic Defend policy using API
    • Enable threat intelligence integrations
    • Configure advanced settings
  • Elastic Security UI
  • AI Assistant
    • Triage alerts with Elastic AI Assistant
    • Large language model performance matrix
    • Connect to Azure OpenAI
    • Connect to OpenAI
    • Connect to Amazon Bedrock
  • Dashboards
    • Overview dashboard
    • Detection & Response dashboard
    • Kubernetes dashboard
    • Cloud Security Posture dashboard
    • Entity Analytics dashboard
    • Data Quality dashboard
    • Cloud Native Vulnerability Management Dashboard
    • Detection rule monitoring dashboard
  • Explore
    • Hosts page
    • Network page
    • Users page
  • Detections and alerts
    • About detection rules
    • Create a detection rule
      • Cross-cluster search and detection rules
      • Launch Timeline from investigation guides
    • Install and manage Elastic prebuilt rules
    • Manage detection rules
    • Monitor and troubleshoot rule executions
    • Rule exceptions
      • Create and manage value lists
      • Add and manage exceptions
      • Create and manage shared exception lists
    • About building block rules
    • MITRE ATT&CK® coverage
    • Manage detection alerts
      • Visualize detection alerts
      • View detection alert details
      • Add detection alerts to cases
      • Suppress detection alerts
    • Reduce notifications and alerts
    • Visual event analyzer
    • Query alert indices
    • Tune detection rules
    • Prebuilt rule reference
      • A scheduled task was created
      • A scheduled task was updated
      • APT Package Manager Configuration File Creation
      • AWS Bedrock Detected Multiple Attempts to use Denied Models by a Single User
      • AWS Bedrock Detected Multiple Validation Exception Errors by a Single User
      • AWS Bedrock Guardrails Detected Multiple Policy Violations Within a Single Blocked Request
      • AWS Bedrock Guardrails Detected Multiple Violations by a Single User Over a Session
      • AWS CLI Command with Custom Endpoint URL
      • AWS CloudTrail Log Created
      • AWS CloudTrail Log Deleted
      • AWS CloudTrail Log Suspended
      • AWS CloudTrail Log Updated
      • AWS CloudWatch Alarm Deletion
      • AWS CloudWatch Log Group Deletion
      • AWS CloudWatch Log Stream Deletion
      • AWS Config Resource Deletion
      • AWS Configuration Recorder Stopped
      • AWS Credentials Searched For Inside A Container
      • AWS Deletion of RDS Instance or Cluster
      • AWS Discovery API Calls via CLI from a Single Resource
      • AWS EC2 Admin Credential Fetch via Assumed Role
      • AWS EC2 EBS Snapshot Shared with Another Account
      • AWS EC2 Encryption Disabled
      • AWS EC2 Full Network Packet Capture Detected
      • AWS EC2 Instance Connect SSH Public Key Uploaded
      • AWS EC2 Instance Console Login via Assumed Role
      • AWS EC2 Instance Interaction with IAM Service
      • AWS EC2 Multi-Region DescribeInstances API Calls
      • AWS EC2 Network Access Control List Creation
      • AWS EC2 Network Access Control List Deletion
      • AWS EC2 Security Group Configuration Change
      • AWS EC2 Snapshot Activity
      • AWS EC2 VM Export Failure
      • AWS EFS File System or Mount Deleted
      • AWS ElastiCache Security Group Created
      • AWS ElastiCache Security Group Modified or Deleted
      • AWS EventBridge Rule Disabled or Deleted
      • AWS GuardDuty Detector Deletion
      • AWS IAM AdministratorAccess Policy Attached to Group
      • AWS IAM AdministratorAccess Policy Attached to Role
      • AWS IAM AdministratorAccess Policy Attached to User
      • AWS IAM Assume Role Policy Update
      • AWS IAM Brute Force of Assume Role Policy
      • AWS IAM CompromisedKeyQuarantine Policy Attached to User
      • AWS IAM Create User via Assumed Role on EC2 Instance
      • AWS IAM Customer-Managed Policy Attached to Role by Rare User
      • AWS IAM Deactivation of MFA Device
      • AWS IAM Group Creation
      • AWS IAM Group Deletion
      • AWS IAM Login Profile Added to User
      • AWS IAM Password Recovery Requested
      • AWS IAM Roles Anywhere Profile Creation
      • AWS IAM Roles Anywhere Trust Anchor Created with External CA
      • AWS IAM SAML Provider Updated
      • AWS IAM User Addition to Group
      • AWS IAM User Created Access Keys For Another User
      • AWS KMS Customer Managed Key Disabled or Scheduled for Deletion
      • AWS Lambda Function Created or Updated
      • AWS Lambda Function Policy Updated to Allow Public Invocation
      • AWS Lambda Layer Added to Existing Function
      • AWS Management Console Brute Force of Root User Identity
      • AWS Management Console Root Login
      • AWS RDS Cluster Creation
      • AWS RDS DB Instance Made Public
      • AWS RDS DB Instance Restored
      • AWS RDS DB Instance or Cluster Deletion Protection Disabled
      • AWS RDS DB Instance or Cluster Password Modified
      • AWS RDS DB Snapshot Created
      • AWS RDS DB Snapshot Shared with Another Account
      • AWS RDS Instance Creation
      • AWS RDS Instance/Cluster Stoppage
      • AWS RDS Security Group Creation
      • AWS RDS Security Group Deletion
      • AWS RDS Snapshot Deleted
      • AWS RDS Snapshot Export
      • AWS Redshift Cluster Creation
      • AWS Root Login Without MFA
      • AWS Route 53 Domain Transfer Lock Disabled
      • AWS Route 53 Domain Transferred to Another Account
      • AWS Route Table Created
      • AWS Route Table Modified or Deleted
      • AWS Route53 private hosted zone associated with a VPC
      • AWS S3 Bucket Configuration Deletion
      • AWS S3 Bucket Enumeration or Brute Force
      • AWS S3 Bucket Expiration Lifecycle Configuration Added
      • AWS S3 Bucket Policy Added to Share with External Account
      • AWS S3 Bucket Replicated to Another Account
      • AWS S3 Bucket Server Access Logging Disabled
      • AWS S3 Object Encryption Using External KMS Key
      • AWS S3 Object Versioning Suspended
      • AWS SNS Email Subscription by Rare User
      • AWS SSM Command Document Created by Rare User
      • AWS SSM SendCommand Execution by Rare User
      • AWS SSM SendCommand with Run Shell Command Parameters
      • AWS STS AssumeRole with New MFA Device
      • AWS STS AssumeRoot by Rare User and Member Account
      • AWS STS GetCallerIdentity API Called for the First Time
      • AWS STS GetSessionToken Abuse
      • AWS STS Role Assumption by Service
      • AWS STS Role Assumption by User
      • AWS STS Role Chaining
      • AWS Service Quotas Multi-Region GetServiceQuota Requests
      • AWS Signin Single Factor Console Login with Federated User
      • AWS Systems Manager SecureString Parameter Request with Decryption Flag
      • AWS VPC Flow Logs Deletion
      • AWS WAF Access Control List Deletion
      • AWS WAF Rule or Rule Group Deletion
      • Abnormal Process ID or Lock File Created
      • Abnormally Large DNS Response
      • Accepted Default Telnet Port Connection
      • Access Control List Modification via setfacl
      • Access to Keychain Credentials Directories
      • Access to a Sensitive LDAP Attribute
      • Accessing Outlook Data Files
      • Account Configured with Never-Expiring Password
      • Account Discovery Command via SYSTEM Account
      • Account Password Reset Remotely
      • Account or Group Discovery via Built-In Tools
      • Active Directory Forced Authentication from Linux Host - SMB Named Pipes
      • Active Directory Group Modification by SYSTEM
      • AdFind Command Activity
      • Adding Hidden File Attribute via Attrib
      • AdminSDHolder Backdoor
      • AdminSDHolder SDProp Exclusion Added
      • Administrator Privileges Assigned to an Okta Group
      • Administrator Role Assigned to an Okta User
      • Adobe Hijack Persistence
      • Adversary Behavior - Detected - Elastic Endgame
      • Agent Spoofing - Mismatched Agent ID
      • Agent Spoofing - Multiple Hosts Using Same Agent
      • Alternate Data Stream Creation/Execution at Volume Root Directory
      • Anomalous Linux Compiler Activity
      • Anomalous Process For a Linux Population
      • Anomalous Process For a Windows Population
      • Anomalous Windows Process Creation
      • Apple Script Execution followed by Network Connection
      • Apple Scripting Execution with Administrator Privileges
      • Application Added to Google Workspace Domain
      • Application Removed from Blocklist in Google Workspace
      • Archive File with Unusual Extension
      • At Job Created or Modified
      • At.exe Command Lateral Movement
      • Attempt to Clear Kernel Ring Buffer
      • Attempt to Create Okta API Token
      • Attempt to Deactivate an Okta Application
      • Attempt to Deactivate an Okta Network Zone
      • Attempt to Deactivate an Okta Policy
      • Attempt to Deactivate an Okta Policy Rule
      • Attempt to Delete an Okta Application
      • Attempt to Delete an Okta Network Zone
      • Attempt to Delete an Okta Policy
      • Attempt to Delete an Okta Policy Rule
      • Attempt to Disable Auditd Service
      • Attempt to Disable Gatekeeper
      • Attempt to Disable IPTables or Firewall
      • Attempt to Disable Syslog Service
      • Attempt to Enable the Root Account
      • Attempt to Establish VScode Remote Tunnel
      • Attempt to Install Kali Linux via WSL
      • Attempt to Install Root Certificate
      • Attempt to Modify an Okta Application
      • Attempt to Modify an Okta Network Zone
      • Attempt to Modify an Okta Policy
      • Attempt to Modify an Okta Policy Rule
      • Attempt to Mount SMB Share via Command Line
      • Attempt to Reset MFA Factors for an Okta User Account
      • Attempt to Retrieve User Data from AWS EC2 Instance
      • Attempt to Revoke Okta API Token
      • Attempt to Unload Elastic Endpoint Security Kernel Extension
      • Attempted Bypass of Okta MFA
      • Attempted Private Key Access
      • Attempts to Brute Force a Microsoft 365 User Account
      • Attempts to Brute Force an Okta User Account
      • Authentication via Unusual PAM Grantor
      • Authorization Plugin Modification
      • Azure AD Global Administrator Role Assigned
      • Azure Active Directory High Risk Sign-in
      • Azure Active Directory High Risk User Sign-in Heuristic
      • Azure Active Directory PowerShell Sign-in
      • Azure Alert Suppression Rule Created or Modified
      • Azure Application Credential Modification
      • Azure Automation Account Created
      • Azure Automation Runbook Created or Modified
      • Azure Automation Runbook Deleted
      • Azure Automation Webhook Created
      • Azure Blob Container Access Level Modification
      • Azure Blob Permissions Modification
      • Azure Command Execution on Virtual Machine
      • Azure Conditional Access Policy Modified
      • Azure Diagnostic Settings Deletion
      • Azure Entra Sign-in Brute Force Microsoft 365 Accounts by Repeat Source
      • Azure Entra Sign-in Brute Force against Microsoft 365 Accounts
      • Azure Event Hub Authorization Rule Created or Updated
      • Azure Event Hub Deletion
      • Azure External Guest User Invitation
      • Azure Firewall Policy Deletion
      • Azure Frontdoor Web Application Firewall (WAF) Policy Deleted
      • Azure Full Network Packet Capture Detected
      • Azure Global Administrator Role Addition to PIM User
      • Azure Key Vault Modified
      • Azure Kubernetes Events Deleted
      • Azure Kubernetes Pods Deleted
      • Azure Kubernetes Rolebindings Created
      • Azure Network Watcher Deletion
      • Azure Privilege Identity Management Role Modified
      • Azure Resource Group Deletion
      • Azure Service Principal Addition
      • Azure Service Principal Credentials Added
      • Azure Storage Account Key Regenerated
      • Azure Virtual Network Device Modified or Deleted
      • BPF filter applied using TC
      • Base16 or Base32 Encoding/Decoding Activity
      • Bash Shell Profile Modification
      • Binary Content Copy via Cmd.exe
      • Binary Executed from Shared Memory Directory
      • Bitsadmin Activity
      • Browser Extension Install
      • Bypass UAC via Event Viewer
      • CAP_SYS_ADMIN Assigned to Binary
      • Chkconfig Service Add
      • Clearing Windows Console History
      • Clearing Windows Event Logs
      • Cobalt Strike Command and Control Beacon
      • Code Signing Policy Modification Through Built-in tools
      • Code Signing Policy Modification Through Registry
      • Command Execution via SolarWinds Process
      • Command Prompt Network Connection
      • Command Shell Activity Started via RunDLL32
      • Component Object Model Hijacking
      • Compression DLL Loaded by Unusual Process
      • Conhost Spawned By Suspicious Parent Process
      • Connection to Commonly Abused Free SSL Certificate Providers
      • Connection to Commonly Abused Web Services
      • Connection to External Network via Telnet
      • Connection to Internal Network via Telnet
      • Container Management Utility Run Inside A Container
      • Container Workload Protection
      • Control Panel Process with Unusual Arguments
      • Creation of Hidden Files and Directories via CommandLine
      • Creation of Hidden Launch Agent or Daemon
      • Creation of Hidden Login Item via Apple Script
      • Creation of Hidden Shared Object File
      • Creation of Kernel Module
      • Creation of SettingContent-ms Files
      • Creation of a DNS-Named Record
      • Creation of a Hidden Local User Account
      • Creation or Modification of Domain Backup DPAPI private key
      • Creation or Modification of Pluggable Authentication Module or Configuration
      • Creation or Modification of Root Certificate
      • Creation or Modification of a new GPO Scheduled Task or Service
      • Credential Acquisition via Registry Hive Dumping
      • Credential Dumping - Detected - Elastic Endgame
      • Credential Dumping - Prevented - Elastic Endgame
      • Credential Manipulation - Detected - Elastic Endgame
      • Credential Manipulation - Prevented - Elastic Endgame
      • Cron Job Created or Modified
      • Cupsd or Foomatic-rip Shell Execution
      • Curl SOCKS Proxy Activity from Unusual Parent
      • CyberArk Privileged Access Security Error
      • CyberArk Privileged Access Security Recommended Monitor
      • DNF Package Manager Plugin File Creation
      • DNS Global Query Block List Modified or Disabled
      • DNS Tunneling
      • DNS-over-HTTPS Enabled via Registry
      • DPKG Package Installed by Unusual Parent Process
      • Default Cobalt Strike Team Server Certificate
      • Delayed Execution via Ping
      • Delete Volume USN Journal with Fsutil
      • Deleting Backup Catalogs with Wbadmin
      • Deprecated - Potential Password Spraying of Microsoft 365 User Accounts
      • Deprecated - Suspicious JAVA Child Process
      • Directory Creation in /bin directory
      • Disable Windows Event and Security Logs Using Built-in Tools
      • Disable Windows Firewall Rules via Netsh
      • Disabling User Account Control via Registry Modification
      • Disabling Windows Defender Security Settings via PowerShell
      • Discovery of Domain Groups
      • Discovery of Internet Capabilities via Built-in Tools
      • Docker Escape via Nsenter
      • Domain Added to Google Workspace Trusted Domains
      • Downloaded Shortcut Files
      • Downloaded URL Files
      • Dumping Account Hashes via Built-In Commands
      • Dumping of Keychain Content via Security Command
      • Dynamic Linker Copy
      • Dynamic Linker Creation or Modification
      • EC2 AMI Shared with Another Account
      • ESXI Discovery via Find
      • ESXI Discovery via Grep
      • ESXI Timestomping using Touch Command
      • EggShell Backdoor Execution
      • Egress Connection from Entrypoint in Container
      • Elastic Agent Service Terminated
      • Emond Rules Creation or Modification
      • Enable Host Network Discovery via Netsh
      • Encoded Executable Stored in the Registry
      • Encrypting Files with WinRar or 7z
      • Endpoint Security
      • Entra ID Device Code Auth with Broker Client
      • Enumerating Domain Trusts via DSQUERY.EXE
      • Enumerating Domain Trusts via NLTEST.EXE
      • Enumeration Command Spawned via WMIPrvSE
      • Enumeration of Administrator Accounts
      • Enumeration of Kernel Modules
      • Enumeration of Kernel Modules via Proc
      • Enumeration of Privileged Local Groups Membership
      • Enumeration of Users or Groups via Built-in Commands
      • Exchange Mailbox Export via PowerShell
      • Executable Bit Set for Potential Persistence Script
      • Executable File Creation with Multiple Extensions
      • Executable File with Unusual Extension
      • Executable Masquerading as Kernel Process
      • Execution from Unusual Directory - Command Line
      • Execution from a Removable Media with Network Connection
      • Execution of COM object via Xwizard
      • Execution of File Written or Modified by Microsoft Office
      • Execution of File Written or Modified by PDF Reader
      • Execution of Persistent Suspicious Program
      • Execution of an Unsigned Service
      • Execution via Electron Child Process Node.js Module
      • Execution via MS VisualStudio Pre/Post Build Events
      • Execution via MSSQL xp_cmdshell Stored Procedure
      • Execution via Microsoft DotNet ClickOnce Host
      • Execution via TSClient Mountpoint
      • Execution via Windows Command Debugging Utility
      • Execution via Windows Subsystem for Linux
      • Execution via local SxS Shared Module
      • Execution with Explicit Credentials via Scripting
      • Expired or Revoked Driver Loaded
      • Exploit - Detected - Elastic Endgame
      • Exploit - Prevented - Elastic Endgame
      • Exporting Exchange Mailbox via PowerShell
      • External Alerts
      • External IP Lookup from Non-Browser Process
      • External User Added to Google Workspace Group
      • File Compressed or Archived into Common Format
      • File Creation Time Changed
      • File Creation by Cups or Foomatic-rip Child
      • File Creation, Execution and Self-Deletion in Suspicious Directory
      • File Deletion via Shred
      • File Made Executable via Chmod Inside A Container
      • File Permission Modification in Writable Directory
      • File Staged in Root Folder of Recycle Bin
      • File System Debugger Launched Inside a Privileged Container
      • File Transfer or Listener Established via Netcat
      • File and Directory Permissions Modification
      • File made Immutable by Chattr
      • File or Directory Deletion Command
      • File with Suspicious Extension Downloaded
      • Finder Sync Plugin Registered and Enabled
      • First Occurrence GitHub Event for a Personal Access Token (PAT)
      • First Occurrence of Entra ID Auth via DeviceCode Protocol
      • First Occurrence of GitHub Repo Interaction From a New IP
      • First Occurrence of GitHub User Interaction with Private Repo
      • First Occurrence of IP Address For GitHub Personal Access Token (PAT)
      • First Occurrence of IP Address For GitHub User
      • First Occurrence of Okta User Session Started via Proxy
      • First Occurrence of Personal Access Token (PAT) Use For a GitHub User
      • First Occurrence of Private Repo Event from Specific GitHub Personal Access Token (PAT)
      • First Occurrence of STS GetFederationToken Request by User
      • First Occurrence of User Agent For a GitHub Personal Access Token (PAT)
      • First Occurrence of User-Agent For a GitHub User
      • First Time AWS Cloudformation Stack Creation by User
      • First Time Seen AWS Secret Value Accessed in Secrets Manager
      • First Time Seen Commonly Abused Remote Access Tool Execution
      • First Time Seen Driver Loaded
      • First Time Seen Google Workspace OAuth Login from Third-Party Application
      • First Time Seen NewCredentials Logon Process
      • First Time Seen Removable Device
      • FirstTime Seen Account Performing DCSync
      • Forwarded Google Workspace Security Alert
      • Full User-Mode Dumps Enabled System-Wide
      • GCP Firewall Rule Creation
      • GCP Firewall Rule Deletion
      • GCP Firewall Rule Modification
      • GCP IAM Custom Role Creation
      • GCP IAM Role Deletion
      • GCP IAM Service Account Key Deletion
      • GCP Logging Bucket Deletion
      • GCP Logging Sink Deletion
      • GCP Logging Sink Modification
      • GCP Pub/Sub Subscription Creation
      • GCP Pub/Sub Subscription Deletion
      • GCP Pub/Sub Topic Creation
      • GCP Pub/Sub Topic Deletion
      • GCP Service Account Creation
      • GCP Service Account Deletion
      • GCP Service Account Disabled
      • GCP Service Account Key Creation
      • GCP Storage Bucket Configuration Modification
      • GCP Storage Bucket Deletion
      • GCP Storage Bucket Permissions Modification
      • GCP Virtual Private Cloud Network Deletion
      • GCP Virtual Private Cloud Route Creation
      • GCP Virtual Private Cloud Route Deletion
      • Git Hook Child Process
      • Git Hook Command Execution
      • Git Hook Created or Modified
      • Git Hook Egress Network Connection
      • GitHub App Deleted
      • GitHub Owner Role Granted To User
      • GitHub PAT Access Revoked
      • GitHub Protected Branch Settings Changed
      • GitHub Repo Created
      • GitHub Repository Deleted
      • GitHub UEBA - Multiple Alerts from a GitHub Account
      • GitHub User Blocked From Organization
      • Google Drive Ownership Transferred via Google Workspace
      • Google Workspace 2SV Policy Disabled
      • Google Workspace API Access Granted via Domain-Wide Delegation
      • Google Workspace Admin Role Assigned to a User
      • Google Workspace Admin Role Deletion
      • Google Workspace Bitlocker Setting Disabled
      • Google Workspace Custom Admin Role Created
      • Google Workspace Custom Gmail Route Created or Modified
      • Google Workspace Drive Encryption Key(s) Accessed from Anonymous User
      • Google Workspace MFA Enforcement Disabled
      • Google Workspace Object Copied to External Drive with App Consent
      • Google Workspace Password Policy Modified
      • Google Workspace Restrictions for Marketplace Modified to Allow Any App
      • Google Workspace Role Modified
      • Google Workspace Suspended User Account Renewed
      • Google Workspace User Organizational Unit Changed
      • Group Policy Abuse for Privilege Addition
      • Group Policy Discovery via Microsoft GPResult Utility
      • Halfbaked Command and Control Beacon
      • Hidden Directory Creation via Unusual Parent
      • Hidden Files and Directories via Hidden Flag
      • High Mean of Process Arguments in an RDP Session
      • High Mean of RDP Session Duration
      • High Number of Cloned GitHub Repos From PAT
      • High Number of Okta Device Token Cookies Generated for Authentication
      • High Number of Okta User Password Reset or Unlock Attempts
      • High Number of Process Terminations
      • High Number of Process and/or Service Terminations
      • High Variance in RDP Session Duration
      • Host Files System Changes via Windows Subsystem for Linux
      • Hosts File Modified
      • Hping Process Activity
      • IIS HTTP Logging Disabled
      • IPSEC NAT Traversal Port Activity
      • IPv4/IPv6 Forwarding Activity
      • Image File Execution Options Injection
      • Image Loaded with Invalid Signature
      • ImageLoad via Windows Update Auto Update Client
      • Inbound Connection to an Unsecure Elasticsearch Node
      • Incoming DCOM Lateral Movement via MSHTA
      • Incoming DCOM Lateral Movement with MMC
      • Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows
      • Incoming Execution via PowerShell Remoting
      • Incoming Execution via WinRM Remote Shell
      • Indirect Command Execution via Forfiles/Pcalua
      • Ingress Transfer via Windows BITS
      • Insecure AWS EC2 VPC Security Group Ingress Rule Added
      • InstallUtil Activity
      • InstallUtil Process Making Network Connections
      • Installation of Custom Shim Databases
      • Installation of Security Support Provider
      • Interactive Exec Command Launched Against A Running Container
      • Interactive Logon by an Unusual Process
      • Interactive Terminal Spawned via Perl
      • Interactive Terminal Spawned via Python
      • KRBTGT Delegation Backdoor
      • Kerberos Cached Credentials Dumping
      • Kerberos Pre-authentication Disabled for User
      • Kerberos Traffic from Unusual Process
      • Kernel Driver Load
      • Kernel Driver Load by non-root User
      • Kernel Load or Unload via Kexec Detected
      • Kernel Module Load via insmod
      • Kernel Module Removal
      • Keychain Password Retrieval via Command Line
      • Kirbi File Creation
      • Kubernetes Anonymous Request Authorized
      • Kubernetes Container Created with Excessive Linux Capabilities
      • Kubernetes Denied Service Account Request
      • Kubernetes Exposed Service Created With Type NodePort
      • Kubernetes Pod Created With HostIPC
      • Kubernetes Pod Created With HostNetwork
      • Kubernetes Pod Created With HostPID
      • Kubernetes Pod created with a Sensitive hostPath Volume
      • Kubernetes Privileged Pod Created
      • Kubernetes Suspicious Assignment of Controller Service Account
      • Kubernetes Suspicious Self-Subject Review
      • Kubernetes User Exec into Pod
      • LSASS Memory Dump Creation
      • LSASS Memory Dump Handle Access
      • LSASS Process Access via Windows API
      • Lateral Movement via Startup Folder
      • Launch Agent Creation or Modification and Immediate Loading
      • LaunchDaemon Creation or Modification and Immediate Loading
      • Linux Clipboard Activity Detected
      • Linux Group Creation
      • Linux Process Hooking via GDB
      • Linux Restricted Shell Breakout via Linux Binary(s)
      • Linux SSH X11 Forwarding
      • Linux System Information Discovery
      • Linux User Account Creation
      • Linux User Added to Privileged Group
      • Linux init (PID 1) Secret Dump via GDB
      • Local Account TokenFilter Policy Disabled
      • Local Scheduled Task Creation
      • MFA Deactivation with no Re-Activation for Okta User Account
      • MFA Disabled for Google Workspace Organization
      • MS Office Macro Security Registry Modifications
      • MacOS Installer Package Spawns Network Event
      • Machine Learning Detected DGA activity using a known SUNBURST DNS domain
      • Machine Learning Detected a DNS Request Predicted to be a DGA Domain
      • Machine Learning Detected a DNS Request With a High DGA Probability Score
      • Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score
      • Machine Learning Detected a Suspicious Windows Event with a Low Malicious Probability Score
      • Malware - Detected - Elastic Endgame
      • Malware - Prevented - Elastic Endgame
      • Masquerading Space After Filename
      • Member Removed From GitHub Organization
      • Memory Dump File with Unusual Extension
      • Memory Swap Modification
      • Message-of-the-Day (MOTD) File Creation
      • Microsoft 365 Exchange Anti-Phish Policy Deletion
      • Microsoft 365 Exchange Anti-Phish Rule Modification
      • Microsoft 365 Exchange DKIM Signing Configuration Disabled
      • Microsoft 365 Exchange DLP Policy Removed
      • Microsoft 365 Exchange Malware Filter Policy Deletion
      • Microsoft 365 Exchange Malware Filter Rule Modification
      • Microsoft 365 Exchange Management Group Role Assignment
      • Microsoft 365 Exchange Safe Attachment Rule Disabled
      • Microsoft 365 Exchange Safe Link Policy Disabled
      • Microsoft 365 Exchange Transport Rule Creation
      • Microsoft 365 Exchange Transport Rule Modification
      • Microsoft 365 Global Administrator Role Assigned
      • Microsoft 365 Inbox Forwarding Rule Created
      • Microsoft 365 Portal Login from Rare Location
      • Microsoft 365 Portal Logins from Impossible Travel Locations
      • Microsoft 365 Potential ransomware activity
      • Microsoft 365 Teams Custom Application Interaction Allowed
      • Microsoft 365 Teams External Access Enabled
      • Microsoft 365 Teams Guest Access Enabled
      • Microsoft 365 Unusual Volume of File Deletion
      • Microsoft 365 User Restricted from Sending Email
      • Microsoft Build Engine Started an Unusual Process
      • Microsoft Build Engine Started by a Script Process
      • Microsoft Build Engine Started by a System Process
      • Microsoft Build Engine Started by an Office Application
      • Microsoft Build Engine Using an Alternate Name
      • Microsoft Exchange Server UM Spawning Suspicious Processes
      • Microsoft Exchange Server UM Writing Suspicious Files
      • Microsoft Exchange Transport Agent Install Script
      • Microsoft Exchange Worker Spawning Suspicious Processes
      • Microsoft IIS Connection Strings Decryption
      • Microsoft IIS Service Account Password Dumped
      • Microsoft Management Console File from Unusual Path
      • Microsoft Windows Defender Tampering
      • Mimikatz Memssp Log File Detected
      • Modification of AmsiEnable Registry Key
      • Modification of Boot Configuration
      • Modification of Dynamic Linker Preload Shared Object
      • Modification of Dynamic Linker Preload Shared Object Inside A Container
      • Modification of Environment Variable via Unsigned or Untrusted Parent
      • Modification of OpenSSH Binaries
      • Modification of Safari Settings via Defaults Command
      • Modification of Standard Authentication Module or Configuration
      • Modification of WDigest Security Provider
      • Modification of the msPKIAccountCredentials
      • Modification or Removal of an Okta Application Sign-On Policy
      • Mofcomp Activity
      • Mount Launched Inside a Privileged Container
      • Mounting Hidden or WebDav Remote Shares
      • MsBuild Making Network Connections
      • Mshta Making Network Connections
      • MsiExec Service Child Process With Network Connection
      • Multi-Factor Authentication Disabled for an Azure User
      • Multiple Alerts Involving a User
      • Multiple Alerts in Different ATT&CK Tactics on a Single Host
      • Multiple Device Token Hashes for Single Okta Session
      • Multiple Logon Failure Followed by Logon Success
      • Multiple Logon Failure from the same Source Address
      • Multiple Okta Sessions Detected for a Single User
      • Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy
      • Multiple Okta User Authentication Events with Client Address
      • Multiple Okta User Authentication Events with Same Device Token Hash
      • Multiple Vault Web Credentials Read
      • My First Rule
      • NTDS Dump via Wbadmin
      • NTDS or SAM Database File Copied
      • Namespace Manipulation Using Unshare
      • Netcat Listener Established Inside A Container
      • Netcat Listener Established via rlwrap
      • Netsh Helper DLL
      • Network Activity Detected via Kworker
      • Network Activity Detected via cat
      • Network Connection Initiated by SSHD Child Process
      • Network Connection by Cups or Foomatic-rip Child
      • Network Connection from Binary with RWX Memory Region
      • Network Connection via Certutil
      • Network Connection via Compiled HTML File
      • Network Connection via MsXsl
      • Network Connection via Recently Compiled Executable
      • Network Connection via Registration Utility
      • Network Connection via Signed Binary
      • Network Connection via Sudo Binary
      • Network Connections Initiated Through XDG Autostart Entry
      • Network Logon Provider Registry Modification
      • Network Traffic Capture via CAP_NET_RAW
      • Network Traffic to Rare Destination Country
      • Network-Level Authentication (NLA) Disabled
      • New ActiveSyncAllowedDeviceID Added via PowerShell
      • New GitHub App Installed
      • New GitHub Owner Added
      • New Okta Authentication Behavior Detected
      • New Okta Identity Provider (IdP) Added by Admin
      • New User Added To GitHub Organization
      • New or Modified Federation Domain
      • Nping Process Activity
      • NullSessionPipe Registry Modification
      • O365 Email Reported by User as Malware or Phish
      • O365 Excessive Single Sign-On Logon Errors
      • O365 Exchange Suspicious Mailbox Right Delegation
      • O365 Mailbox Audit Logging Bypass
      • Office Test Registry Persistence
      • Okta Brute Force or Password Spraying Attack
      • Okta FastPass Phishing Detection
      • Okta Sign-In Events via Third-Party IdP
      • Okta ThreatInsight Threat Suspected Promotion
      • Okta User Session Impersonation
      • Okta User Sessions Started from Different Geolocations
      • OneDrive Malware File Upload
      • Openssl Client or Server Activity
      • Outbound Scheduled Task Activity via PowerShell
      • Outlook Home Page Registry Modification
      • Parent Process PID Spoofing
      • Peripheral Device Discovery
      • Permission Theft - Detected - Elastic Endgame
      • Permission Theft - Prevented - Elastic Endgame
      • Persistence via BITS Job Notify Cmdline
      • Persistence via DirectoryService Plugin Modification
      • Persistence via Docker Shortcut Modification
      • Persistence via Folder Action Script
      • Persistence via Hidden Run Key Detected
      • Persistence via KDE AutoStart Script or Desktop File Modification
      • Persistence via Login or Logout Hook
      • Persistence via Microsoft Office AddIns
      • Persistence via Microsoft Outlook VBA
      • Persistence via PowerShell profile
      • Persistence via Scheduled Job Creation
      • Persistence via TelemetryController Scheduled Task Hijack
      • Persistence via Update Orchestrator Service Hijack
      • Persistence via WMI Event Subscription
      • Persistence via WMI Standard Registry Provider
      • Persistence via a Windows Installer
      • Persistent Scripts in the Startup Directory
      • Port Forwarding Rule Addition
      • Possible Consent Grant Attack via Azure-Registered Application
      • Possible FIN7 DGA Command and Control Behavior
      • Possible Okta DoS Attack
      • Potential ADIDNS Poisoning via Wildcard Record Creation
      • Potential AWS S3 Bucket Ransomware Note Uploaded
      • Potential Abuse of Resources by High Token Count and Large Response Sizes
      • Potential Active Directory Replication Account Backdoor
      • Potential Admin Group Account Addition
      • Potential Antimalware Scan Interface Bypass via PowerShell
      • Potential Application Shimming via Sdbinst
      • Potential Buffer Overflow Attack Detected
      • Potential Chroot Container Escape via Mount
      • Potential Code Execution via Postgresql
      • Potential Command and Control via Internet Explorer
      • Potential Container Escape via Modified notify_on_release File
      • Potential Container Escape via Modified release_agent File
      • Potential Cookies Theft via Browser Debugging
      • Potential Credential Access via DCSync
      • Potential Credential Access via DuplicateHandle in LSASS
      • Potential Credential Access via LSASS Memory Dump
      • Potential Credential Access via Memory Dump File Creation
      • Potential Credential Access via Renamed COM+ Services DLL
      • Potential Credential Access via Trusted Developer Utility
      • Potential Credential Access via Windows Utilities
      • Potential Cross Site Scripting (XSS)
      • Potential DGA Activity
      • Potential DLL Side-Loading via Microsoft Antimalware Service Executable
      • Potential DLL Side-Loading via Trusted Microsoft Programs
      • Potential DNS Tunneling via NsLookup
      • Potential Data Exfiltration Activity to an Unusual Destination Port
      • Potential Data Exfiltration Activity to an Unusual IP Address
      • Potential Data Exfiltration Activity to an Unusual ISO Code
      • Potential Data Exfiltration Activity to an Unusual Region
      • Potential Data Splitting Detected
      • Potential Defense Evasion via CMSTP.exe
      • Potential Defense Evasion via Doas
      • Potential Defense Evasion via PRoot
      • Potential Disabling of AppArmor
      • Potential Disabling of SELinux
      • Potential Enumeration via Active Directory Web Service
      • Potential Escalation via Vulnerable MSI Repair
      • Potential Evasion via Filter Manager
      • Potential Evasion via Windows Filtering Platform
      • Potential Execution of rc.local Script
      • Potential Execution via XZBackdoor
      • Potential Exploitation of an Unquoted Service Path Vulnerability
      • Potential External Linux SSH Brute Force Detected
      • Potential File Download via a Headless Browser
      • Potential File Transfer via Certreq
      • Potential Foxmail Exploitation
      • Potential Hex Payload Execution
      • Potential Hidden Local User Account Creation
      • Potential Hidden Process via Mount Hidepid
      • Potential Internal Linux SSH Brute Force Detected
      • Potential Invoke-Mimikatz PowerShell Script
      • Potential JAVA/JNDI Exploitation Attempt
      • Potential Kerberos Attack via Bifrost
      • Potential LSA Authentication Package Abuse
      • Potential LSASS Clone Creation via PssCaptureSnapShot
      • Potential LSASS Memory Dump via PssCaptureSnapShot
      • Potential Lateral Tool Transfer via SMB Share
      • Potential Linux Backdoor User Account Creation
      • Potential Linux Credential Dumping via Proc Filesystem
      • Potential Linux Credential Dumping via Unshadow
      • Potential Linux Hack Tool Launched
      • Potential Linux Local Account Brute Force Detected
      • Potential Linux Ransomware Note Creation Detected
      • Potential Linux Tunneling and/or Port Forwarding
      • Potential Local NTLM Relay via HTTP
      • Potential Masquerading as Browser Process
      • Potential Masquerading as Business App Installer
      • Potential Masquerading as Communication Apps
      • Potential Masquerading as System32 DLL
      • Potential Masquerading as System32 Executable
      • Potential Masquerading as VLC DLL
      • Potential Memory Seeking Activity
      • Potential Meterpreter Reverse Shell
      • Potential Microsoft Office Sandbox Evasion
      • Potential Modification of Accessibility Binaries
      • Potential Network Scan Detected
      • Potential Network Scan Executed From Host
      • Potential Network Share Discovery
      • Potential Network Sweep Detected
      • Potential Non-Standard Port HTTP/HTTPS connection
      • Potential Non-Standard Port SSH connection
      • Potential Okta MFA Bombing via Push Notifications
      • Potential OpenSSH Backdoor Logging Activity
      • Potential Outgoing RDP Connection by Unusual Process
      • Potential Pass-the-Hash (PtH) Attempt
      • Potential Persistence via Atom Init Script Modification
      • Potential Persistence via File Modification
      • Potential Persistence via Login Hook
      • Potential Persistence via Periodic Tasks
      • Potential Persistence via Time Provider Modification
      • Potential Port Monitor or Print Processor Registration Abuse
      • Potential PowerShell HackTool Script by Author
      • Potential PowerShell HackTool Script by Function Names
      • Potential PowerShell Obfuscated Script
      • Potential PowerShell Pass-the-Hash/Relay Script
      • Potential Privacy Control Bypass via Localhost Secure Copy
      • Potential Privacy Control Bypass via TCCDB Modification
      • Potential Privilege Escalation through Writable Docker Socket
      • Potential Privilege Escalation via CVE-2023-4911
      • Potential Privilege Escalation via Container Misconfiguration
      • Potential Privilege Escalation via Enlightenment
      • Potential Privilege Escalation via InstallerFileTakeOver
      • Potential Privilege Escalation via Linux DAC permissions
      • Potential Privilege Escalation via OverlayFS
      • Potential Privilege Escalation via PKEXEC
      • Potential Privilege Escalation via Python cap_setuid
      • Potential Privilege Escalation via Recently Compiled Executable
      • Potential Privilege Escalation via Service ImagePath Modification
      • Potential Privilege Escalation via Sudoers File Modification
      • Potential Privilege Escalation via UID INT_MAX Bug Detected
      • Potential Privileged Escalation via SamAccountName Spoofing
      • Potential Process Injection from Malicious Document
      • Potential Process Injection via PowerShell
      • Potential Protocol Tunneling via Chisel Client
      • Potential Protocol Tunneling via Chisel Server
      • Potential Protocol Tunneling via EarthWorm
      • Potential Pspy Process Monitoring Detected
      • Potential Ransomware Behavior - High count of Readme files by System
      • Potential Ransomware Note File Dropped via SMB
      • Potential Relay Attack against a Domain Controller
      • Potential Remote Code Execution via Web Server
      • Potential Remote Credential Access via Registry
      • Potential Remote Desktop Shadowing Activity
      • Potential Remote Desktop Tunneling Detected
      • Potential Remote File Execution via MSIEXEC
      • Potential Reverse Shell
      • Potential Reverse Shell Activity via Terminal
      • Potential Reverse Shell via Background Process
      • Potential Reverse Shell via Child
      • Potential Reverse Shell via Java
      • Potential Reverse Shell via Suspicious Binary
      • Potential Reverse Shell via Suspicious Child Process
      • Potential Reverse Shell via UDP
      • Potential SSH-IT SSH Worm Downloaded
      • Potential SYN-Based Network Scan Detected
      • Potential Secure File Deletion via SDelete Utility
      • Potential Shadow Credentials added to AD Object
      • Potential Shadow File Read via Command Line Utilities
      • Potential SharpRDP Behavior
      • Potential Shell via Wildcard Injection Detected
      • Potential Successful Linux FTP Brute Force Attack Detected
      • Potential Successful Linux RDP Brute Force Attack Detected
      • Potential Successful SSH Brute Force Attack
      • Potential Sudo Hijacking
      • Potential Sudo Privilege Escalation via CVE-2019-14287
      • Potential Sudo Token Manipulation via Process Injection
      • Potential Suspicious DebugFS Root Device Access
      • Potential Suspicious File Edit
      • Potential Unauthorized Access via Wildcard Injection Detected
      • Potential Upgrade of Non-interactive Shell
      • Potential Veeam Credential Access Command
      • Potential WPAD Spoofing via DNS Record Creation
      • Potential WSUS Abuse for Lateral Movement
      • Potential Widespread Malware Infection Across Multiple Hosts
      • Potential Windows Error Manager Masquerading
      • Potential Windows Session Hijacking via CcmExec
      • Potential curl CVE-2023-38545 Exploitation
      • Potential macOS SSH Brute Force Detected
      • Potential privilege escalation via CVE-2022-38028
      • Potentially Successful MFA Bombing via Push Notifications
      • Potentially Suspicious Process Started via tmux or screen
      • PowerShell Invoke-NinjaCopy script
      • PowerShell Kerberos Ticket Dump
      • PowerShell Kerberos Ticket Request
      • PowerShell Keylogging Script
      • PowerShell Mailbox Collection Script
      • PowerShell MiniDump Script
      • PowerShell PSReflect Script
      • PowerShell Script Block Logging Disabled
      • PowerShell Script with Archive Compression Capabilities
      • PowerShell Script with Discovery Capabilities
      • PowerShell Script with Encryption/Decryption Capabilities
      • PowerShell Script with Log Clear Capabilities
      • PowerShell Script with Password Policy Discovery Capabilities
      • PowerShell Script with Remote Execution Capabilities via WinRM
      • PowerShell Script with Token Impersonation Capabilities
      • PowerShell Script with Veeam Credential Access Capabilities
      • PowerShell Script with Webcam Video Capture Capabilities
      • PowerShell Script with Windows Defender Tampering Capabilities
      • PowerShell Share Enumeration Script
      • PowerShell Suspicious Discovery Related Windows API Functions
      • PowerShell Suspicious Payload Encoded and Compressed
      • PowerShell Suspicious Script with Audio Capture Capabilities
      • PowerShell Suspicious Script with Clipboard Retrieval Capabilities
      • PowerShell Suspicious Script with Screenshot Capabilities
      • Printer User (lp) Shell Execution
      • Private Key Searching Activity
      • Privilege Escalation via CAP_CHOWN/CAP_FOWNER Capabilities
      • Privilege Escalation via CAP_SETUID/SETGID Capabilities
      • Privilege Escalation via GDB CAP_SYS_PTRACE
      • Privilege Escalation via Named Pipe Impersonation
      • Privilege Escalation via Rogue Named Pipe Impersonation
      • Privilege Escalation via Root Crontab File Modification
      • Privilege Escalation via SUID/SGID
      • Privilege Escalation via Windir Environment Variable
      • Privileged Account Brute Force
      • Privileged Docker Container Creation
      • Privileges Elevation via Parent Process PID Spoofing
      • Process Activity via Compiled HTML File
      • Process Capability Enumeration
      • Process Capability Set via setcap Utility
      • Process Created with a Duplicated Token
      • Process Created with an Elevated Token
      • Process Creation via Secondary Logon
      • Process Discovery Using Built-in Tools
      • Process Discovery via Built-In Applications
      • Process Execution from an Unusual Directory
      • Process Injection - Detected - Elastic Endgame
      • Process Injection - Prevented - Elastic Endgame
      • Process Injection by the Microsoft Build Engine
      • Process Spawned from Message-of-the-Day (MOTD)
      • Process Started from Process ID (PID) File
      • Process Termination followed by Deletion
      • Processes with Trailing Spaces
      • Program Files Directory Masquerading
      • Prompt for Credentials with OSASCRIPT
      • ProxyChains Activity
      • PsExec Network Connection
      • Quarantine Attrib Removed by Unsigned or Untrusted Process
      • Query Registry using Built-in Tools
      • RDP (Remote Desktop Protocol) from the Internet
      • RDP Enabled via Registry
      • ROT Encoded Python Script Execution
      • RPC (Remote Procedure Call) from the Internet
      • RPC (Remote Procedure Call) to the Internet
      • RPM Package Installed by Unusual Parent Process
      • Ransomware - Detected - Elastic Endgame
      • Ransomware - Prevented - Elastic Endgame
      • Rapid Secret Retrieval Attempts from AWS SecretsManager
      • Rapid7 Threat Command CVEs Correlation
      • Rare AWS Error Code
      • Rare SMB Connection to the Internet
      • Rare User Logon
      • Registry Persistence via AppCert DLL
      • Registry Persistence via AppInit DLL
      • Remote Computer Account DnsHostName Update
      • Remote Desktop Enabled in Windows Firewall by Netsh
      • Remote Execution via File Shares
      • Remote File Copy to a Hidden Share
      • Remote File Copy via TeamViewer
      • Remote File Download via Desktopimgdownldr Utility
      • Remote File Download via MpCmdRun
      • Remote File Download via PowerShell
      • Remote File Download via Script Interpreter
      • Remote SSH Login Enabled via systemsetup Command
      • Remote Scheduled Task Creation
      • Remote Scheduled Task Creation via RPC
      • Remote System Discovery Commands
      • Remote Windows Service Installed
      • Remote XSL Script Execution via COM
      • Remotely Started Services via RPC
      • Renamed AutoIt Scripts Interpreter
      • Renamed Utility Executed with Short Program Name
      • Root Certificate Installation
      • Root Network Connection via GDB CAP_SYS_PTRACE
      • Roshal Archive (RAR) or PowerShell File Downloaded from the Internet
      • Route53 Resolver Query Log Configuration Deleted
      • SELinux Configuration Creation or Renaming
      • SIP Provider Modification
      • SMB (Windows File Sharing) Activity to the Internet
      • SMB Connections via LOLBin or Untrusted Process
      • SMTP on Port 26/TCP
      • SSH Authorized Keys File Modification
      • SSH Authorized Keys File Modified Inside a Container
      • SSH Connection Established Inside A Running Container
      • SSH Key Generated via ssh-keygen
      • SSH Process Launched From Inside A Container
      • SSL Certificate Deletion
      • SSM Session Started to EC2 Instance
      • SUID/SGID Bit Set
      • SUID/SGUID Enumeration Detected
      • SUNBURST Command and Control Activity
      • Scheduled Task Created by a Windows Script
      • Scheduled Task Execution at Scale via GPO
      • Scheduled Tasks AT Command Enabled
      • ScreenConnect Server Spawning Suspicious Processes
      • Screensaver Plist File Modified by Unexpected Process
      • Script Execution via Microsoft HTML Application
      • SeDebugPrivilege Enabled by a Suspicious Process
      • Searching for Saved Credentials via VaultCmd
      • Security File Access via Common Utilities
      • Security Software Discovery using WMIC
      • Security Software Discovery via Grep
      • Segfault Detected
      • Sensitive Files Compression
      • Sensitive Files Compression Inside A Container
      • Sensitive Keys Or Passwords Searched For Inside A Container
      • Sensitive Privilege SeEnableDelegationPrivilege assigned to a User
      • Sensitive Registry Hive Access via RegBack
      • Service Command Lateral Movement
      • Service Control Spawned via Script Interpreter
      • Service Creation via Local Kerberos Authentication
      • Service DACL Modification via sc.exe
      • Service Disabled via Registry Modification
      • Service Path Modification
      • Service Path Modification via sc.exe
      • Setcap setuid/setgid Capability Set
      • Shadow File Modification
      • SharePoint Malware File Upload
      • Shared Object Created or Changed by Previously Unknown Process
      • Shell Configuration Creation or Modification
      • Shell Execution via Apple Scripting
      • Shortcut File Written or Modified on Startup Folder
      • Signed Proxy Execution via MS Work Folders
      • SoftwareUpdate Preferences Modification
      • SolarWinds Process Disabling Services via Registry
      • Spike in AWS Error Messages
      • Spike in Bytes Sent to an External Device
      • Spike in Bytes Sent to an External Device via Airdrop
      • Spike in Failed Logon Events
      • Spike in Firewall Denies
      • Spike in Logon Events
      • Spike in Network Traffic
      • Spike in Network Traffic To a Country
      • Spike in Number of Connections Made from a Source IP
      • Spike in Number of Connections Made to a Destination IP
      • Spike in Number of Processes in an RDP Session
      • Spike in Remote File Transfers
      • Spike in Successful Logon Events from a Source IP
      • Startup Folder Persistence via Unsigned Process
      • Startup Persistence by a Suspicious Process
      • Startup or Run Key Registry Modification
      • Startup/Logon Script added to Group Policy Object
      • Statistical Model Detected C2 Beaconing Activity
      • Statistical Model Detected C2 Beaconing Activity with High Confidence
      • Stolen Credentials Used to Login to Okta Account After MFA Reset
      • Sublime Plugin or Application Script Modification
      • Successful Application SSO from Rare Unknown Client Device
      • Sudo Command Enumeration Detected
      • Sudo Heap-Based Buffer Overflow Attempt
      • Sudoers File Modification
      • Suspicious .NET Code Compilation
      • Suspicious .NET Reflection via PowerShell
      • Suspicious /proc/maps Discovery
      • Suspicious APT Package Manager Execution
      • Suspicious APT Package Manager Network Connection
      • Suspicious Access to LDAP Attributes
      • Suspicious Activity Reported by Okta User
      • Suspicious Antimalware Scan Interface DLL
      • Suspicious Automator Workflows Execution
      • Suspicious Browser Child Process
      • Suspicious Calendar File Modification
      • Suspicious CertUtil Commands
      • Suspicious Child Process of Adobe Acrobat Reader Update Service
      • Suspicious Cmd Execution via WMI
      • Suspicious Communication App Child Process
      • Suspicious Content Extracted or Decompressed via Funzip
      • Suspicious CronTab Creation or Modification
      • Suspicious DLL Loaded for Persistence or Privilege Escalation
      • Suspicious Data Encryption via OpenSSL Utility
      • Suspicious Dynamic Linker Discovery via od
      • Suspicious Emond Child Process
      • Suspicious Endpoint Security Parent Process
      • Suspicious Execution from Foomatic-rip or Cupsd Parent
      • Suspicious Execution from INET Cache
      • Suspicious Execution from a Mounted Device
      • Suspicious Execution via MSIEXEC
      • Suspicious Execution via Microsoft Office Add-Ins
      • Suspicious Execution via Scheduled Task
      • Suspicious Execution via Windows Subsystem for Linux
      • Suspicious Explorer Child Process
      • Suspicious File Creation in /etc for Persistence
      • Suspicious File Creation via Kworker
      • Suspicious File Downloaded from Google Drive
      • Suspicious File Renamed via SMB
      • Suspicious HTML File Creation
      • Suspicious Hidden Child Process of Launchd
      • Suspicious Image Load (taskschd.dll) from MS Office
      • Suspicious ImagePath Service Creation
      • Suspicious Inter-Process Communication via Outlook
      • Suspicious Interactive Shell Spawned From Inside A Container
      • Suspicious JetBrains TeamCity Child Process
      • Suspicious Kworker UID Elevation
      • Suspicious LSASS Access via MalSecLogon
      • Suspicious Lsass Process Access
      • Suspicious MS Office Child Process
      • Suspicious MS Outlook Child Process
      • Suspicious Managed Code Hosting Process
      • Suspicious Memory grep Activity
      • Suspicious Microsoft 365 Mail Access by ClientAppId
      • Suspicious Microsoft Diagnostics Wizard Execution
      • Suspicious Mining Process Creation Event
      • Suspicious Modprobe File Event
      • Suspicious Module Loaded by LSASS
      • Suspicious Network Activity to the Internet by Previously Unknown Executable
      • Suspicious Network Connection via systemd
      • Suspicious Network Tool Launched Inside A Container
      • Suspicious PDF Reader Child Process
      • Suspicious Passwd File Event Action
      • Suspicious Portable Executable Encoded in Powershell Script
      • Suspicious PowerShell Engine ImageLoad
      • Suspicious PowerShell Execution via Windows Scripts
      • Suspicious Powershell Script
      • Suspicious Print Spooler File Deletion
      • Suspicious Print Spooler Point and Print DLL
      • Suspicious Print Spooler SPL File Created
      • Suspicious PrintSpooler Service Executable File Creation
      • Suspicious Proc Pseudo File System Enumeration
      • Suspicious Process Access via Direct System Call
      • Suspicious Process Creation CallTrace
      • Suspicious Process Execution via Renamed PsExec Executable
      • Suspicious RDP ActiveX Client Loaded
      • Suspicious Remote Registry Access via SeBackupPrivilege
      • Suspicious Renaming of ESXI Files
      • Suspicious Renaming of ESXI index.html File
      • Suspicious ScreenConnect Client Child Process
      • Suspicious Script Object Execution
      • Suspicious Service was Installed in the System
      • Suspicious SolarWinds Child Process
      • Suspicious Startup Shell Folder Modification
      • Suspicious Symbolic Link Created
      • Suspicious Sysctl File Event
      • Suspicious System Commands Executed by Previously Unknown Executable
      • Suspicious Termination of ESXI Process
      • Suspicious Troubleshooting Pack Cabinet Execution
      • Suspicious Utility Launched via ProxyChains
      • Suspicious WMI Event Subscription Created
      • Suspicious WMI Image Load from MS Office
      • Suspicious WMIC XSL Script Execution
      • Suspicious Web Browser Sensitive File Access
      • Suspicious WerFault Child Process
      • Suspicious Windows Command Shell Arguments
      • Suspicious Windows Powershell Arguments
      • Suspicious Windows Process Cluster Spawned by a Host
      • Suspicious Windows Process Cluster Spawned by a Parent Process
      • Suspicious Windows Process Cluster Spawned by a User
      • Suspicious Zoom Child Process
      • Suspicious macOS MS Office Child Process
      • Suspicious pbpaste High Volume Activity
      • Suspicious rc.local Error Message
      • Suspicious which Enumeration
      • Svchost spawning Cmd
      • Symbolic Link to Shadow Copy Created
      • System Binary Moved or Copied
      • System Hosts File Access
      • System Information Discovery via Windows Command Shell
      • System Log File Deletion
      • System Network Connections Discovery
      • System Owner/User Discovery Linux
      • System Service Discovery through built-in Windows Utilities
      • System Shells via Services
      • System Time Discovery
      • System V Init Script Created
      • SystemKey Access via Command Line
      • Systemd Generator Created
      • Systemd Service Created
      • Systemd Service Started by Unusual Parent Process
      • Systemd Timer Created
      • Systemd-udevd Rule File Creation
      • TCC Bypass via Mounted APFS Snapshot Access
      • Tainted Kernel Module Load
      • Tainted Out-Of-Tree Kernel Module Load
      • Tampering of Shell Command-Line History
      • Temporarily Scheduled Task Creation
      • Third-party Backup Files Deleted via Unexpected Process
      • Threat Intel Hash Indicator Match
      • Threat Intel IP Address Indicator Match
      • Threat Intel URL Indicator Match
      • Threat Intel Windows Registry Indicator Match
      • Timestomping using Touch Command
      • Trap Signals Execution
      • UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer
      • UAC Bypass Attempt via Privileged IFileOperation COM Interface
      • UAC Bypass Attempt via Windows Directory Masquerading
      • UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface
      • UAC Bypass via DiskCleanup Scheduled Task Hijack
      • UAC Bypass via ICMLuaUtil Elevated COM Interface
      • UAC Bypass via Windows Firewall Snap-In Hijack
      • UID Elevation from Previously Unknown Executable
      • Unauthorized Access to an Okta Application
      • Unauthorized Scope for Public App OAuth2 Token Grant with Client Credentials
      • Uncommon Registry Persistence Change
      • Unexpected Child Process of macOS Screensaver Engine
      • Unix Socket Connection
      • Unknown Execution of Binary with RWX Memory Region
      • Unsigned BITS Service Client Process
      • Unsigned DLL Loaded by Svchost
      • Unsigned DLL Loaded by a Trusted Process
      • Unsigned DLL Side-Loading from a Suspicious Folder
      • Unsigned DLL loaded by DNS Service
      • Untrusted DLL Loaded by Azure AD Sync Service
      • Untrusted Driver Loaded
      • Unusual AWS Command for a User
      • Unusual Child Process from a System Virtual Process
      • Unusual Child Process of dns.exe
      • Unusual Child Processes of RunDLL32
      • Unusual City For an AWS Command
      • Unusual Country For an AWS Command
      • Unusual DNS Activity
      • Unusual DPKG Execution
      • Unusual Discovery Activity by User
      • Unusual Discovery Signal Alert with Unusual Process Command Line
      • Unusual Discovery Signal Alert with Unusual Process Executable
      • Unusual Executable File Creation by a System Critical Process
      • Unusual Execution via Microsoft Common Console File
      • Unusual File Creation - Alternate Data Stream
      • Unusual File Modification by dns.exe
      • Unusual High Confidence Misconduct Blocks Detected
      • Unusual Hour for a User to Logon
      • Unusual Instance Metadata Service (IMDS) API Request
      • Unusual Interactive Shell Launched from System User
      • Unusual Linux Network Activity
      • Unusual Linux Network Configuration Discovery
      • Unusual Linux Network Connection Discovery
      • Unusual Linux Network Port Activity
      • Unusual Linux Process Calling the Metadata Service
      • Unusual Linux Process Discovery Activity
      • Unusual Linux System Information Discovery Activity
      • Unusual Linux User Calling the Metadata Service
      • Unusual Linux User Discovery Activity
      • Unusual Linux Username
      • Unusual Login Activity
      • Unusual Network Activity from a Windows System Binary
      • Unusual Network Connection via DllHost
      • Unusual Network Connection via RunDLL32
      • Unusual Network Destination Domain Name
      • Unusual Parent Process for cmd.exe
      • Unusual Parent-Child Relationship
      • Unusual Persistence via Services Registry
      • Unusual Print Spooler Child Process
      • Unusual Process Execution Path - Alternate Data Stream
      • Unusual Process Execution on WBEM Path
      • Unusual Process Extension
      • Unusual Process For MSSQL Service Accounts
      • Unusual Process For a Linux Host
      • Unusual Process For a Windows Host
      • Unusual Process Network Connection
      • Unusual Process Spawned by a Host
      • Unusual Process Spawned by a Parent Process
      • Unusual Process Spawned by a User
      • Unusual Process Writing Data to an External Device
      • Unusual Remote File Directory
      • Unusual Remote File Extension
      • Unusual Remote File Size
      • Unusual Service Host Child Process - Childless Service
      • Unusual Source IP for a User to Logon from
      • Unusual Sudo Activity
      • Unusual Time or Day for an RDP Session
      • Unusual User Privilege Enumeration via id
      • Unusual Web Request
      • Unusual Web User Agent
      • Unusual Windows Network Activity
      • Unusual Windows Path Activity
      • Unusual Windows Process Calling the Metadata Service
      • Unusual Windows Remote User
      • Unusual Windows Service
      • Unusual Windows User Calling the Metadata Service
      • Unusual Windows User Privilege Elevation Activity
      • Unusual Windows Username
      • User Account Creation
      • User Added as Owner for Azure Application
      • User Added as Owner for Azure Service Principal
      • User Added to Privileged Group
      • User Added to the Admin Group
      • User account exposed to Kerberoasting
      • User or Group Creation/Modification
      • VNC (Virtual Network Computing) from the Internet
      • VNC (Virtual Network Computing) to the Internet
      • Veeam Backup Library Loaded by Unusual Process
      • Virtual Machine Fingerprinting
      • Virtual Machine Fingerprinting via Grep
      • Virtual Private Network Connection Attempt
      • Volume Shadow Copy Deleted or Resized via VssAdmin
      • Volume Shadow Copy Deletion via PowerShell
      • Volume Shadow Copy Deletion via WMIC
      • WMI Incoming Lateral Movement
      • WMI WBEMTEST Utility Execution
      • WMIC Remote Command
      • WPS Office Exploitation via DLL Hijack
      • WRITEDAC Access on Active Directory Object
      • Web Application Suspicious Activity: POST Request Declined
      • Web Application Suspicious Activity: Unauthorized Method
      • Web Application Suspicious Activity: sqlmap User Agent
      • Web Server Spawned via Python
      • Web Shell Detection: Script Process Child of Common Web Processes
      • WebProxy Settings Modification
      • WebServer Access Logs Deleted
      • Werfault ReflectDebugger Persistence
      • Whoami Process Activity
      • Windows Account or Group Discovery
      • Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)
      • Windows Defender Disabled via Registry Modification
      • Windows Defender Exclusions Added via PowerShell
      • Windows Event Logs Cleared
      • Windows Firewall Disabled via PowerShell
      • Windows Installer with Suspicious Properties
      • Windows Network Enumeration
      • Windows Registry File Creation in SMB Share
      • Windows Script Executing PowerShell
      • Windows Script Interpreter Executing Process via WMI
      • Windows Service Installed via an Unusual Client
      • Windows Subsystem for Linux Distribution Installed
      • Windows Subsystem for Linux Enabled via Dism Utility
      • Windows System Information Discovery
      • Windows System Network Connections Discovery
      • Wireless Credential Dumping using Netsh Command
      • Yum Package Manager Plugin File Creation
      • Yum/DNF Plugin Status Discovery
      • Zoom Meeting with no Passcode
      • rc.local/rc.common File Creation
    • Downloadable rule updates
      • Update v8.13.1
      • Update v8.13.2
      • Update v8.13.3
      • Update v8.13.4
      • Update v8.13.5
      • Update v8.13.6
      • Update v8.13.7
      • Update v8.13.8
      • Update v8.13.9
      • Update v8.13.10
      • Update v8.13.11
      • Update v8.13.12
      • Update v8.13.13
      • Update v8.13.14
      • Update v8.13.15
      • Update v8.13.16
      • Update v8.13.17
      • Update v8.13.18
      • Update v8.13.19
      • Update v8.13.20
      • Update v8.13.21
      • Update v8.13.22
      • Update v8.13.23
  • Advanced Entity Analytics
    • Entity risk scoring
      • Asset criticality
      • Turn on the risk scoring engine
      • View and analyze risk score data
    • Advanced behavioral detections
      • Anomaly detection
      • Optimizing anomaly results
      • Behavioral detection use cases
      • Prebuilt job reference
  • Cloud native security
    • Security posture management overview
    • Cloud security posture management
      • Get started with CSPM for AWS
      • Get started with CSPM for GCP
      • Get started with CSPM for Azure
      • Findings page
      • Benchmarks
      • Cloud Security Posture dashboard
      • Frequently asked questions (FAQ)
    • Kubernetes security posture management
      • Get started with KSPM
      • Findings page
      • Benchmarks
      • Cloud Security Posture dashboard
      • Frequently asked questions (FAQ)
    • Cloud native vulnerability management
      • Get started with CNVM
      • Findings page
      • Cloud Native Vulnerability Management Dashboard
      • Frequently asked questions (FAQ)
    • Cloud workload protection for Kubernetes
      • Get started with CWP for Kubernetes
      • Container workload protection policies
      • Kubernetes dashboard
    • Cloud workload protection for VMs
      • Session View
      • Capture environment variables
  • Investigate
    • Investigate events in Timeline
    • About Timeline templates
    • Cases
      • Open and manage cases
      • Configure external connections
    • Indicators of compromise
  • Osquery
    • Add Osquery Response Actions
    • Run Osquery from investigation guides
    • Run Osquery from alerts
    • Examine Osquery results
    • Use placeholder fields in Osquery queries
  • Endpoint response actions
    • Automated response actions
    • Isolate a host
    • Response actions history
    • Third-party response actions
    • Configure third-party response actions
  • Manage endpoint protection
    • Endpoints
    • Policies
    • Trusted applications
    • Event filters
    • Host isolation exceptions
    • Blocklist
    • Optimize Elastic Defend
    • Event capture and Elastic Defend
    • Allowlist Elastic Endpoint in third-party antivirus apps
    • Endpoint self-protection features
    • Elastic Endpoint command reference
  • Elastic Security APIs
    • Detections API
      • Create rule
      • Get rule
      • Find rules
      • Update rule
      • Delete rule
      • Bulk rule actions
      • Create default exception list for a rule
      • Create exceptions for a rule
      • Index endpoint
      • Tags endpoint
      • Import rules
      • Export rules
      • Privileges endpoint
      • Signals endpoint
      • Prebuilt rules
    • Exceptions API
      • Create exception container
      • Create exceptions used by multiple rules
      • Create shared exception list
      • Find exception containers
      • Find exception items
      • Get exception container
      • Get exception item
      • Import exception list
      • Export exception list
      • Update exception container
      • Summary exception container
      • Update exception item
      • Delete exception container
      • Delete exception item
      • Lists index endpoint
    • Lists API
      • Create list container
      • Create list item
      • Import list items
      • Find list containers
      • Find list items
      • Get list container
      • Get list item
      • Update list container
      • Update list item
      • Export list items
      • Delete list container
      • Delete list item
    • Detection Alerts Migration API
    • Timeline API
      • Get Timelines or Timeline templates
      • Get Timeline or Timeline template by savedObjectId
      • Get Timeline template by templateTimelineId
      • Create Timeline or Timeline template
      • Update Timeline or Timeline template
      • Add a note to an existing Timeline
      • Pin an event to an existing Timeline
      • Delete Timelines or Timeline templates
      • Import timelines and timeline templates
    • Cases API
    • Actions API (for pushing cases to external systems)
    • Endpoint management API
      • Get endpoint
      • List endpoints
      • Isolate a host
      • Release an isolated host
      • Terminate a process
      • Suspend a process
      • Get processes
      • Get a file from a host
      • Execute a command on a host
      • Upload file to host
      • Trusted applications
      • Event filters
      • Host isolation exceptions
      • Blocklist
      • Get action details
      • List response actions
  • Elastic Security fields and object schemas
    • Create runtime fields in Elastic Security
    • Elastic Security ECS field reference
    • Timeline schema
    • Alert schema
  • Troubleshooting
    • Detection rules
    • Endpoint management
  • Technical preview
    • Host risk score
      • Verify that host risk score data installed successfully (Optional)
    • User risk score
      • Verify that user risk score data installed successfully (Optional)
  • Release notes
    • 8.13
    • 8.12
    • 8.11
    • 8.10
    • 8.9
    • 8.8
    • 8.7
    • 8.6
    • 8.5
    • 8.4
    • 8.3
    • 8.2
    • 8.1
    • 8.0