Looks for compiler activity by a user context that does not normally run compilers. This can be the result of ad-hoc software changes or unauthorized software deployment. It can also indicate local privilege elevation via locally run exploits, or malware activity.
Rule type: machine_learning
Rule indices: None
Risk score: 21
Runs every: 15m
Maximum alerts per execution: 100
Tags:
- Threat Detection
Rule license: Elastic License v2
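The rule above is an Elastic machine-learning job, so its notion of "normal" is learned from the data. As an added illustration (not the rule's own code or Elastic's implementation), the following deterministic analogue shows the same detection idea over constructed Linux process events: learn which users run compilers during a baseline window, then flag compiler executions by users with no such history, capped at the rule's maximum alerts per execution. The compiler name list and all event data are assumptions.

```python
from collections import defaultdict

# Assumed compiler process names; the real rule learns features via an ML job
# rather than matching a fixed list.
COMPILERS = {"gcc", "g++", "cc", "clang", "clang++", "ld", "as", "make", "rustc", "javac"}
RISK_SCORE = 21  # risk score the rule page assigns to this detection

# Constructed process events: a baseline (learning) window and a detection window.
BASELINE_EVENTS = [
    {"ts": "2024-05-01T09:00:00Z", "host": "build01", "user": "jenkins", "process": "gcc"},
    {"ts": "2024-05-01T09:00:02Z", "host": "build01", "user": "jenkins", "process": "make"},
    {"ts": "2024-05-01T10:15:00Z", "host": "dev02", "user": "alice", "process": "clang"},
    {"ts": "2024-05-01T10:16:00Z", "host": "dev02", "user": "alice", "process": "vim"},
]
DETECTION_EVENTS = [
    {"ts": "2024-05-02T03:10:00Z", "host": "build01", "user": "jenkins", "process": "gcc"},
    {"ts": "2024-05-02T03:12:00Z", "host": "web01", "user": "www-data", "process": "gcc"},
    {"ts": "2024-05-02T03:12:05Z", "host": "web01", "user": "www-data", "process": "ls"},
    {"ts": "2024-05-02T03:20:00Z", "host": "db01", "user": "postgres", "process": "cc"},
]


def build_baseline(events):
    """Map each user to the set of compilers it ran during the learning window."""
    seen = defaultdict(set)
    for e in events:
        if e["process"] in COMPILERS:
            seen[e["user"]].add(e["process"])
    return dict(seen)


def find_anomalies(baseline, events, max_alerts=100):
    """Flag compiler executions by users that have no compiler history.

    max_alerts mirrors the rule's "Maximum alerts per execution" setting.
    """
    alerts = []
    for e in events:
        if e["process"] not in COMPILERS or e["user"] in baseline:
            continue  # not a compiler, or a user that normally compiles
        alerts.append({"ts": e["ts"], "host": e["host"], "user": e["user"],
                       "process": e["process"], "risk_score": RISK_SCORE})
        if len(alerts) >= max_alerts:
            break
    return alerts


if __name__ == "__main__":
    for alert in find_anomalies(build_baseline(BASELINE_EVENTS), DETECTION_EVENTS):
        print(alert)
```

Service accounts such as www-data or postgres compiling code are exactly the contexts this rule is meant to surface; in production the baseline would come from weeks of endpoint telemetry rather than a handful of events.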