Sensitive Files Compression Inside A Containeredit

Identifies the use of a compression utility to collect known files containing sensitive information, such as credentials and system configurations inside a container.

Rule type: eql

Rule indices:

  • logs-cloud_defend*

Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References: None


  • Data Source: Elastic Defend for Containers
  • Domain: Container
  • OS: Linux
  • Use Case: Threat Detection
  • Tactic: Collection
  • Tactic: Credential Access

Version: 2

Rule authors:

  • Elastic

Rule license: Elastic License v2

Rule queryedit

process where "*" and event.type== "start" and

/*account for tools that execute utilities as a subprocess, in this case the target utility name will appear as a process arg*/
( ("zip", "tar", "gzip", "hdiutil", "7z") or process.args: ("zip", "tar", "gzip", "hdiutil", "7z"))
and process.args: (