IMPORTANT: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
current release documentation.
- SIEM Guide: other versions:
- Overview
- Get up and running
- SIEM UI
- Anomaly Detection with Machine Learning
- Detections (Beta)
- Managing signal detection rules
- Detections API
- Prebuilt rule reference
- Adding Hidden File Attribute via Attrib
- Adobe Hijack Persistence
- Adversary Behavior - Detected - Elastic Endpoint
- Clearing Windows Event Logs
- Command Prompt Network Connection
- Credential Dumping - Detected - Elastic Endpoint
- Credential Dumping - Prevented - Elastic Endpoint
- Credential Manipulation - Detected - Elastic Endpoint
- Credential Manipulation - Prevented - Elastic Endpoint
- DNS Activity to the Internet
- Delete Volume USN Journal with Fsutil
- Deleting Backup Catalogs with Wbadmin
- Direct Outbound SMB Connection
- Disable Windows Firewall Rules via Netsh
- Encoding or Decoding Files via CertUtil
- Execution via Signed Binary
- Exploit - Detected - Elastic Endpoint
- Exploit - Prevented - Elastic Endpoint
- FTP (File Transfer Protocol) Activity to the Internet
- Hping Process Activity
- IPSEC NAT Traversal Port Activity
- IRC (Internet Relay Chat) Protocol Activity to the Internet
- Local Scheduled Task Commands
- Local Service Commands
- Malware - Detected - Elastic Endpoint
- Malware - Prevented - Elastic Endpoint
- Mknod Process Activity
- MsBuild Making Network Connections
- Netcat Network Activity
- Network Connection via Compiled HTML File
- Network Connection via Mshta
- Network Connection via Regsvr
- Network Connection via Signed Binary
- Network Sniffing via Tcpdump
- Nmap Process Activity
- Nping Process Activity
- PPTP (Point to Point Tunneling Protocol) Activity
- Permission Theft - Detected - Elastic Endpoint
- Permission Theft - Prevented - Elastic Endpoint
- Persistence via Kernel Module Modification
- Potential Application Shimming via Sdbinst
- Potential DNS Tunneling via Iodine
- Potential Evasion via Filter Manager
- Potential Modification of Accessibility Binaries
- Potential Shell via Web Server
- PowerShell spawning Cmd
- Process Activity via Compiled HTML File
- Process Discovery via Tasklist
- Process Injection - Detected - Elastic Endpoint
- Process Injection - Prevented - Elastic Endpoint
- Proxy Port Activity to the Internet
- PsExec Network Connection
- RDP (Remote Desktop Protocol) from the Internet
- RDP (Remote Desktop Protocol) to the Internet
- RPC (Remote Procedure Call) from the Internet
- RPC (Remote Procedure Call) to the Internet
- Ransomware - Detected - Elastic Endpoint
- Ransomware - Prevented - Elastic Endpoint
- SMB (Windows File Sharing) Activity to the Internet
- SMTP on Port 26/TCP
- SMTP to the Internet
- SQL Traffic to the Internet
- SSH (Secure Shell) from the Internet
- SSH (Secure Shell) to the Internet
- Socat Process Activity
- Strace Process Activity
- Suspicious MS Office Child Process
- Suspicious MS Outlook Child Process
- Suspicious Process spawning from Script Interpreter
- Suspicious Script Object Execution
- Svchost spawning cmd.exe
- System Shells via Services
- TCP Port 8000 Activity to the Internet
- Telnet Port Activity
- Tor Activity to the Internet
- Trusted Developer Application Usage
- Unusual Network Connection via RunDLL32
- Unusual Parent-Child Relationship
- Unusual Process Execution - Temp
- Unusual Process Network Connection
- User Account Creation
- User Discovery via Whoami
- VNC (Virtual Network Computing) from the Internet
- VNC (Virtual Network Computing) to the Internet
- Volume Shadow Copy Deletion via VssAdmin
- Volume Shadow Copy Deletion via WMIC
- Web Application Suspicious Activity: No User Agent
- Web Application Suspicious Activity: POST Request Declined
- Web Application Suspicious Activity: Unauthorized Method
- Web Application Suspicious Activity: sqlmap User Agent
- Whoami Process Activity
- Windows Script Executing PowerShell
- Tuning prebuilt detection rules
- Prebuilt rules version history