Skip to content

Update Entity related rules with new _ea ML job ID and update minimum stack versions#5794

Open
susan-shu-c wants to merge 12 commits intomainfrom
euid-rules-update
Open

Update Entity related rules with new _ea ML job ID and update minimum stack versions#5794
susan-shu-c wants to merge 12 commits intomainfrom
euid-rules-update

Conversation

@susan-shu-c
Copy link
Copy Markdown
Member

@susan-shu-c susan-shu-c commented Feb 27, 2026
edited
Loading

Pull Request

Issue link(s):

Summary - What I changed

Corresponds with changes to ML jobs in

This PR will:

  • Change ML jobs to _ea suffix
  • Update min stack version
  • Update last updated date and description when applicable

How To Test

Checklist

  • Added a label for the type of pr: bug, enhancement, schema, maintenance, Rule: New, Rule: Deprecation, Rule: Tuning, Hunt: New, or Hunt: Tuning so guidelines can be generated
  • Added the meta:rapid-merge label if planning to merge within 24 hours
  • Secret and sensitive material has been managed correctly
  • Automated testing was updated or added to match the most common scenarios
  • Documentation and comments were added for features that require explanation

Contributor checklist

@tradebot-elastic
Copy link
Copy Markdown

tradebot-elastic commented Feb 27, 2026
edited
Loading

⛔️ Test failed

Results
  • ❌ Unusual Remote File Size (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Source IP for Windows Privileged Operations Detected (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Special Logon Events (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Anomalous Windows Process Creation (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ High Command Line Entropy Detected for Privileged Commands (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ User Detected with Suspicious Windows Process(es) (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Rare User Logon (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Windows Username (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Windows Service (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Powershell Script (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Windows User Privilege Elevation Activity (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Windows Remote User (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Network Destination Domain Name (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Number of Connections Made to a Destination IP (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Number of Processes in an RDP Session (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Sudo Activity (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Azure Activity Logs Failed Messages (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Linux User Calling the Metadata Service (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Privilege Type assigned to a User (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Host Name for Windows Privileged Operations Detected (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Bytes Sent to an External Device (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ High Mean of Process Arguments in an RDP Session (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in User Account Management Events (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Linux Network Port Activity (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Number of Connections Made from a Source IP (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Time or Day for an RDP Session (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Process Spawned by a User (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Login Activity (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Windows Path Activity (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Process For a Linux Host (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Process Writing Data to an External Device (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Linux Network Activity (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Process Spawned by a Host (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Linux User Discovery Activity (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Linux Process Discovery Activity (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Process Detected for Privileged Commands by a User (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Anomalous Process For a Linux Population (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Process For a Windows Host (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Anomalous Process For a Windows Population (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Special Privilege Use Events (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Hour for a User to Logon (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual DNS Activity (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Group Management Events (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Country for an Azure Activity Logs Event (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Remote File Extension (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Azure Activity Logs Event for a User (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Web User Agent (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Web Request (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ DNS Tunneling (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Failed Logon Events (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Linux Process Calling the Metadata Service (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ High Mean of RDP Session Duration (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ High Variance in RDP Session Duration (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Windows Process Calling the Metadata Service (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual AWS Command for a User (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Decline in host-based traffic (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Linux Username (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Windows Network Activity (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Privileged Command Execution by a User (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Host Detected with Suspicious Windows Process(es) (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Remote File Directory (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Data Exfiltration Activity to an Unusual Region (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Rare Azure Activity Logs Event Failures (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Linux Network Connection Discovery (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Data Exfiltration Activity to an Unusual IP Address (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Anomalous Linux Compiler Activity (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual City for an Azure Activity Logs Event (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Region Name for Windows Privileged Operations Detected (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Linux System Information Discovery Activity (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Source IP for a User to Logon from (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Logon Events (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Windows User Calling the Metadata Service (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Data Exfiltration Activity to an Unusual ISO Code (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Successful Logon Events from a Source IP (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Bytes Sent to an External Device via Airdrop (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Remote File Transfers (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Process Spawned by a Parent Process (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Data Exfiltration Activity to an Unusual Destination Port (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Parent Process Detected with Suspicious Windows Process(es) (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Linux Network Configuration Discovery (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Group Name Accessed by a User (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in host-based traffic (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential DGA Activity (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@susan-shu-c susan-shu-c added the Rule: Tuning tweaking or tuning an existing rule label Feb 27, 2026
@github-actions
Copy link
Copy Markdown
Contributor

github-actions bot commented Feb 27, 2026

Rule: Tuning - Guidelines

These guidelines serve as a reminder set of considerations when tuning an existing rule.

Documentation and Context

  • Detailed description of the suggested changes.
  • Provide example JSON data or screenshots.
  • Provide evidence of reducing benign events mistakenly identified as threats (False Positives).
  • Provide evidence of enhancing detection of true threats that were previously missed (False Negatives).
  • Provide evidence of optimizing resource consumption and execution time of detection rules (Performance).
  • Provide evidence of specific environment factors influencing customized rule tuning (Contextual Tuning).
  • Provide evidence of improvements made by modifying sensitivity by changing alert triggering thresholds (Threshold Adjustments).
  • Provide evidence of refining rules to better detect deviations from typical behavior (Behavioral Tuning).
  • Provide evidence of improvements of adjusting rules based on time-based patterns (Temporal Tuning).
  • Provide reasoning of adjusting priority or severity levels of alerts (Severity Tuning).
  • Provide evidence of improving quality integrity of our data used by detection rules (Data Quality).
  • Ensure the tuning includes necessary updates to the release documentation and versioning.

Rule Metadata Checks

  • updated_date matches the date of tuning PR merged.
  • min_stack_version should support the widest stack versions.
  • name and description should be descriptive and not include typos.
  • query should be inclusive, not overly exclusive. Review to ensure the original intent of the rule is maintained.

Testing and Validation

  • Validate that the tuned rule's performance is satisfactory and does not negatively impact the stack.
  • Ensure that the tuned rule has a low false positive rate.

sodhikirti07
sodhikirti07 reviewed Mar 4, 2026
View reviewed changes
rules/integrations/aws/ml_cloudtrail_rare_method_by_user.toml
license = "Elastic License v2"
machine_learning_job_id = "rare_method_for_a_username"
machine_learning_job_id = "rare_method_for_a_username_euid"
name = "Unusual AWS Command for a User"
Copy link
Copy Markdown
Contributor

@sodhikirti07 sodhikirti07 Mar 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@susan-shu-c Could you confirm the process to update the investigation guide?

Copy link
Copy Markdown
Member Author

@susan-shu-c susan-shu-c Mar 5, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

On it, pending response!

Copy link
Copy Markdown
Member Author

@susan-shu-c susan-shu-c Mar 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For new rules: there is a process to kick off, we now have permissions
For existing rules: manually edit

@tradebot-elastic
Copy link
Copy Markdown

tradebot-elastic commented Mar 10, 2026
edited
Loading

⛔️ Test failed

Results
  • ❌ Unusual Remote File Size (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Source IP for Windows Privileged Operations Detected (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Special Logon Events (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Anomalous Windows Process Creation (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ High Command Line Entropy Detected for Privileged Commands (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ User Detected with Suspicious Windows Process(es) (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Rare User Logon (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Windows Username (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Windows Service (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Powershell Script (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Windows User Privilege Elevation Activity (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Windows Remote User (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Network Destination Domain Name (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Number of Connections Made to a Destination IP (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Number of Processes in an RDP Session (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Sudo Activity (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Azure Activity Logs Failed Messages (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Linux User Calling the Metadata Service (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Privilege Type assigned to a User (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Host Name for Windows Privileged Operations Detected (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Bytes Sent to an External Device (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ High Mean of Process Arguments in an RDP Session (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in User Account Management Events (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Linux Network Port Activity (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Number of Connections Made from a Source IP (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Time or Day for an RDP Session (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Process Spawned by a User (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Login Activity (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Windows Path Activity (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Process For a Linux Host (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Process Writing Data to an External Device (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Linux Network Activity (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Process Spawned by a Host (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Linux User Discovery Activity (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Linux Process Discovery Activity (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Process Detected for Privileged Commands by a User (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Anomalous Process For a Linux Population (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Process For a Windows Host (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Anomalous Process For a Windows Population (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Special Privilege Use Events (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Hour for a User to Logon (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual DNS Activity (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Group Management Events (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Country for an Azure Activity Logs Event (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Remote File Extension (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Azure Activity Logs Event for a User (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Web User Agent (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Web Request (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ DNS Tunneling (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Failed Logon Events (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Linux Process Calling the Metadata Service (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ High Mean of RDP Session Duration (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ High Variance in RDP Session Duration (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Windows Process Calling the Metadata Service (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual AWS Command for a User (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Decline in host-based traffic (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Linux Username (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Windows Network Activity (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Privileged Command Execution by a User (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Host Detected with Suspicious Windows Process(es) (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Remote File Directory (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Data Exfiltration Activity to an Unusual Region (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Rare Azure Activity Logs Event Failures (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Linux Network Connection Discovery (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Data Exfiltration Activity to an Unusual IP Address (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Anomalous Linux Compiler Activity (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual City for an Azure Activity Logs Event (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Region Name for Windows Privileged Operations Detected (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Linux System Information Discovery Activity (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Source IP for a User to Logon from (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Logon Events (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Windows User Calling the Metadata Service (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Data Exfiltration Activity to an Unusual ISO Code (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Successful Logon Events from a Source IP (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Bytes Sent to an External Device via Airdrop (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Remote File Transfers (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Process Spawned by a Parent Process (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Data Exfiltration Activity to an Unusual Destination Port (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Parent Process Detected with Suspicious Windows Process(es) (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Linux Network Configuration Discovery (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Group Name Accessed by a User (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in host-based traffic (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential DGA Activity (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@tradebot-elastic
Copy link
Copy Markdown

tradebot-elastic commented Mar 10, 2026
edited
Loading

⛔️ Test failed

Results
  • ❌ Unusual Remote File Size (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Source IP for Windows Privileged Operations Detected (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Special Logon Events (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Anomalous Windows Process Creation (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ High Command Line Entropy Detected for Privileged Commands (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ User Detected with Suspicious Windows Process(es) (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Rare User Logon (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Windows Username (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Windows Service (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Powershell Script (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Windows User Privilege Elevation Activity (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Windows Remote User (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Network Destination Domain Name (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Number of Connections Made to a Destination IP (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Number of Processes in an RDP Session (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Sudo Activity (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Azure Activity Logs Failed Messages (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Linux User Calling the Metadata Service (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Privilege Type assigned to a User (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Host Name for Windows Privileged Operations Detected (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Bytes Sent to an External Device (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ High Mean of Process Arguments in an RDP Session (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in User Account Management Events (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Linux Network Port Activity (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Number of Connections Made from a Source IP (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Time or Day for an RDP Session (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Process Spawned by a User (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Login Activity (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Windows Path Activity (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Process For a Linux Host (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Process Writing Data to an External Device (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Linux Network Activity (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Process Spawned by a Host (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Linux User Discovery Activity (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Linux Process Discovery Activity (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Process Detected for Privileged Commands by a User (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Anomalous Process For a Linux Population (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Process For a Windows Host (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Anomalous Process For a Windows Population (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Special Privilege Use Events (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Hour for a User to Logon (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual DNS Activity (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Group Management Events (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Country for an Azure Activity Logs Event (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Remote File Extension (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Azure Activity Logs Event for a User (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Web User Agent (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Web Request (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ DNS Tunneling (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Failed Logon Events (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Linux Process Calling the Metadata Service (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ High Mean of RDP Session Duration (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ High Variance in RDP Session Duration (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Windows Process Calling the Metadata Service (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual AWS Command for a User (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Decline in host-based traffic (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Linux Username (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Windows Network Activity (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Privileged Command Execution by a User (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Host Detected with Suspicious Windows Process(es) (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Remote File Directory (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Data Exfiltration Activity to an Unusual Region (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Rare Azure Activity Logs Event Failures (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Linux Network Connection Discovery (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Data Exfiltration Activity to an Unusual IP Address (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Anomalous Linux Compiler Activity (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual City for an Azure Activity Logs Event (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Region Name for Windows Privileged Operations Detected (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Linux System Information Discovery Activity (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Source IP for a User to Logon from (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Logon Events (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Windows User Calling the Metadata Service (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Data Exfiltration Activity to an Unusual ISO Code (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Successful Logon Events from a Source IP (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Bytes Sent to an External Device via Airdrop (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Remote File Transfers (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Process Spawned by a Parent Process (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Data Exfiltration Activity to an Unusual Destination Port (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Parent Process Detected with Suspicious Windows Process(es) (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Linux Network Configuration Discovery (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Group Name Accessed by a User (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in host-based traffic (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential DGA Activity (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@tradebot-elastic
Copy link
Copy Markdown

tradebot-elastic commented Mar 10, 2026
edited
Loading

⛔️ Test failed

Results
  • ❌ Spike in Group Privilege Change Events (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Remote File Size (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Source IP for Windows Privileged Operations Detected (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Special Logon Events (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Anomalous Windows Process Creation (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ High Command Line Entropy Detected for Privileged Commands (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ User Detected with Suspicious Windows Process(es) (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Group Membership Events (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Rare User Logon (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Windows Username (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Windows Service (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Powershell Script (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Windows User Privilege Elevation Activity (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Windows Remote User (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in User Lifecycle Management Change Events (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Network Destination Domain Name (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Number of Connections Made to a Destination IP (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Number of Processes in an RDP Session (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Sudo Activity (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Azure Activity Logs Failed Messages (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Linux User Calling the Metadata Service (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Privilege Type assigned to a User (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Host Name for Windows Privileged Operations Detected (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Group Application Assignment Change Events (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Bytes Sent to an External Device (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ High Mean of Process Arguments in an RDP Session (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in User Account Management Events (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Linux Network Port Activity (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Number of Connections Made from a Source IP (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Time or Day for an RDP Session (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Process Spawned by a User (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Login Activity (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Windows Path Activity (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Process For a Linux Host (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Process Writing Data to an External Device (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Linux Network Activity (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Process Spawned by a Host (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Linux User Discovery Activity (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Linux Process Discovery Activity (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Process Detected for Privileged Commands by a User (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Anomalous Process For a Linux Population (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Process For a Windows Host (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Anomalous Process For a Windows Population (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Special Privilege Use Events (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Hour for a User to Logon (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual DNS Activity (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Group Management Events (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Country for an Azure Activity Logs Event (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Remote File Extension (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Azure Activity Logs Event for a User (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Host Name for Okta Privileged Operations Detected (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Web User Agent (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Web Request (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ DNS Tunneling (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Failed Logon Events (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Linux Process Calling the Metadata Service (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Spike in Concurrent Active Sessions by a User (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ High Mean of RDP Session Duration (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ High Variance in RDP Session Duration (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Region Name for Okta Privileged Operations Detected (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Group Lifecycle Change Events (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Windows Process Calling the Metadata Service (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual AWS Command for a User (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Decline in host-based traffic (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Linux Username (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Windows Network Activity (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Privileged Command Execution by a User (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Host Detected with Suspicious Windows Process(es) (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Remote File Directory (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Data Exfiltration Activity to an Unusual Region (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Rare Azure Activity Logs Event Failures (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Linux Network Connection Discovery (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Data Exfiltration Activity to an Unusual IP Address (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Anomalous Linux Compiler Activity (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual City for an Azure Activity Logs Event (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Region Name for Windows Privileged Operations Detected (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Linux System Information Discovery Activity (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Source IP for a User to Logon from (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Logon Events (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Windows User Calling the Metadata Service (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Data Exfiltration Activity to an Unusual ISO Code (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Successful Logon Events from a Source IP (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Bytes Sent to an External Device via Airdrop (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Remote File Transfers (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Process Spawned by a Parent Process (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Data Exfiltration Activity to an Unusual Destination Port (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Parent Process Detected with Suspicious Windows Process(es) (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Linux Network Configuration Discovery (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Group Name Accessed by a User (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Source IP for Okta Privileged Operations Detected (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in host-based traffic (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential DGA Activity (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@tradebot-elastic
Copy link
Copy Markdown

tradebot-elastic commented Mar 10, 2026
edited
Loading

⛔️ Test failed

Results
  • ❌ Spike in Group Privilege Change Events (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Remote File Size (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Source IP for Windows Privileged Operations Detected (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Special Logon Events (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Anomalous Windows Process Creation (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ High Command Line Entropy Detected for Privileged Commands (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ User Detected with Suspicious Windows Process(es) (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Group Membership Events (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Rare User Logon (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Windows Username (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Windows Service (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Powershell Script (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Windows User Privilege Elevation Activity (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Windows Remote User (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in User Lifecycle Management Change Events (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Network Destination Domain Name (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Number of Connections Made to a Destination IP (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Number of Processes in an RDP Session (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Sudo Activity (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Azure Activity Logs Failed Messages (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Linux User Calling the Metadata Service (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Privilege Type assigned to a User (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Host Name for Windows Privileged Operations Detected (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Group Application Assignment Change Events (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Bytes Sent to an External Device (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ High Mean of Process Arguments in an RDP Session (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in User Account Management Events (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Linux Network Port Activity (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Number of Connections Made from a Source IP (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Time or Day for an RDP Session (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Process Spawned by a User (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Login Activity (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Windows Path Activity (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Process For a Linux Host (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Process Writing Data to an External Device (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Linux Network Activity (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Process Spawned by a Host (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Linux User Discovery Activity (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Linux Process Discovery Activity (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Process Detected for Privileged Commands by a User (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Anomalous Process For a Linux Population (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Process For a Windows Host (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Anomalous Process For a Windows Population (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Special Privilege Use Events (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Hour for a User to Logon (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual DNS Activity (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Group Management Events (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Country for an Azure Activity Logs Event (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Remote File Extension (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Azure Activity Logs Event for a User (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Host Name for Okta Privileged Operations Detected (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Web User Agent (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Web Request (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ DNS Tunneling (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Failed Logon Events (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Linux Process Calling the Metadata Service (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Spike in Concurrent Active Sessions by a User (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ High Mean of RDP Session Duration (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ High Variance in RDP Session Duration (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Region Name for Okta Privileged Operations Detected (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Group Lifecycle Change Events (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Windows Process Calling the Metadata Service (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual AWS Command for a User (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Decline in host-based traffic (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Linux Username (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Windows Network Activity (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Privileged Command Execution by a User (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Host Detected with Suspicious Windows Process(es) (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Remote File Directory (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Data Exfiltration Activity to an Unusual Region (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Rare Azure Activity Logs Event Failures (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Linux Network Connection Discovery (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Data Exfiltration Activity to an Unusual IP Address (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Anomalous Linux Compiler Activity (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual City for an Azure Activity Logs Event (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Region Name for Windows Privileged Operations Detected (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Linux System Information Discovery Activity (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Source IP for a User to Logon from (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Logon Events (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Windows User Calling the Metadata Service (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Data Exfiltration Activity to an Unusual ISO Code (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Successful Logon Events from a Source IP (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Bytes Sent to an External Device via Airdrop (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Remote File Transfers (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Process Spawned by a Parent Process (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Data Exfiltration Activity to an Unusual Destination Port (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Parent Process Detected with Suspicious Windows Process(es) (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Linux Network Configuration Discovery (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Group Name Accessed by a User (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Source IP for Okta Privileged Operations Detected (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in host-based traffic (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential DGA Activity (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@susan-shu-c susan-shu-c changed the title Update Entity related jobs with EUID ML job ID and updated minimum stack versions Update Entity related rules with new _ea ML job ID and update minimum stack versions Mar 10, 2026
@tradebot-elastic
Copy link
Copy Markdown

tradebot-elastic commented Mar 10, 2026
edited
Loading

⛔️ Test failed

Results
  • ❌ Spike in Group Privilege Change Events (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Remote File Size (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Source IP for Windows Privileged Operations Detected (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Special Logon Events (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Anomalous Windows Process Creation (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ High Command Line Entropy Detected for Privileged Commands (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ User Detected with Suspicious Windows Process(es) (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Group Membership Events (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Rare User Logon (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Windows Username (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Windows Service (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Powershell Script (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Windows User Privilege Elevation Activity (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Windows Remote User (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in User Lifecycle Management Change Events (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Network Destination Domain Name (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Number of Connections Made to a Destination IP (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Number of Processes in an RDP Session (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Sudo Activity (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Azure Activity Logs Failed Messages (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Linux User Calling the Metadata Service (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Privilege Type assigned to a User (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Host Name for Windows Privileged Operations Detected (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual GCP Event for a User (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Group Application Assignment Change Events (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Bytes Sent to an External Device (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ High Mean of Process Arguments in an RDP Session (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in User Account Management Events (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Linux Network Port Activity (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Number of Connections Made from a Source IP (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Time or Day for an RDP Session (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Process Spawned by a User (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Login Activity (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Windows Path Activity (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Process For a Linux Host (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Process Writing Data to an External Device (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Linux Network Activity (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Rare GCP Audit Failure Event Code (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Process Spawned by a Host (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Linux User Discovery Activity (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Linux Process Discovery Activity (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Process Detected for Privileged Commands by a User (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Anomalous Process For a Linux Population (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Process For a Windows Host (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Anomalous Process For a Windows Population (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Special Privilege Use Events (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Hour for a User to Logon (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual DNS Activity (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Group Management Events (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Country for an Azure Activity Logs Event (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Remote File Extension (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Azure Activity Logs Event for a User (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Host Name for Okta Privileged Operations Detected (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Web User Agent (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Web Request (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ DNS Tunneling (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Failed Logon Events (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Linux Process Calling the Metadata Service (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Spike in Concurrent Active Sessions by a User (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in GCP Audit Failed Messages (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ High Mean of RDP Session Duration (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ High Variance in RDP Session Duration (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Region Name for Okta Privileged Operations Detected (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Group Lifecycle Change Events (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Windows Process Calling the Metadata Service (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual AWS Command for a User (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Decline in host-based traffic (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Linux Username (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Windows Network Activity (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Privileged Command Execution by a User (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Host Detected with Suspicious Windows Process(es) (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Remote File Directory (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Data Exfiltration Activity to an Unusual Region (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Rare Azure Activity Logs Event Failures (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Linux Network Connection Discovery (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Data Exfiltration Activity to an Unusual IP Address (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Anomalous Linux Compiler Activity (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual City for an Azure Activity Logs Event (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Region Name for Windows Privileged Operations Detected (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Linux System Information Discovery Activity (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Source IP for a User to Logon from (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Logon Events (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Country For a GCP Event (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Windows User Calling the Metadata Service (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Data Exfiltration Activity to an Unusual ISO Code (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Successful Logon Events from a Source IP (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Bytes Sent to an External Device via Airdrop (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Remote File Transfers (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Process Spawned by a Parent Process (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Data Exfiltration Activity to an Unusual Destination Port (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual City For a GCP Event (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Parent Process Detected with Suspicious Windows Process(es) (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Linux Network Configuration Discovery (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Group Name Accessed by a User (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Source IP for Okta Privileged Operations Detected (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in host-based traffic (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential DGA Activity (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

sodhikirti07
sodhikirti07 reviewed Mar 13, 2026
View reviewed changes
@tradebot-elastic
Copy link
Copy Markdown

tradebot-elastic commented Mar 13, 2026
edited
Loading

⛔️ Test failed

Results
  • ❌ Spike in Group Privilege Change Events (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Remote File Size (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Source IP for Windows Privileged Operations Detected (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Special Logon Events (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Anomalous Windows Process Creation (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ High Command Line Entropy Detected for Privileged Commands (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ User Detected with Suspicious Windows Process(es) (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Group Membership Events (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Rare User Logon (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Windows Username (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Windows Service (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Powershell Script (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Windows User Privilege Elevation Activity (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Windows Remote User (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in User Lifecycle Management Change Events (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Network Destination Domain Name (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Number of Connections Made to a Destination IP (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Number of Processes in an RDP Session (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Sudo Activity (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Azure Activity Logs Failed Messages (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Linux User Calling the Metadata Service (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Privilege Type assigned to a User (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Host Name for Windows Privileged Operations Detected (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual GCP Event for a User (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Group Application Assignment Change Events (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Bytes Sent to an External Device (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ High Mean of Process Arguments in an RDP Session (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in User Account Management Events (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Linux Network Port Activity (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Number of Connections Made from a Source IP (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Time or Day for an RDP Session (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Process Spawned by a User (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Login Activity (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Windows Path Activity (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Process For a Linux Host (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Process Writing Data to an External Device (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Linux Network Activity (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Rare GCP Audit Failure Event Code (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Process Spawned by a Host (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Linux User Discovery Activity (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Linux Process Discovery Activity (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Process Detected for Privileged Commands by a User (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Anomalous Process For a Linux Population (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Process For a Windows Host (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Anomalous Process For a Windows Population (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Special Privilege Use Events (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Hour for a User to Logon (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual DNS Activity (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Group Management Events (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Country for an Azure Activity Logs Event (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Remote File Extension (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Azure Activity Logs Event for a User (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Host Name for Okta Privileged Operations Detected (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Web User Agent (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Web Request (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ DNS Tunneling (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Failed Logon Events (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Linux Process Calling the Metadata Service (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Spike in Concurrent Active Sessions by a User (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in GCP Audit Failed Messages (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ High Mean of RDP Session Duration (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ High Variance in RDP Session Duration (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Region Name for Okta Privileged Operations Detected (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Group Lifecycle Change Events (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Windows Process Calling the Metadata Service (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual AWS Command for a User (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Decline in host-based traffic (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Linux Username (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Windows Network Activity (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Privileged Command Execution by a User (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Host Detected with Suspicious Windows Process(es) (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Remote File Directory (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Data Exfiltration Activity to an Unusual Region (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Rare Azure Activity Logs Event Failures (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Linux Network Connection Discovery (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Data Exfiltration Activity to an Unusual IP Address (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Anomalous Linux Compiler Activity (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual City for an Azure Activity Logs Event (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Region Name for Windows Privileged Operations Detected (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Linux System Information Discovery Activity (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Source IP for a User to Logon from (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Logon Events (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Country For a GCP Event (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Windows User Calling the Metadata Service (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Data Exfiltration Activity to an Unusual ISO Code (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Successful Logon Events from a Source IP (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Bytes Sent to an External Device via Airdrop (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Remote File Transfers (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Process Spawned by a Parent Process (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Data Exfiltration Activity to an Unusual Destination Port (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual City For a GCP Event (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Parent Process Detected with Suspicious Windows Process(es) (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Linux Network Configuration Discovery (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Group Name Accessed by a User (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Source IP for Okta Privileged Operations Detected (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in host-based traffic (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential DGA Activity (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@susan-shu-c susan-shu-c marked this pull request as ready for review March 13, 2026 15:53
@susan-shu-c susan-shu-c mentioned this pull request Mar 13, 2026
Merged
10 tasks
@jmcarlock
Copy link
Copy Markdown
Contributor

jmcarlock commented Mar 16, 2026

Confirmed that all of 105 ML jobs referenced here match the corresponding branches in Kibana/integrations

@botelastic botelastic bot added Domain: Cloud Integration: AWS AWS related rules Integration: Azure azure related rules Integration: GCP GCP related rules ML machine learning related rule labels Mar 26, 2026
@tradebot-elastic
Copy link
Copy Markdown

tradebot-elastic commented Mar 26, 2026
edited
Loading

⛔️ Test failed

Results
  • ❌ Spike in Group Privilege Change Events (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Remote File Size (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Source IP for Windows Privileged Operations Detected (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Special Logon Events (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Anomalous Windows Process Creation (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ High Command Line Entropy Detected for Privileged Commands (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ User Detected with Suspicious Windows Process(es) (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Group Membership Events (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Rare User Logon (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Windows Username (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Windows Service (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Powershell Script (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Windows User Privilege Elevation Activity (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Windows Remote User (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in User Lifecycle Management Change Events (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Network Destination Domain Name (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Number of Connections Made to a Destination IP (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Number of Processes in an RDP Session (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Sudo Activity (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Azure Activity Logs Failed Messages (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Linux User Calling the Metadata Service (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Privilege Type assigned to a User (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Host Name for Windows Privileged Operations Detected (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual GCP Event for a User (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Group Application Assignment Change Events (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Bytes Sent to an External Device (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ High Mean of Process Arguments in an RDP Session (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in User Account Management Events (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Linux Network Port Activity (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Number of Connections Made from a Source IP (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Time or Day for an RDP Session (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Process Spawned by a User (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Login Activity (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Windows Path Activity (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Process For a Linux Host (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Process Writing Data to an External Device (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Linux Network Activity (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Rare GCP Audit Failure Event Code (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Process Spawned by a Host (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Linux User Discovery Activity (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Linux Process Discovery Activity (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Process Detected for Privileged Commands by a User (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Anomalous Process For a Linux Population (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Process For a Windows Host (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Anomalous Process For a Windows Population (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Special Privilege Use Events (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Hour for a User to Logon (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual DNS Activity (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Group Management Events (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Country for an Azure Activity Logs Event (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Remote File Extension (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Azure Activity Logs Event for a User (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Host Name for Okta Privileged Operations Detected (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Web User Agent (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Web Request (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ DNS Tunneling (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Failed Logon Events (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Linux Process Calling the Metadata Service (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Spike in Concurrent Active Sessions by a User (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in GCP Audit Failed Messages (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ High Mean of RDP Session Duration (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ High Variance in RDP Session Duration (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Region Name for Okta Privileged Operations Detected (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Group Lifecycle Change Events (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Windows Process Calling the Metadata Service (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual AWS Command for a User (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Decline in host-based traffic (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Linux Username (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Windows Network Activity (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Privileged Command Execution by a User (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Host Detected with Suspicious Windows Process(es) (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Remote File Directory (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Data Exfiltration Activity to an Unusual Region (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Rare Azure Activity Logs Event Failures (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Linux Network Connection Discovery (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Data Exfiltration Activity to an Unusual IP Address (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Anomalous Linux Compiler Activity (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual City for an Azure Activity Logs Event (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Region Name for Windows Privileged Operations Detected (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Linux System Information Discovery Activity (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Source IP for a User to Logon from (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Logon Events (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Country For a GCP Event (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Windows User Calling the Metadata Service (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Data Exfiltration Activity to an Unusual ISO Code (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Successful Logon Events from a Source IP (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Bytes Sent to an External Device via Airdrop (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Remote File Transfers (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Process Spawned by a Parent Process (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Data Exfiltration Activity to an Unusual Destination Port (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual City For a GCP Event (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Parent Process Detected with Suspicious Windows Process(es) (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Linux Network Configuration Discovery (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Group Name Accessed by a User (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Source IP for Okta Privileged Operations Detected (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in host-based traffic (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential DGA Activity (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@terrancedejesus terrancedejesus self-requested a review March 26, 2026 14:57
@tradebot-elastic
Copy link
Copy Markdown

tradebot-elastic commented Mar 27, 2026
edited
Loading

⛔️ Test failed

Results
  • ❌ Spike in Group Privilege Change Events (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Remote File Size (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Source IP for Windows Privileged Operations Detected (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Special Logon Events (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Anomalous Windows Process Creation (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ High Command Line Entropy Detected for Privileged Commands (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ User Detected with Suspicious Windows Process(es) (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Group Membership Events (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Rare User Logon (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Windows Username (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Windows Service (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Powershell Script (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Windows User Privilege Elevation Activity (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Windows Remote User (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in User Lifecycle Management Change Events (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Network Destination Domain Name (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Number of Connections Made to a Destination IP (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Number of Processes in an RDP Session (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Sudo Activity (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Azure Activity Logs Failed Messages (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Linux User Calling the Metadata Service (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Privilege Type assigned to a User (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Host Name for Windows Privileged Operations Detected (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual GCP Event for a User (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Group Application Assignment Change Events (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Bytes Sent to an External Device (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ High Mean of Process Arguments in an RDP Session (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in User Account Management Events (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Linux Network Port Activity (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Number of Connections Made from a Source IP (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Time or Day for an RDP Session (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Process Spawned by a User (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Login Activity (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Windows Path Activity (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Rare Powershell Script (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Process For a Linux Host (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Process Writing Data to an External Device (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Linux Network Activity (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Rare GCP Audit Failure Event Code (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Process Spawned by a Host (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Linux User Discovery Activity (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Linux Process Discovery Activity (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Process Detected for Privileged Commands by a User (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Anomalous Process For a Linux Population (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Process For a Windows Host (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Anomalous Process For a Windows Population (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Special Privilege Use Events (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Hour for a User to Logon (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual DNS Activity (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Group Management Events (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Country for an Azure Activity Logs Event (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Remote File Extension (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Azure Activity Logs Event for a User (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Host Name for Okta Privileged Operations Detected (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Web User Agent (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Web Request (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ DNS Tunneling (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Failed Logon Events (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Linux Process Calling the Metadata Service (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Spike in Concurrent Active Sessions by a User (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in GCP Audit Failed Messages (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ High Mean of RDP Session Duration (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ High Variance in RDP Session Duration (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Region Name for Okta Privileged Operations Detected (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Group Lifecycle Change Events (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Windows Process Calling the Metadata Service (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual AWS Command for a User (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Decline in host-based traffic (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Linux Username (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Windows Network Activity (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Privileged Command Execution by a User (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Host Detected with Suspicious Windows Process(es) (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Remote File Directory (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Data Exfiltration Activity to an Unusual Region (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Rare Azure Activity Logs Event Failures (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Linux Network Connection Discovery (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Data Exfiltration Activity to an Unusual IP Address (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Anomalous Linux Compiler Activity (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual City for an Azure Activity Logs Event (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Region Name for Windows Privileged Operations Detected (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Linux System Information Discovery Activity (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Source IP for a User to Logon from (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Logon Events (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Country For a GCP Event (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Windows User Calling the Metadata Service (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Data Exfiltration Activity to an Unusual ISO Code (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Successful Logon Events from a Source IP (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Bytes Sent to an External Device via Airdrop (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Remote File Transfers (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Process Spawned by a Parent Process (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Data Exfiltration Activity to an Unusual Destination Port (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual City For a GCP Event (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Parent Process Detected with Suspicious Windows Process(es) (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Linux Network Configuration Discovery (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Group Name Accessed by a User (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Source IP for Okta Privileged Operations Detected (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in host-based traffic (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential DGA Activity (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@susan-shu-c
Copy link
Copy Markdown
Member Author

susan-shu-c commented Mar 27, 2026

I've also added a new rule rules/ml/execution_ml_windows_rare_script.toml which previously did not exist, to cover the ML job v3_windows_rare_script_ea which doesn't currently have a rule corresponding to it.

Commit with the new rule: 13179fd

I based the new rule off these two existing/similar rules, but requesting review:

rules/ml/execution_ml_windows_anomalous_script.toml
This is the rule for the job v3_windows_anomalous_script_ea which is what the v3_windows_rare_script_ea job was based off of originally. So I took the following:

  • MITRE mapping
  • Setup section
  • anomaly_threshold, risk_score, from/interval, tags

rules/ml/persistence_ml_rare_process_by_host_windows.toml

  • I took the false_positives and investigation steps roughly from here
  • Swapped boilerplate from process -> PowerShell script when applicable requires review - commit with new rule: 13179fd

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sodhikirti07 sodhikirti07 sodhikirti07 left review comments

@terrancedejesus terrancedejesus terrancedejesus approved these changes

@Mikaayenson Mikaayenson Awaiting requested review from Mikaayenson

@shashank-elastic shashank-elastic Awaiting requested review from shashank-elastic

At least 2 approving reviews are required to merge this pull request.

Assignees

@susan-shu-c susan-shu-c

Labels

backport: auto Domain: Cloud Integration: AWS AWS related rules Integration: Azure azure related rules Integration: GCP GCP related rules ML machine learning related rule Rule: Tuning tweaking or tuning an existing rule

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@susan-shu-c @tradebot-elastic @jmcarlock @terrancedejesus @sodhikirti07 @Mikaayenson