[Rule Tuning] Update Mitre Mappings and tags by Mikaayenson · Pull Request #5876 · elastic/detection-rules

Mikaayenson · 2026-03-23T22:00:38Z

Pull Request

Issue link(s):

Summary - What I changed

Leverages internal tradecraft tooling to mass update rules to use more appropriate tags/mitre mappings. Does not touch query or rule execution fields. Only adds supplemental mappings.

How To Test

CI Should pass

Checklist

Added a label for the type of pr: bug, enhancement, schema, maintenance, Rule: New, Rule: Deprecation, Rule: Tuning, Hunt: New, or Hunt: Tuning so guidelines can be generated
Added the meta:rapid-merge label if planning to merge within 24 hours
Secret and sensitive material has been managed correctly
Automated testing was updated or added to match the most common scenarios
Documentation and comments were added for features that require explanation

github-actions · 2026-03-23T22:00:50Z

github-actions · 2026-03-23T22:00:50Z

imays11

I'll continue review tomorrow

rules/integrations/aws/collection_cloudtrail_logging_created.toml

rules/integrations/aws/credential_access_iam_user_addition_to_group.toml

rules/integrations/aws/defense_evasion_rds_instance_restored.toml

tradebot-elastic · 2026-03-24T09:14:09Z

Starting the rule tests ...

rules/cross-platform/execution_potential_widespread_malware_infection.toml

Aegrah · 2026-03-24T09:23:53Z

rules/cross-platform/execution_pentest_eggshell_remote_admin_tool.toml

 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2026/02/04"
+updated_date = "2026/03/23"


We should deprecate this one

tradebot-elastic · 2026-03-24T09:40:37Z

Starting the rule tests ...

tradebot-elastic · 2026-03-24T09:41:40Z

Starting the rule tests ...

tradebot-elastic · 2026-03-24T09:50:09Z

Starting the rule tests ...

This reverts commit 9ae86ae.

This reverts commit e83ddf1.

tradebot-elastic · 2026-03-24T10:15:51Z

Starting the rule tests ...

tradebot-elastic · 2026-03-24T17:33:48Z

⛔️ Test failed

Results

❌ Direct Interactive Kubernetes API Request by Unusual Utilities (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ System Path File Creation and Execution Detected via Defend for Containers (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Ingress Tool Transfer Followed by Execution and Deletion Detected via Defend for Containers (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Direct Interactive Kubernetes API Request Detected via Defend for Containers (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Kubelet Certificate File Access Detected via Defend for Containers (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Web Server Potential Remote File Inclusion Activity (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Sensitive File Compression Detected via Defend for Containers (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Web Server Exploitation Detected via Defend for Containers (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Service Account Token or Certificate Access Followed by Kubernetes API Request (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Remote GitHub Actions Runner Registration (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Forbidden Direct Interactive Kubernetes API Request (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Web Server Local File Inclusion Activity (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Direct Interactive Kubernetes API Request by Common Utilities (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential Reverse Shell Activity via Terminal (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Netcat File Transfer or Listener Detected via Defend for Containers (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Payload Execution via Shell Pipe Detected by Defend for Containers (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential Direct Kubelet Access via Process Arguments Detected via Defend for Containers (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Suspicious Echo or Printf Execution Detected via Defend for Containers (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Tampering with RUNNER_TRACKING_ID in GitHub Actions Runners (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ File Execution Permission Modification Detected via Defend for Containers (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential SAP NetWeaver WebShell Creation (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta

tradebot-elastic · 2026-03-24T23:11:03Z

⛔️ Test failed

Results

❌ Attempt to Modify an Okta Policy Rule (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
✅ System Shells via Services (eql)
❌ System Binary Path File Permission Modification (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Uncommon Destination Port Connection by Web Server (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Google Workspace Suspended User Account Renewed (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Direct Interactive Kubernetes API Request by Unusual Utilities (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Azure Arc Cluster Credential Access by Identity from Unusual Source (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Spike in Group Privilege Change Events (-)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential Ransomware Note File Dropped via SMB (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
✅ Dumping Account Hashes via Built-In Commands (eql)
❌ M365 Exchange Email Safe Attachment Rule Disabled (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ GitHub Actions Unusual Bot Push to Repository (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
✅ High Number of Process and/or Service Terminations (kuery)
❌ Suspicious Dynamic Linker Discovery via od (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ First Time Python Accessed Sensitive Credential Files (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential Network Scan Executed From Host (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Multi-Base64 Decoding Attempt from Suspicious Location (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ First Time AWS CloudFormation Stack Creation (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Renaming of OpenSSH Binaries (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ High Number of Protected Branch Force Pushes by User (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Global Administrator Role Assigned (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ User Added to the Admin Group (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
✅ Suspicious Microsoft Antimalware Service Execution (eql)
❌ Systemd-udevd Rule File Creation (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ System Path File Creation and Execution Detected via Defend for Containers (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
✅ Conhost Spawned By Suspicious Parent Process (eql)
❌ Tainted Kernel Module Load (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Interactive Terminal Spawned via Perl (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Suspicious AWS S3 Connection via Script Interpreter (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Unusual Remote File Size (-)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Dynamic Linker (ld.so) Creation (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
✅ Remote Desktop Enabled in Windows Firewall by Netsh (eql)
❌ Local Account TokenFilter Policy Disabled (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Google Drive Ownership Transferred via Google Workspace (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
✅ Suspicious Browser Child Process (eql)
❌ Launch Service Creation and Immediate Loading (eql)
- stack_validation_failed: no_alerts - 0 alerts
❌ Potential PowerShell Obfuscation via Concatenated Dynamic Command Invocation (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Suspicious Hidden Child Process of Launchd (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Node.js Pre or Post-Install Script Execution (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Unusual Source IP for Windows Privileged Operations Detected (-)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Creation of Hidden Launch Agent or Daemon (eql)
- stack_validation_failed: no_alerts - 0 alerts
❌ Spike in Special Logon Events (-)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ High Number of Closed Pull Requests by User (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ File Creation, Execution and Self-Deletion in Suspicious Directory (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Statistical Model Detected C2 Beaconing Activity with High Confidence (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Yum Package Manager Plugin File Creation (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Anomalous Windows Process Creation (-)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ User account exposed to Kerberoasting (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Systemd Shell Execution During Boot (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ AWS IAM CompromisedKeyQuarantine Policy Attached to User (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential Shell via Wildcard Injection Detected (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential Hex Payload Execution via Common Utility (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Identity OAuth Illicit Consent Grant by Rare Client and User (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ High Command Line Entropy Detected for Privileged Commands (-)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Exchange Mailbox High-Risk Permission Delegated (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID OAuth User Impersonation to Microsoft Graph (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Nping Process Activity (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
✅ Execution of File Written or Modified by Microsoft Office (eql)
❌ AWS Access Token Used from Multiple Addresses (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential Persistence via Mandatory User Profile (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 OneDrive/SharePoint Excessive File Downloads (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ GCP Service Account Key Creation (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ MsBuild Making Network Connections (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ rc.local/rc.common File Creation (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Polkit Policy Creation (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Netcat Listener Established via rlwrap (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Kubernetes Creation or Modification of Sensitive Role (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Decoded Payload Piped to Interpreter Detected via Defend for Containers (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Kubernetes Sensitive Configuration File Activity (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ AWS SSM Inventory Reconnaissance by Rare User (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ WebProxy Settings Modification (eql)
- stack_validation_failed: no_alerts - 0 alerts
❌ Abnormally Large DNS Response (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ UAC Bypass via Windows Firewall Snap-In Hijack (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ AWS RDS Snapshot Export (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ PowerShell Script with Token Impersonation Capabilities (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ AWS Route 53 Domain Transfer Lock Disabled (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ User Detected with Suspicious Windows Process(es) (-)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Kubernetes Suspicious Self-Subject Review via Unusual User Agent (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Kubernetes Pod Created With HostNetwork (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Suspicious Cmd Execution via WMI (eql)
- stack_validation_failed: no_alerts - 0 alerts
❌ Pluggable Authentication Module (PAM) Version Discovery (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Spike in Group Membership Events (-)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential Ransomware Behavior - Note Files by System (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID External Guest User Invited (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ RPC (Remote Procedure Call) from the Internet (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Office Test Registry Persistence (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential Persistence via Time Provider Modification (eql)
- stack_validation_failed: no_alerts - 0 alerts
❌ Entra ID OAuth Phishing via First-Party Microsoft Application (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Successful Application SSO from Rare Unknown Client Device (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ AWS Lambda Function Policy Updated to Allow Public Invocation (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
✅ Virtual Private Network Connection Attempt (eql)
❌ Kubectl Permission Discovery (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential release_agent Container Escape Detected via Defend for Containers (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Suspicious SIP Check by macOS Application (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Azure Automation Runbook Created or Modified (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential CVE-2025-32463 Nsswitch File Creation (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential Kerberos Attack via Bifrost (eql)
- stack_validation_failed: no_alerts - 0 alerts
❌ Component Object Model Hijacking (eql)
- stack_validation_failed: no_alerts - 0 alerts
❌ AWS S3 Static Site JavaScript File Uploaded (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Startup/Logon Script added to Group Policy Object (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Persistence via a Windows Installer (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Unusual Windows Service (-)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Suspicious Powershell Script (-)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Unusual Windows User Privilege Elevation Activity (-)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Unusual Windows Remote User (-)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Spike in User Lifecycle Management Change Events (-)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Systemd Service Created (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Unusual Network Destination Domain Name (-)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Script Execution via Microsoft HTML Application (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Simple HTTP Web Server Connection (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ GCP Logging Sink Modification (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ AWS Secrets Manager Rapid Secrets Retrieval (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Spike in Number of Connections Made to a Destination IP (-)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential Persistence via File Modification (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential Privilege Escalation via Recently Compiled Executable (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Suspicious File Creation via Pkg Install Script (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Kernel Object File Creation (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ AWS Service Quotas Multi-Region GetServiceQuota Requests (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Spike in Number of Processes in an RDP Session (-)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ GitHub Exfiltration via High Number of Repository Clones by User (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Azure RBAC Built-In Administrator Roles Assigned (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Suspicious Network Tool Launch Detected via Defend for Containers (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Application Credential Modified (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential System Tampering via File Modification (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
✅ Execution of COM object via Xwizard (eql)
❌ AWS CloudTrail Log Suspended (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ User Account Creation (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Windows Server Update Service Spawning Suspicious Processes (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ BPF Program Tampering via bpftool (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential Internal Linux SSH Brute Force Detected (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Illicit Consent Grant via Registered Application (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Azure Kubernetes Services (AKS) Kubernetes Rolebindings Created (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ New GitHub App Installed (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Okta Sign-In Events via Third-Party IdP (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Domain Federation Configuration Change (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential Hex Payload Execution via Command-Line (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Remote File Download via Script Interpreter (eql)
- stack_validation_failed: no_alerts - 0 alerts
❌ Initial Access via File Upload Followed by GET Request (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential CVE-2025-32463 Sudo Chroot Execution Attempt (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ AWS IAM Roles Anywhere Profile Creation (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ PowerShell Script with Encryption/Decryption Capabilities (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Ingress Tool Transfer Followed by Execution and Deletion Detected via Defend for Containers (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ UAC Bypass via DiskCleanup Scheduled Task Hijack (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
✅ Potential Linux Hack Tool Launched (eql)
❌ Azure Storage Account Key Regenerated (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Creation of a DNS-Named Record (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Unusual Sudo Activity (-)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential Antimalware Scan Interface Bypass via PowerShell (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ High Number of Egress Network Connections from Unusual Executable (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Unusual Network Activity from a Windows System Binary (eql)
- stack_validation_failed: no_alerts - 0 alerts
❌ Exploit - Detected - Elastic Endgame (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
✅ Suspicious .NET Code Compilation (eql)
❌ Executable Masquerading as Kernel Process (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
✅ Creation or Modification of Root Certificate (eql)
❌ Suspicious Web Browser Sensitive File Access (eql)
- stack_validation_failed: no_alerts - 0 alerts
❌ Werfault ReflectDebugger Persistence (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ AWS SNS Topic Message Publish by Rare User (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential Reverse Shell via Child (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ New GitHub Personal Access Token (PAT) Added (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ First Time Seen Google Workspace OAuth Login from Third-Party Application (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Kubernetes Secret or ConfigMap Access via Azure Arc Proxy (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Encoded Payload Detected via Defend for Containers (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ AWS S3 Bucket Configuration Deletion (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ GCP Storage Bucket Permissions Modification (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential Kubectl Masquerading via Unexpected Process (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Unknown Execution of Binary with RWX Memory Region (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential SAP NetWeaver Exploitation (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Sensitive Keys Or Passwords Searched For Inside A Container (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential Okta Brute Force (Device Token Rotation) (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ New GitHub Owner Added (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
✅ Lateral Movement via Startup Folder (eql)
❌ First Time Python Created a LaunchAgent or LaunchDaemon (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential Kubeletctl Execution Detected via Defend for Containers (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential Reverse Shell via Background Process (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Network Activity Detected via Kworker (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Insecure AWS EC2 VPC Security Group Ingress Rule Added (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential Suspicious DebugFS Root Device Access (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Persistence via Update Orchestrator Service Hijack (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Successful SSH Authentication from Unusual SSH Public Key (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential Defense Evasion via Doas (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Direct Interactive Kubernetes API Request Detected via Defend for Containers (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Exchange Mail Flow Transport Rule Modified (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Unusual Privilege Type assigned to a User (-)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ GCP Firewall Rule Modification (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Suspicious Process Execution Detected via Defend for Containers (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Deprecated - M365 Teams External Access Enabled (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Account Discovery Command via SYSTEM Account (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Exploit - Prevented - Elastic Endgame (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ AWS STS Role Assumption by User (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Root Network Connection via GDB CAP_SYS_PTRACE (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Sudo Command Enumeration Detected (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Privilege Escalation via SUID/SGID (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Shell Configuration Creation (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ AWS EC2 Security Group Configuration Change (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ UAC Bypass Attempt via Windows Directory Masquerading (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Web Shell Detection: Script Process Child of Common Web Processes (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ New Okta Identity Provider (IdP) Added by Admin (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Linux SSH X11 Forwarding (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft Graph Request User Impersonation by Unusual Client (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential Code Execution via Postgresql (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ ESXI Discovery via Grep (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Unusual Host Name for Windows Privileged Operations Detected (-)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
✅ Suspicious Microsoft Diagnostics Wizard Execution (eql)
❌ Potential Foxmail Exploitation (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ BPF Program or Map Load via bpftool (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential Kerberos Relay Attack against a Computer Account (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Command and Scripting Interpreter via Windows Scripts (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Unusual Kernel Module Enumeration (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Kubernetes Potential Endpoint Permission Enumeration Attempt by Anonymous User Detected (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential THC Tool Downloaded (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Identity Unusual SSO Authentication Errors for User (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Wireless Credential Dumping using Netsh Command (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential File Transfer via Curl for Windows (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Unusual GCP Event for a User (-)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Renamed Automation Script Interpreter (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential Process Injection via PowerShell (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Halfbaked Command and Control Beacon (lucene)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Creation of a Hidden Local User Account (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ PowerShell Suspicious Script with Audio Capture Capabilities (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Attempt to Disable Syslog Service (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ GCP Firewall Rule Creation (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Suspicious File Made Executable via Chmod Inside A Container (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Windows Script Execution from Archive (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ AWS STS GetCallerIdentity API Called for the First Time (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Inbound Connection to an Unsecure Elasticsearch Node (lucene)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Bypass UAC via Event Viewer (eql)
- stack_validation_failed: no_alerts - 0 alerts
❌ GCP Pub/Sub Topic Deletion (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Network Connection from Binary with RWX Memory Region (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Azure VNet Network Watcher Deleted (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Spike in Group Application Assignment Change Events (-)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ RPC (Remote Procedure Call) to the Internet (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
✅ Suspicious MS Outlook Child Process (eql)
❌ Directory Creation in /bin directory (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ AWS IAM User Addition to Group (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ ESXI Discovery via Find (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential Privilege Escalation via SUID/SGID Proxy Execution (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Dynamic Linker Modification Detected via Defend for Containers (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ AWS CLI Command with Custom Endpoint URL (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Accepted Default Telnet Port Connection (kuery)
- stack_validation_failed: no_alerts - 0 alerts
✅ Execution via Electron Child Process Node.js Module (eql)
✅ Port Forwarding Rule Addition (eql)
❌ Spike in Bytes Sent to an External Device (-)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ File System Debugger Launched Inside a Container (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
✅ Unusual Parent-Child Relationship (eql)
❌ Network Traffic to Rare Destination Country (-)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Identity OAuth Flow by First-Party Microsoft App from Multiple IPs (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Process Started from Process ID (PID) File (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ High Mean of Process Arguments in an RDP Session (-)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential Suspicious File Edit (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID OAuth Flow by Microsoft Authentication Broker to Device Registration Service (DRS) (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Disabling Lsa Protection via Registry Modification (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Spike in User Account Management Events (-)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Attempted Bypass of Okta MFA (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Prompt for Credentials with Osascript (eql)
- stack_validation_failed: no_alerts - 0 alerts
❌ M365 Identity Login from Impossible Travel Location (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID User Added as Service Principal Owner (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ External User Added to Google Workspace Group (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ AWS EC2 Network Access Control List Creation (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
✅ Persistence via Microsoft Outlook VBA (eql)
❌ Systemd Generator Created (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Kubernetes Anonymous User Create/Update/Patch Pods Request (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Suspicious Module Loaded by LSASS (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ WDAC Policy File by an Unusual Process (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ VNC (Virtual Network Computing) to the Internet (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Azure VNet Full Network Packet Capture Enabled (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Suspicious Kernel Feature Activity (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ SSH Authorized Keys File Deletion (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential Impersonation Attempt via Kubectl (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Unusual Linux Network Port Activity (-)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Kubernetes Sensitive RBAC Change Followed by Workload Modification (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Kernel Seeking Activity (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Unusual Pkexec Execution (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ ScreenConnect Server Spawning Suspicious Processes (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID OAuth Device Code Flow with Concurrent Sign-ins (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ AWS SNS Rare Protocol Subscription by User (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ AWS CloudTrail Log Updated (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Spike in Number of Connections Made from a Source IP (-)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Suspicious Execution via Windows Subsystem for Linux (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Kernel Driver Load (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
✅ Suspicious Emond Child Process (eql)
❌ Potential Remote File Execution via MSIEXEC (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Remote File Creation in World Writeable Directory (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Privilege Escalation via Named Pipe Impersonation (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Suspicious Process Creation CallTrace (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential Protocol Tunneling via Chisel Client (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
✅ Binary Executed from Shared Memory Directory (eql)
❌ Potential Data Exfiltration via Rclone (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Unusual Time or Day for an RDP Session (-)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ DNF Package Manager Plugin File Creation (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Unusual Process Spawned by a User (-)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Unusual Persistence via Services Registry (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ New GitHub Self Hosted Action Runner (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID OAuth PRT Issuance to Non-Managed Device Detected (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Exchange Inbox Phishing Evasion Rule Created (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ AWS Sensitive IAM Operations Performed via CloudShell (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
✅ Potential Hidden Local User Account Creation (eql)
❌ Unusual Login via System User (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID External Authentication Methods (EAM) Modified (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Kubelet Certificate File Access Detected via Defend for Containers (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Linux User Added to Privileged Group (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential snap-confine Privilege Escalation via CVE-2026-3888 (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Permission Theft - Prevented - Elastic Endgame (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Web Server Potential Remote File Inclusion Activity (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
✅ Potential Local NTLM Relay via HTTP (eql)
❌ Browser Process Spawned from an Unusual Parent (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ AWS IAM OIDC Provider Created by Rare User (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ System V Init Script Created (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Credential Access via TruffleHog Execution (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Sensitive File Compression Detected via Defend for Containers (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Cupsd or Foomatic-rip Shell Execution (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Suspicious Remote Registry Access via SeBackupPrivilege (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
✅ Apple Script Execution followed by Network Connection (eql)
❌ Potential Database Dumping Activity (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ New USB Storage Device Mounted (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Exchange Mailbox Accessed by Unusual Client (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential Reverse Shell (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Suspicious Microsoft HTML Application Child Process (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Remote XSL Script Execution via COM (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 SharePoint/OneDrive File Access via PowerShell (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Agent Spoofing - Multiple Hosts Using Same Agent (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential Linux Backdoor User Account Creation (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Application Removed from Blocklist in Google Workspace (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Web Server Exploitation Detected via Defend for Containers (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Federated Identity Credential Issuer Modified (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Possible FIN7 DGA Command and Control Behavior (lucene)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential Unauthorized Access via Wildcard Injection Detected (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Connection to Common Large Language Model Endpoints (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Container Management Utility Run Inside A Container (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Kubernetes Forbidden Request from Unusual User Agent (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ ProxyChains Activity (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Unusual Process Writing Data to an External Device (-)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Service Account Token or Certificate Access Followed by Kubernetes API Request (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Unusual SSHD Child Process (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Kernel Load or Unload via Kexec Detected (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Docker Release File Creation (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ AWS Management Console Brute Force of Root User Identity (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
✅ Attempt to Disable Gatekeeper (eql)
❌ Process Spawned from Message-of-the-Day (MOTD) (eql)
- stack_validation_failed: no_alerts - 0 alerts
❌ Suspicious Script Object Execution (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Unauthorized Access to an Okta Application (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Kernel Unpacking Activity (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Execution via TSClient Mountpoint (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Registry Persistence via AppCert DLL (eql)
- stack_validation_failed: no_alerts - 0 alerts
❌ M365 Exchange DKIM Signing Configuration Disabled (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ GCP Logging Sink Deletion (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Tainted Out-Of-Tree Kernel Module Load (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Incoming DCOM Lateral Movement with MMC (eql)
- stack_validation_failed: no_alerts - 0 alerts
❌ Linux Restricted Shell Breakout via Linux Binary(s) (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Tool Installation Detected via Defend for Containers (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Suspicious CronTab Creation or Modification (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Suspicious Network Activity to the Internet by Previously Unknown Executable (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Statistical Model Detected C2 Beaconing Activity (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
✅ Suspicious PDF Reader Child Process (eql)
❌ Pluggable Authentication Module (PAM) Source Download (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Network Connection to OAST Domain via Script Interpreter (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Uncommon Registry Persistence Change (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Exchange Mailbox Export via PowerShell (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
✅ Network Logon Provider Registry Modification (eql)
❌ Suspicious Execution with NodeJS (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
✅ Potential Admin Group Account Addition (eql)
❌ GCP Logging Bucket Deletion (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ VNC (Virtual Network Computing) from the Internet (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ AWS Credentials Searched For Inside A Container (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ DNS Global Query Block List Modified or Disabled (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Remote GitHub Actions Runner Registration (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Unusual Web Config File Access (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Zoom Meeting with no Passcode (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential Privilege Escalation via InstallerFileTakeOver (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Unusual Process Modifying GenAI Configuration File (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ AWS CloudTrail Log Created (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ AWS S3 Unauthenticated Bucket Access by Rare Source (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ IPv4/IPv6 Forwarding Activity (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ UAC Bypass Attempt via Privileged IFileOperation COM Interface (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Command Line Obfuscation via Whitespace Padding (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ ROT Encoded Python Script Execution (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Remote SSH Login Enabled via systemsetup Command (eql)
- stack_validation_failed: no_alerts - 0 alerts
❌ Virtual Machine Fingerprinting (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Suspicious which Enumeration (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Successful SSH Authentication from Unusual User (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Deprecated - Suspicious PrintSpooler Service Executable File Creation (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Boot File Copy (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Base64 Decoded Payload Piped to Interpreter (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Process Capability Enumeration (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Successful SSH Authentication from Unusual IP Address (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ PowerShell Script with Veeam Credential Access Capabilities (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Pluggable Authentication Module (PAM) Creation in Unusual Directory (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential Meterpreter Reverse Shell (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Outbound Scheduled Task Activity via PowerShell (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ User Added to Privileged Group in Active Directory (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
✅ Persistence via PowerShell profile (eql)
✅ Persistence via Login or Logout Hook (eql)
❌ Forbidden Direct Interactive Kubernetes API Request (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
✅ Suspicious Execution via Scheduled Task (eql)
❌ Unsigned DLL loaded by DNS Service (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Suspicious Automator Workflows Execution (eql)
- stack_validation_failed: no_alerts - 0 alerts
❌ Google Workspace 2SV Policy Disabled (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential CVE-2025-33053 Exploitation (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Memory Swap Modification (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Deprecated - M365 Teams Guest Access Enabled (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Unusual Process Detected for Privileged Commands by a User (-)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ AWS S3 Bucket Enumeration or Brute Force (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Discovery Command Output Written to Suspicious File (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Deprecated - M365 Exchange DLP Policy Deleted (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
✅ Unusual Process Network Connection (eql)
❌ Entra ID Service Principal Federated Credential Authentication by Unusual Client (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ FortiGate FortiCloud SSO Login from Unusual Source (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ PowerShell Suspicious Discovery Related Windows API Functions (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ AdminSDHolder SDProp Exclusion Added (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Multiple Okta Sessions Detected for a Single User (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Incoming DCOM Lateral Movement via MSHTA (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Private Key Searching Activity (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Process Backgrounded by Unusual Parent (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 SharePoint Site Sharing Policy Weakened (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Network Connection Initiated by Suspicious SSHD Child Process (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Kubernetes Suspicious Assignment of Controller Service Account (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Kubernetes Denied Service Account Request via Unusual User Agent (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Kubernetes Anonymous Request Authorized by Unusual User Agent (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Sensitive Registry Hive Access via RegBack (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential Git CVE-2025-48384 Exploitation (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Dynamic Linker Creation (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ System Public IP Discovery via DNS Query (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Modification of Safari Settings via Defaults Command (eql)
- stack_validation_failed: no_alerts - 0 alerts
❌ Network Connection via Recently Compiled Executable (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential PowerShell Obfuscation via Invalid Escape Sequences (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Manual Memory Dumping via Proc Filesystem (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Unusual LD_PRELOAD/LD_LIBRARY_PATH Command Line Arguments (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Unusual Execution from Kernel Thread (kthreadd) Parent (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Unusual Web Server Command Execution (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Kubernetes Exposed Service Created With Type NodePort (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Service Account Token or Certificate Read Detected via Defend for Containers (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Unauthorized Scope for Public App OAuth2 Token Grant with Client Credentials (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ WebServer Access Logs Deleted (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Connection to Commonly Abused Web Services (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Linux Process Hooking via GDB (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
✅ Suspicious macOS MS Office Child Process (eql)
❌ Modification of the msPKIAccountCredentials (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Attempt to Modify an Okta Policy (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Exchange Mailbox Audit Logging Bypass Added (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Rare Connection to WebDAV Target (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ High Number of Process Terminations (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Exchange Federated Domain Created or Modified (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Persistence via TelemetryController Scheduled Task Hijack (eql)
- stack_validation_failed: no_alerts - 0 alerts
❌ Google Workspace Admin Role Assigned to a User (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ AWS CloudWatch Log Group Deletion (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Suspicious Access to LDAP Attributes (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ UAC Bypass via ICMLuaUtil Elevated COM Interface (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Suspicious Path Mounted (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ AWS KMS Customer Managed Key Disabled or Scheduled for Deletion (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ AWS IAM User Created Access Keys For Another User (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Suspicious rc.local Error Message (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ AWS Sign-In Root Password Recovery Requested (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Attempt to Disable Auditd Service (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
✅ Unusual Service Host Child Process - Childless Service (eql)
✅ Exporting Exchange Mailbox via PowerShell (eql)
❌ Suspicious Utility Launched via ProxyChains (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Suspicious Curl to Google App Script Endpoint (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
✅ Sensitive Files Compression (kuery)
❌ Remote Computer Account DnsHostName Update (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Container Management Utility Execution Detected via Defend for Containers (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
✅ Microsoft Exchange Server UM Writing Suspicious Files (eql)
❌ Unusual Process For a Windows Host (-)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential Privilege Escalation via CVE-2023-4911 (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Suspicious Curl from macOS Application (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential PowerShell Obfuscation via Special Character Overuse (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ First Time Seen Remote Monitoring and Management Tool (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ System and Network Configuration Check (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Enumeration of Users or Groups via Built-in Commands (eql)
- stack_validation_failed: no_alerts - 0 alerts
❌ Unusual Exim4 Child Process (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential Linux Tunneling and/or Port Forwarding (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Active Directory Group Modification by SYSTEM (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ First Occurrence of Okta User Session Started via Proxy (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Google Workspace Role Modified (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Spike in Special Privilege Use Events (-)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Git Repository or File Download to Suspicious Directory (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ AWS CloudTrail Log Deleted (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Persistence via WMI Standard Registry Provider (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ AWS EC2 EBS Snapshot Access Removed (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Kubernetes Container Created with Excessive Linux Capabilities (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Modification of Dynamic Linker Preload Shared Object (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Suspicious Passwd File Event Action (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ AWS IAM Roles Anywhere Trust Anchor Created with External CA (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Deprecated - M365 Security Compliance Potential Ransomware Activity (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Suspicious Network Tool Launched Inside A Container (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Attempt to Reset MFA Factors for an Okta User Account (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID User Sign-in with Unusual Non-Managed Device (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Suspicious JetBrains TeamCity Child Process (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential Execution of rc.local Script (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ AWS API Activity from Uncommon S3 Client by Rare User (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Curl SOCKS Proxy Activity from Unusual Parent (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Interactive Privilege Boundary Enumeration Detected via Defend for Containers (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential PowerShell Obfuscated Script via High Entropy (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential Modification of Accessibility Binaries (eql)
- stack_validation_failed: no_alerts - 0 alerts
❌ Modification of Environment Variable via Unsigned or Untrusted Parent (eql)
- stack_validation_failed: no_alerts - 0 alerts
❌ Unusual DNS Activity (-)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ DNS Enumeration Detected via Defend for Containers (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ AWS Discovery API Calls via CLI from a Single Resource (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Spike in Group Management Events (-)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential Privilege Escalation via Sudoers File Modification (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Access to a Sensitive LDAP Attribute (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Privilege Escalation via Rogue Named Pipe Impersonation (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Unusual Country for an Azure Activity Logs Event (-)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential Reverse Shell via Suspicious Child Process (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
✅ Potential Remote Desktop Tunneling Detected (eql)
✅ Enumeration Command Spawned via WMIPrvSE (eql)
❌ Potential Malware-Driven SSH Brute Force Attempt (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID User Added as Registered Application Owner (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ UID Elevation from Previously Unknown Executable (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential Network Sweep Detected (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Yum/DNF Plugin Status Discovery (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Application Added to Google Workspace Domain (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Privileged Identity Management (PIM) Role Modified (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Unusual Kubernetes Sensitive Workload Modification (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Suspicious ScreenConnect Client Child Process (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Suspicious File Renamed via SMB (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Unsigned DLL Loaded by Svchost (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Azure Key Vault Modified (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Execution of a Downloaded Windows Script (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Linux User Account Credential Modification (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential File Transfer via Certreq (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential Shadow Credentials added to AD Object (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential Privilege Escalation through Writable Docker Socket (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential Execution via SSH Backdoor (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ APT Package Manager Configuration File Creation (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Google Workspace Bitlocker Setting Disabled (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Git Hook Child Process (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ GCP Service Account Creation (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ AWS Lambda Layer Added to Existing Function (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential Execution via FileFix Phishing Attack (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Suspicious Kworker UID Elevation (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft Management Console File from Unusual Path (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Security File Access via Common Utilities (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential Notepad Markdown RCE Exploitation (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
✅ Suspicious WMIC XSL Script Execution (eql)
❌ Potential Webshell Deployed via Apache Struts CVE-2023-50164 Exploitation (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Python Path File (pth) Creation (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Systemd Timer Created (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential AWS S3 Bucket Ransomware Note Uploaded (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Deprecated - Potential PowerShell Obfuscated Script (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Unusual City For an AWS Command (-)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Unusual Remote File Extension (-)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Gatekeeper Override and Execution (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Unusual Azure Activity Logs Event for a User (-)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ PowerShell Suspicious Payload Encoded and Compressed (kuery)
- stack_validation_failed: no_alerts - 0 alerts
❌ Temporarily Scheduled Task Creation (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Apple Scripting Execution with Administrator Privileges (eql)
- stack_validation_failed: no_alerts - 0 alerts
❌ Suspicious Path Invocation from Command Line (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Manual Dracut Execution (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Suspicious Windows Powershell Arguments (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Attempt to Disable IPTables or Firewall (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ AWS EC2 Unauthorized Admin Credential Fetch via Assumed Role (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ At Job Created or Modified (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential PowerShell Obfuscation via Character Array Reconstruction (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential Subnet Scanning Activity from Compromised Host (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ NetworkManager Dispatcher Script Creation (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ AWS EC2 Instance Connect SSH Public Key Uploaded (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ AWS EventBridge Rule Disabled or Deleted (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Kubectl Network Configuration Modification (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Identity Global Administrator Role Assigned (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential Sudo Hijacking (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Kerberos Traffic from Unusual Process (eql)
- stack_validation_failed: no_alerts - 0 alerts
❌ Suspicious Command Prompt Network Connection (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
✅ Persistence via DirectoryService Plugin Modification (eql)
❌ Suspicious Symbolic Link Created (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential Okta MFA Bombing via Push Notifications (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ SUID/SGID Bit Set (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Suspicious Execution from a Mounted Device (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Kubernetes Unusual Decision by User Agent (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Attempt to Deactivate an Okta Network Zone (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Unusual Command Execution from Web Server Parent (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
✅ Potential Sudo Privilege Escalation via CVE-2019-14287 (eql)
❌ Azure Kubernetes Services (AKS) Kubernetes Events Deleted (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Several Failed Protected Branch Force Pushes by User (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ RDP (Remote Desktop Protocol) from the Internet (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
✅ Unusual Child Process of dns.exe (eql)
❌ Potential SharpRDP Behavior (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential Linux Tunneling and/or Port Forwarding via Command Line (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Unusual Host Name for Okta Privileged Operations Detected (-)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential Successful SSH Brute Force Attack (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Proxy Execution via Windows OpenSSH (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID OAuth ROPC Grant Login Detected (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential Data Exfiltration Through Wget (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Elevated Access to User Access Administrator (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential Privilege Escalation via PKEXEC (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Azure Automation Runbook Deleted (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential WSUS Abuse for Lateral Movement (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Actor Token User Impersonation Abuse (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ File Transfer Utility Launched from Unusual Parent (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential Port Monitor or Print Processor Registration Abuse (eql)
- stack_validation_failed: no_alerts - 0 alerts
❌ Linux User or Group Deletion (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Hping Process Activity (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Simple HTTP Web Server Creation (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Keychain Password Retrieval via Command Line (eql)
- stack_validation_failed: no_alerts - 0 alerts
❌ Web Server Local File Inclusion Activity (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Unusual Cloud Device Registration (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ GCP Virtual Private Cloud Route Creation (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Unusual Web Request (-)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ DNS Tunneling (-)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Identity OAuth Phishing via First-Party Microsoft Application (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ First Time Python Spawned a Shell on Host (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential Evasion via Windows Filtering Platform (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ AWS STS Role Assumption by Service (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Sudoers File Activity (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Deprecated - Encoded Executable Stored in the Registry (eql)
- stack_validation_failed: no_alerts - 0 alerts
❌ Google Workspace Admin Role Deletion (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Executable Bit Set for Potential Persistence Script (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential PowerShell Pass-the-Hash/Relay Script (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ D-Bus Service Created (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Multiple Okta User Authentication Events with Same Device Token Hash (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ AWS STS AssumeRoot by Rare User and Member Account (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Sensitive Keys Or Passwords Search Detected via Defend for Containers (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ AWS DynamoDB Scan by Unusual User (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Attempt to Create Okta API Token (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Message-of-the-Day (MOTD) File Creation (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential Backdoor Execution Through PAM_EXEC (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Unusual D-Bus Daemon Child Process (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ GCP Storage Bucket Configuration Modification (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ DebugFS Execution Detected via Defend for Containers (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Unusual Process Spawned from Web Server Parent (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ AWS IAM SAML Provider Updated (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potentially Successful Okta MFA Bombing via Push Notifications (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
✅ Suspicious Zoom Child Process (eql)
❌ Suspicious Renaming of ESXI Files (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Startup or Run Key Registry Modification (eql)
- stack_validation_failed: no_alerts - 0 alerts
❌ Google Workspace Drive Encryption Key(s) Accessed from Anonymous User (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Git Hook Egress Network Connection (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Suspicious Execution from Foomatic-rip or Cupsd Parent (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ GCP IAM Service Account Key Deletion (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Exchange Management Group Role Assigned (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 SharePoint Site Administrator Added (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Suspicious Installer Package Spawns Network Event (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential Kerberos SPN Spoofing via Suspicious DNS Query (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Spike in Failed Logon Events (-)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
✅ Suspicious Explorer Child Process (eql)
❌ Kubeconfig File Discovery (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ AWS IAM AdministratorAccess Policy Attached to User (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Suspicious Shell Execution via Velociraptor (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ GitHub Owner Role Granted To User (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Privilege Escalation via CAP_SETUID/SETGID Capabilities (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential Command Shell via NetCat (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Unusual Interactive Shell Launched from System User (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential Enumeration via Active Directory Web Service (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft Build Engine Started by a Script Process (kuery)
- stack_validation_failed: no_alerts - 0 alerts
✅ Microsoft Build Engine Started by a System Process (eql)
✅ Microsoft Build Engine Started an Unusual Process (kuery)
❌ Process Injection by the Microsoft Build Engine (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Direct Interactive Kubernetes API Request by Common Utilities (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Tunneling and/or Port Forwarding Detected via Defend for Containers (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID User Sign-in with Unusual Authentication Type (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential SSH Password Grabbing via strace (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Okta AiTM Session Cookie Replay (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Suricata and Elastic Defend Network Correlation (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ PowerShell Obfuscation via Negative Index String Reversal (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ AWS RDS DB Instance Made Public (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential Protocol Tunneling via EarthWorm (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Dynamic IEX Reconstruction via Method String Access (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ File Permission Modification in Writable Directory (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential Privilege Escalation via Python cap_setuid (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Sensitive File Access followed by Compression (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ GCP Pub/Sub Topic Creation (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ File Deletion via Shred (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Windows Subsystem for Linux Distribution Installed (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ GCP Virtual Private Cloud Route Deletion (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential Reverse Shell Activity via Terminal (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Protection Admin Confirmed Compromise (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Linux Group Creation (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Unusual Preload Environment Variable Process Execution (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ AWS STS AssumeRole with New MFA Device (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Google Workspace Restrictions for Marketplace Modified to Allow Any App (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Kubernetes Cluster-Admin Role Binding Created (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Unusual Spike in Concurrent Active Sessions by a User (-)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Sharepoint or OneDrive Accessed by Unusual Client (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Execution via local SxS Shared Module (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Windows Registry File Creation in SMB Share (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Suspicious SolarWinds Web Help Desk Java Module Load or Child Process (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Netcat File Transfer or Listener Detected via Defend for Containers (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential Reverse Shell via UDP (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ AWS IAM Assume Role Policy Update (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
✅ Suspicious MS Office Child Process (eql)
❌ Execution via GitHub Actions Runner (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Emond Rules Creation or Modification (eql)
- stack_validation_failed: no_alerts - 0 alerts
❌ Entra ID Protection User Alert and Device Registration (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ High Mean of RDP Session Duration (-)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Payload Execution via Shell Pipe Detected by Defend for Containers (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Execution via OpenClaw Agent (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Privileged Docker Container Creation (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ AWS IAM SAML Provider Created (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Suspicious Curl to Jamf Endpoint (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID OAuth Device Code Grant by Microsoft Authentication Broker (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Authentication via Unusual PAM Grantor (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Suspicious File Downloaded from Google Drive (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ File Download Detected via Defend for Containers (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Azure Storage Blob Retrieval via AzCopy (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ AWS EC2 LOLBin Execution via SSM SendCommand (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ High Variance in RDP Session Duration (-)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Unusual Region Name for Okta Privileged Operations Detected (-)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Exchange Email Safe Link Policy Disabled (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Google Workspace Password Policy Modified (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Persistence via Hidden Run Key Detected (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ IPSEC NAT Traversal Port Activity (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Script Interpreter Connection to Non-Standard Port (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Spike in Group Lifecycle Change Events (-)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ GCP IAM Custom Role Creation (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ System Log File Deletion (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Remotely Started Services via RPC (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ GRUB Configuration Generation through Built-in Utilities (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Remote Execution via File Shares (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential Telnet Authentication Bypass (CVE-2026-24061) (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Unusual Library Load via Python (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Perl Outbound Network Connection (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Unusual Windows Process Calling the Metadata Service (-)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Google Calendar C2 via Script Interpreter (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential Persistence via Login Hook (kuery)
- stack_validation_failed: no_alerts - 0 alerts
❌ Suspicious WerFault Child Process (eql)
- stack_validation_failed: no_alerts - 0 alerts
❌ Git Hook Created or Modified (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Outlook Home Page Registry Modification (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ WPS Office Exploitation via DLL Hijack (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Unusual AWS Command for a User (-)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential Invoke-Mimikatz PowerShell Script (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Google Workspace API Access Granted via Domain-Wide Delegation (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
✅ Potential Command and Control via Internet Explorer (eql)
❌ Potential macOS SSH Brute Force Detected (kuery)
- stack_validation_failed: no_alerts - 0 alerts
❌ Suspicious Managed Code Hosting Process (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Signed Proxy Execution via MS Work Folders (eql)
- stack_validation_failed: no_alerts - 0 alerts
❌ Google Workspace Custom Admin Role Created (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Openssl Client or Server Activity (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Decline in host-based traffic (-)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Suspicious Portable Executable Encoded in Powershell Script (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Kerberos Cached Credentials Dumping (eql)
- stack_validation_failed: no_alerts - 0 alerts
❌ Suspicious APT Package Manager Execution (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ File Transfer or Listener Established via Netcat (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Suspicious Communication App Child Process (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
✅ Suspicious File Creation via Kworker (eql)
❌ Suspicious React Server Child Process (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Suspicious Execution via Microsoft Office Add-Ins (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Shared Object Created by Previously Unknown Process (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Linux Telegram API Request (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID OAuth Device Code Grant by Unusual User (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Unusual User Privilege Enumeration via id (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Network Activity Detected via cat (eql)
- stack_validation_failed: no_alerts - 0 alerts
❌ Curl Execution via Shell Profile (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential Privilege Escalation via Container Misconfiguration (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ TCC Bypass via Mounted APFS Snapshot Access (eql)
- stack_validation_failed: no_alerts - 0 alerts
❌ Unusual Network Connection to Suspicious Web Service (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential Dynamic IEX Reconstruction via Environment Variables (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Kubeconfig File Creation or Modification (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential Traffic Tunneling using QEMU (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Network Connection via Compiled HTML File (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ GenAI Process Compiling or Generating Executables (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ AWS RDS Snapshot Deleted (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
✅ Suspicious Endpoint Security Parent Process (eql)
❌ Potential Persistence via Atom Init Script Modification (eql)
- stack_validation_failed: no_alerts - 0 alerts
❌ Attempt to Delete an Okta Policy (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential Direct Kubelet Access via Process Arguments Detected via Defend for Containers (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential Privilege Escalation via OverlayFS (eql)
- stack_validation_failed: no_alerts - 0 alerts
❌ Kubernetes Direct API Request via Curl or Wget (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Systemd Service Started by Unusual Parent Process (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ AWS CloudShell Environment Created (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Elastic Agent Service Terminated (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Windows Script Interpreter Executing Process via WMI (eql)
- stack_validation_failed: no_alerts - 0 alerts
❌ Potential Veeam Credential Access Command (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential Privilege Escalation via Service ImagePath Modification (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Azure Event Hub Authorization Rule Created or Updated (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Attempt to Deactivate an Okta Policy (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ FortiGate Configuration File Downloaded (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Administrator Privileges Assigned to an Okta Group (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ PowerShell Invoke-NinjaCopy script (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
✅ Creation or Modification of Domain Backup DPAPI private key (eql)
❌ Network Connection via MsXsl (eql)
- stack_validation_failed: no_alerts - 0 alerts
✅ UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface (eql)
❌ Chkconfig Service Add (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ SolarWinds Process Disabling Services via Registry (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ File Creation by Cups or Foomatic-rip Child (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Unusual Windows Network Activity (-)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ AWS STS Role Chaining (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Kernel Driver Load by non-root User (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Suspicious Image Load (taskschd.dll) from MS Office (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ AWS SQS Queue Purge (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ AWS EC2 Encryption Disabled (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential Etherhiding C2 via Blockchain Connection (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Teams Custom Application Interaction Enabled (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential Privilege Escalation via Enlightenment (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Conditional Access Policy (CAP) Modified (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Machine Learning Detected DGA activity using a known SUNBURST DNS domain (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Protection Alerts for User Detected (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Manual Mount Discovery via /etc/exports or /etc/fstab (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Spike in Privileged Command Execution by a User (-)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Suspicious Print Spooler Point and Print DLL (eql)
- stack_validation_failed: no_alerts - 0 alerts
❌ Potential Privileged Escalation via SamAccountName Spoofing (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Execution via Windows Command Debugging Utility (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Host Detected with Suspicious Windows Process(es) (-)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Unusual Remote File Directory (-)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential Data Exfiltration Through Curl (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ AWS RDS DB Instance Restored (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Suspicious DLL Loaded for Persistence or Privilege Escalation (eql)
- stack_validation_failed: no_alerts - 0 alerts
❌ GenAI Process Accessing Sensitive Files (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential Privacy Control Bypass via Localhost Secure Copy (eql)
- stack_validation_failed: no_alerts - 0 alerts
❌ Creation or Modification of a new GPO Scheduled Task or Service (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ AWS IAM Login Profile Added for Root (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Azure Key Vault Excessive Secret or Key Retrieved (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Rare Azure Activity Logs Event Failures (-)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ AWS EC2 Full Network Packet Capture Detected (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential RemoteMonologue Attack (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Unusual AWS S3 Object Encryption with SSE-C (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
✅ Microsoft IIS Connection Strings Decryption (eql)
❌ Persistence via Folder Action Script (eql)
- stack_validation_failed: no_alerts - 0 alerts
❌ Privilege Escalation via GDB CAP_SYS_PTRACE (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Permission Theft - Detected - Elastic Endgame (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ AWS SSM SendCommand with Run Shell Command Parameters (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Suspicious Execution from VS Code Extension (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ GenAI Process Performing Encoding/Chunking Prior to Network Activity (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential JAVA/JNDI Exploitation Attempt (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Multiple Remote Management Tool Vendors on Same Host (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
✅ Suspicious Print Spooler File Deletion (eql)
❌ Unusual Base64 Encoding/Decoding Activity (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential Remote Desktop Shadowing Activity (eql)
- stack_validation_failed: no_alerts - 0 alerts
❌ GCP Virtual Private Cloud Network Deletion (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Pod or Container Creation with Suspicious Command-Line (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential Credential Access via Renamed COM+ Services DLL (eql)
- stack_validation_failed: no_alerts - 0 alerts
❌ Potential CVE-2025-41244 vmtoolsd LPE Exploitation Attempt (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
✅ Microsoft Build Engine Started by an Office Application (eql)
❌ CyberArk Privileged Access Security Recommended Monitor (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Initramfs Unpacking via unmkinitramfs (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Suspicious Kerberos Authentication Ticket Request (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ AWS IAM API Calls via Temporary Session Tokens (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Attempt to Modify an Okta Application (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Egress Connection from Entrypoint in Container (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID User Sign-in with Unusual Client (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Unusual Network Connection via DllHost (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Kubernetes Privileged Pod Created (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
✅ Unusual File Operation by dns.exe (kuery)
❌ Spike in Network Traffic To a Country (-)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Persistence via Docker Shortcut Modification (eql)
- stack_validation_failed: no_alerts - 0 alerts
❌ Virtual Machine Fingerprinting via Grep (eql)
- stack_validation_failed: no_alerts - 0 alerts
❌ Parent Process PID Spoofing (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
✅ Suspicious Startup Shell Folder Modification (eql)
❌ Entra ID OAuth Authorization Code Grant for Unusual User, App, and Resource (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Exchange MFA Notification Email Deleted or Moved (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential Remote Install via MsiExec (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Polkit Version Discovery (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Exchange Malware Filter Rule Modified (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID User Reported Suspicious Activity (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Abnormal Process ID or Lock File Created (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Google Workspace MFA Enforcement Disabled (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Attempt to Enable the Root Account (eql)
- stack_validation_failed: no_alerts - 0 alerts
❌ Multiple Device Token Hashes for Single Okta Session (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Google Workspace User Organizational Unit Changed (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ GCP Pub/Sub Subscription Deletion (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Attempt to Deactivate an Okta Policy Rule (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Modification or Removal of an Okta Application Sign-On Policy (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Suspicious Interpreter Execution Detected via Defend for Containers (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Anomalous Linux Compiler Activity (-)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Downloaded URL Files (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ MFA Deactivation with no Re-Activation for Okta User Account (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Okta User Session Impersonation (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential PowerShell HackTool Script by Function Names (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Shadow File Modification by Unusual Process (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Unusual City for an Azure Activity Logs Event (-)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ GRUB Configuration File Creation (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
✅ New ActiveSyncAllowedDeviceID Added via PowerShell (eql)
❌ Kubernetes Service Account Secret Access (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Cobalt Strike Command and Control Beacon (lucene)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Domain Added to Google Workspace Trusted Domains (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Trap Signals Execution (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
✅ Execution from Unusual Directory - Command Line (eql)
❌ Namespace Manipulation Using Unshare (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Cloud Credential Search Detected via Defend for Containers (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
✅ Symbolic Link to Shadow Copy Created (eql)
❌ Entra ID ADRS Token Request by Microsoft Authentication Broker (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Expired or Revoked Driver Loaded (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ System Binary Symlink to Suspicious Location (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ AWS EC2 Instance Console Login via Assumed Role (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Curl or Wget Egress Network Connection via LoLBin (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Privileged Container Creation with Host Directory Mount (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential Microsoft Office Sandbox Evasion (eql)
- stack_validation_failed: no_alerts - 0 alerts
❌ Unusual Region Name for Windows Privileged Operations Detected (-)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
✅ Disabling User Account Control via Registry Modification (eql)
✅ Clearing Windows Event Logs (eql)
❌ Remote Windows Service Installed (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential PowerShell Obfuscation via Backtick-Escaped Variable Expansion (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Shell Execution via Apple Scripting (eql)
- stack_validation_failed: no_alerts - 0 alerts
❌ AWS S3 Bucket Replicated to Another Account (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Attempt to Delete an Okta Application (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Unusual Source IP for a User to Logon from (-)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
✅ Linux init (PID 1) Secret Dump via GDB (eql)
❌ Kernel Module Load from Unusual Location (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Privilege Escalation via CAP_CHOWN/CAP_FOWNER Capabilities (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Privilege Escalation via Windir Environment Variable (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Attempt to Delete an Okta Policy Rule (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
✅ Service Command Lateral Movement (eql)
❌ Unusual DPKG Execution (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ AWS CloudWatch Log Stream Deletion (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ GCP Pub/Sub Subscription Creation (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Exchange Anti-Phish Policy Deleted (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential Protocol Tunneling via Cloudflared (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
✅ Modification of WDigest Security Provider (eql)
❌ M365 Exchange Malware Filter Policy Deleted (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Suspicious Memory grep Activity (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
✅ SystemKey Access via Command Line (eql)
❌ Interactive Terminal Spawned via Python (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Python Site or User Customize File Creation (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Suspicious Apple Mail Rule Plist Modification (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Spike in Logon Events (-)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ SMTP on Port 26/TCP (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential Machine Account Relay Attack via SMB (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Untrusted Driver Loaded (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential REMCOS Trojan Execution (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Ollama API Accessed from External Network (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ AWS IAM Deactivation of MFA Device (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
✅ Volume Shadow Copy Deletion via PowerShell (eql)
❌ Curl or Wget Spawned via Node.js (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Suspicious Echo or Printf Execution Detected via Defend for Containers (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Sensitive Files Compression Inside A Container (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Suspicious Windows Command Shell Arguments (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ PANW and Elastic Defend - Command and Control Correlation (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Machine Learning Detected a DNS Request With a High DGA Probability Score (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Azure Service Principal Sign-In Followed by Arc Cluster Credential Access (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Github Activity on a Private Repository from an Unusual IP (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID MFA Disabled for User (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Network-Level Authentication (NLA) Disabled (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Execution via Windows Subsystem for Linux (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Azure Service Principal Authentication from Multiple Countries (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Suspicious Content Extracted or Decompressed via Funzip (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Git Hook Command Execution (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential Hidden Process via Mount Hidepid (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Dracut Module Creation (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Suspicious Execution from INET Cache (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Unusual Country For a GCP Event (-)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Attempt to Install Kali Linux via WSL (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Network Connections Initiated Through XDG Autostart Entry (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Docker Socket Enumeration (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ AWS IAM AdministratorAccess Policy Attached to Role (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ File Creation in /var/log via Suspicious Process (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Base16 or Base32 Encoding/Decoding Activity (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ AWS EC2 Export Task (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Tampering with RUNNER_TRACKING_ID in GitHub Actions Runners (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ First Time Seen Driver Loaded (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Azure Automation Account Created (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Dynamic Linker Copy (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ AWS IAM AdministratorAccess Policy Attached to Group (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential privilege escalation via CVE-2022-38028 (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Delayed Execution via Ping (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Attempts to Brute Force an Okta User Account (kuery)
- stack_validation_failed: no_alerts - 0 alerts
❌ Potentially Suspicious Process Started via tmux or screen (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Azure Event Hub Deleted (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ AWS EC2 Route Table Created (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Connection to External Network via Telnet (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Suspicious Mining Process Creation Event (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Spike in Successful Logon Events from a Source IP (-)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Full Disk Access Permission Check (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Suspicious .NET Reflection via PowerShell (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Suspicious pbpaste High Volume Activity (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ AWS Management Console Root Login (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Windows Subsystem for Linux Enabled via Dism Utility (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
✅ Suspicious Process Execution via Renamed PsExec Executable (eql)
❌ Potential Data Splitting Detected (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
✅ Process Activity via Compiled HTML File (eql)
❌ FortiGate SSO Login Followed by Administrator Account Creation (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Concurrent Sign-in with Suspicious Properties (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ AWS Route 53 Private Hosted Zone Associated With a VPC (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ KDE AutoStart Script or Desktop File Creation (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Attempt to Modify an Okta Network Zone (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Service Creation via Local Kerberos Authentication (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ AWS IAM Virtual MFA Device Registration Attempt with Session Token (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Kerberos Pre-authentication Disabled for User (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Network Activity to a Suspicious Top Level Domain (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ MFA Disabled for Google Workspace Organization (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ GitHub Authentication Token Access via Node.js (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Authorization Plugin Modification (eql)
- stack_validation_failed: no_alerts - 0 alerts
❌ Possible Okta DoS Attack (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Screensaver Plist File Modified by Unexpected Process (eql)
- stack_validation_failed: no_alerts - 0 alerts
❌ Default Cobalt Strike Team Server Certificate (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
✅ Execution of Persistent Suspicious Program (eql)
❌ Potential Windows Session Hijacking via CcmExec (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Unusual Execution via Microsoft Common Console File (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential Linux Credential Dumping via Unshadow (eql)
- stack_validation_failed: no_alerts - 0 alerts
❌ AWS EC2 Route Table Modified or Deleted (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Suspicious Outbound Network Connection via Unsigned Binary (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential Protocol Tunneling via Yuze (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Network Connection by Cups or Foomatic-rip Child (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Service Control Spawned via Script Interpreter (eql)
- stack_validation_failed: no_alerts - 0 alerts
❌ Microsoft Graph Request Email Access by Unusual User and Client (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Host File System Changes via Windows Subsystem for Linux (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ GitHub Actions Workflow Modification Blocked (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ AWS S3 Bucket Policy Added to Share with External Account (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ AWS DynamoDB Table Exported to S3 (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Suspicious System Commands Executed by Previously Unknown Executable (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential PowerShell Obfuscation via String Reordering (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ High Number of Okta User Password Reset or Unlock Attempts (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Spike in Bytes Sent to an External Device via Airdrop (-)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
✅ Unusual Executable File Creation by a System Critical Process (eql)
❌ Potential LSA Authentication Package Abuse (eql)
- stack_validation_failed: no_alerts - 0 alerts
❌ Spike in Remote File Transfers (-)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ AWS EC2 Serial Console Access Enabled (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Unusual Process Spawned by a Parent Process (-)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ AWS IAM Principal Enumeration via UpdateAssumeRolePolicy (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Spike in Firewall Denies (-)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Suspicious APT Package Manager Network Connection (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Telnet Authentication Bypass via User Environment Variable (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Curl SOCKS Proxy Detected via Defend for Containers (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
✅ Mimikatz Memssp Log File Detected (eql)
✅ IIS HTTP Logging Disabled (eql)
❌ File Execution Permission Modification Detected via Defend for Containers (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Kubernetes Forbidden Creation Request (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Unusual Instance Metadata Service (IMDS) API Request (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Unusual Remote File Creation (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Global Administrator Role Assigned (PIM User) (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Attempt to Deactivate an Okta Application (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ ImageLoad via Windows Update Auto Update Client (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Okta FastPass Phishing Detection (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Suspicious Execution from a WebDav Share (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential Privacy Control Bypass via TCCDB Modification (eql)
- stack_validation_failed: no_alerts - 0 alerts
❌ Kubectl Apply Pod from URL (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ BPF filter applied using TC (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
✅ Potential Linux Credential Dumping via Proc Filesystem (eql)
❌ Potential Linux Tunneling and/or Port Forwarding via SSH Option (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Whoami Process Activity (eql)
- stack_validation_failed: no_alerts - 0 alerts
❌ Potential Data Exfiltration Activity to an Unusual Destination Port (-)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Suspicious HTML File Creation (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Okta User Assigned Administrator Role (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Quarantine Attrib Removed by Unsigned or Untrusted Process (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Azure Diagnostic Settings Alert Suppression Rule Created or Modified (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ dMSA Account Creation by an Unusual User (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
✅ Execution with Explicit Credentials via Scripting (eql)
❌ Suspicious Child Execution via Web Server (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Process Capability Set via setcap Utility (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Manual Loading of a Suspicious Chromium Extension (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ AWS RDS DB Instance or Cluster Password Modified (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Unusual City For a GCP Event (-)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Modification of Persistence Relevant Files Detected via Defend for Containers (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Creation of Hidden Login Item via Apple Script (eql)
- stack_validation_failed: no_alerts - 0 alerts
❌ Potential OpenSSH Backdoor Logging Activity (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Kubernetes Service Account Modified RBAC Objects (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Google Workspace Object Copied to External Drive with App Consent (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Machine Learning Detected a DNS Request Predicted to be a DGA Domain (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ WMI Incoming Lateral Movement (eql)
- stack_validation_failed: no_alerts - 0 alerts
❌ Deprecated - Sudo Heap-Based Buffer Overflow Attempt (kuery)
- stack_validation_failed: no_alerts - 0 alerts
❌ Suspicious Network Connection via systemd (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential PowerShell Obfuscation via Reverse Keywords (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Kill Command Execution (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Web Server Potential Command Injection Request (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Remote Desktop File Opened from Suspicious Path (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Pluggable Authentication Module or Configuration Creation (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ OpenSSL Password Hash Generation (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ DPKG Package Installed by Unusual Parent Process (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Suspicious Data Encryption via OpenSSL Utility (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
✅ Windows Script Executing PowerShell (eql)
❌ Rare SMB Connection to the Internet (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Kubelet Pod Discovery Detected via Defend for Containers (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Setcap setuid/setgid Capability Set (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Parent Process Detected with Suspicious Windows Process(es) (-)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Masquerading Space After Filename (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ AWS RDS DB Instance or Cluster Deletion Protection Disabled (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Environment Variable Enumeration Detected via Defend for Containers (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ SoftwareUpdate Preferences Modification (eql)
- stack_validation_failed: no_alerts - 0 alerts
❌ AWS IAM Customer-Managed Policy Attached to Role by Rare User (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential PowerShell Obfuscation via String Concatenation (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential Kerberos Coercion via DNS-Based SPN Spoofing (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Service Principal Credentials Created by Unusual User (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ SSH Authorized Key File Activity Detected via Defend for Containers (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Service Account Namespace Read Detected via Defend for Containers (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential Privilege Escalation via Linux DAC permissions (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential SAP NetWeaver WebShell Creation (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ AWS CLI with Kali Linux Fingerprint Identified (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft Exchange Worker Spawning Suspicious Processes (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Printer User (lp) Shell Execution (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential Active Directory Replication Account Backdoor (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Untrusted DLL Loaded by Azure AD Sync Service (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential Secret Scanning via Gitleaks (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Browser Extension Install (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Suspicious Activity Reported by Okta User (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential PowerShell Obfuscation via High Numeric Character Proportion (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Remote File Copy to a Hidden Share (eql)
- stack_validation_failed: no_alerts - 0 alerts
❌ Potential Reverse Shell via Suspicious Binary (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ High Number of Cloned GitHub Repos From PAT (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Okta Multiple OS Names Detected for a Single DT Hash (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Kernel Instrumentation Discovery via kprobes and tracefs (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Unusual Group Name Accessed by a User (-)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Dylib Injection via Process Environment Variables (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential Fake CAPTCHA Phishing Attack (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Unusual Source IP for Okta Privileged Operations Detected (-)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Process Started with Executable Stack (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Proxy Execution via Console Window Host (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Identity OAuth Flow by User Sign-in to Device Registration (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ User or Group Creation/Modification (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Kubernetes Creation of a RoleBinding Referencing a ServiceAccount (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ GitHub App Deleted (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
✅ Potential Application Shimming via Sdbinst (eql)
✅ Suspicious CertUtil Commands (eql)
❌ Svchost spawning Cmd (kuery)
- stack_validation_failed: no_alerts - 0 alerts
❌ PowerShell Kerberos Ticket Dump (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
✅ Microsoft Windows Defender Tampering (eql)
❌ Spike in host-based traffic (-)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential DGA Activity (-)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Cron Job Created or Modified (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Suspicious JavaScript Execution via Deno (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Exchange Mail Flow Transport Rule Created (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ GCP Firewall Rule Deletion (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential Sudo Token Manipulation via Process Injection (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Suspicious TCC Access Granted for User Folders (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta

Mikaayenson added 3 commits March 23, 2026 16:56

update tag & tacit unit test

12fe443

add updated rules with tags/mitre mappings

856a23b

add updated rules_building_block with tags/mitre mappings

b2952ba

Mikaayenson requested review from Aegrah, DefSecSentinel, Samirbous, imays11, shashank-elastic, terrancedejesus and w0rk3r March 23, 2026 22:00

Mikaayenson self-assigned this Mar 23, 2026

Mikaayenson requested a review from eric-forte-elastic as a code owner March 23, 2026 22:00

Mikaayenson added enhancement New feature or request Rule: Tuning tweaking or tuning an existing rule test-suite unit and other testing components Security Content labels Mar 23, 2026

botelastic bot added Domain: Cloud Integration: AWS AWS related rules Integration: Azure azure related rules Integration: CyberArkPas CyberArkPas integration Integration: GCP GCP related rules ML machine learning related rule labels Mar 23, 2026

github-actions bot added the backport: auto label Mar 23, 2026

github-actions bot deployed to docs-preview March 23, 2026 22:01 View deployment

imays11 reviewed Mar 23, 2026

View reviewed changes

rules/integrations/aws/collection_cloudtrail_logging_created.toml Show resolved Hide resolved

rules/integrations/aws/credential_access_iam_user_addition_to_group.toml Show resolved Hide resolved

rules/integrations/aws/defense_evasion_rds_instance_restored.toml Show resolved Hide resolved

Merge branch 'main' into update_mitre_mappings_and_tags

bf730ad

github-actions bot deployed to docs-preview March 24, 2026 09:14 View deployment

Aegrah reviewed Mar 24, 2026

View reviewed changes

rules/cross-platform/execution_potential_widespread_malware_infection.toml Outdated Show resolved Hide resolved

Aegrah reviewed Mar 24, 2026

View reviewed changes

__

9ae86ae

github-actions bot had a problem deploying to docs-preview March 24, 2026 09:41 Failure

++

bf5b158

github-actions bot deployed to docs-preview March 24, 2026 09:42 View deployment

++

e83ddf1

github-actions bot deployed to docs-preview March 24, 2026 09:50 View deployment

Aegrah added 2 commits March 24, 2026 11:15

Revert "__"

cb16aee

This reverts commit 9ae86ae.

Revert "++"

0b7ddfa

This reverts commit e83ddf1.

github-actions bot deployed to docs-preview March 24, 2026 10:16 View deployment

reset rules to main

0042eb1

github-actions bot deployed to docs-preview March 24, 2026 17:34 View deployment

Mikaayenson added 2 commits March 24, 2026 13:46

remove renamed files

c1f5d0c

add supplemental mitre mappings

df65055

botelastic bot added the Integration: Google Workspace label Mar 24, 2026

Conversation

Mikaayenson commented Mar 23, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Pull Request

Summary - What I changed

How To Test

Checklist

Uh oh!

github-actions bot commented Mar 23, 2026

Enhancement - Guidelines

Documentation and Context

Code Standards and Practices

Testing

Additional Checks

Uh oh!

github-actions bot commented Mar 23, 2026

Enhancement - Guidelines

Documentation and Context

Code Standards and Practices

Testing

Additional Checks

Uh oh!

imays11 left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

tradebot-elastic commented Mar 24, 2026

Uh oh!

Uh oh!

Aegrah Mar 24, 2026

Choose a reason for hiding this comment

Uh oh!

tradebot-elastic commented Mar 24, 2026

Uh oh!

tradebot-elastic commented Mar 24, 2026

Uh oh!

tradebot-elastic commented Mar 24, 2026

Uh oh!

tradebot-elastic commented Mar 24, 2026

Uh oh!

tradebot-elastic commented Mar 24, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

tradebot-elastic commented Mar 24, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

Mikaayenson commented Mar 23, 2026 •

edited

Loading

tradebot-elastic commented Mar 24, 2026 •

edited

Loading

tradebot-elastic commented Mar 24, 2026 •

edited

Loading