- SIEM Guide:
- Overview
- Get up and running
- SIEM UI
- Anomaly Detection with Machine Learning
- Detections (Beta)
- Managing signal detection rules
- Detections API
- Prebuilt rule reference
- Adding Hidden File Attribute via Attrib
- Adobe Hijack Persistence
- Adversary Behavior - Detected - Elastic Endpoint
- Clearing Windows Event Logs
- Command Prompt Network Connection
- Credential Dumping - Detected - Elastic Endpoint
- Credential Dumping - Prevented - Elastic Endpoint
- Credential Manipulation - Detected - Elastic Endpoint
- Credential Manipulation - Prevented - Elastic Endpoint
- DNS Activity to the Internet
- Delete Volume USN Journal with Fsutil
- Deleting Backup Catalogs with Wbadmin
- Direct Outbound SMB Connection
- Disable Windows Firewall Rules via Netsh
- Encoding or Decoding Files via CertUtil
- Execution via Signed Binary
- Exploit - Detected - Elastic Endpoint
- Exploit - Prevented - Elastic Endpoint
- FTP (File Transfer Protocol) Activity to the Internet
- Hping Process Activity
- IPSEC NAT Traversal Port Activity
- IRC (Internet Relay Chat) Protocol Activity to the Internet
- Local Scheduled Task Commands
- Local Service Commands
- Malware - Detected - Elastic Endpoint
- Malware - Prevented - Elastic Endpoint
- Mknod Process Activity
- MsBuild Making Network Connections
- Netcat Network Activity
- Network Connection via Compiled HTML File
- Network Connection via Mshta
- Network Connection via Regsvr
- Network Connection via Signed Binary
- Network Sniffing via Tcpdump
- Nmap Process Activity
- Nping Process Activity
- PPTP (Point to Point Tunneling Protocol) Activity
- Permission Theft - Detected - Elastic Endpoint
- Permission Theft - Prevented - Elastic Endpoint
- Persistence via Kernel Module Modification
- Potential Application Shimming via Sdbinst
- Potential DNS Tunneling via Iodine
- Potential Evasion via Filter Manager
- Potential Modification of Accessibility Binaries
- Potential Shell via Web Server
- PowerShell spawning Cmd
- Process Activity via Compiled HTML File
- Process Discovery via Tasklist
- Process Injection - Detected - Elastic Endpoint
- Process Injection - Prevented - Elastic Endpoint
- Proxy Port Activity to the Internet
- PsExec Network Connection
- RDP (Remote Desktop Protocol) from the Internet
- RDP (Remote Desktop Protocol) to the Internet
- RPC (Remote Procedure Call) from the Internet
- RPC (Remote Procedure Call) to the Internet
- Ransomware - Detected - Elastic Endpoint
- Ransomware - Prevented - Elastic Endpoint
- SMB (Windows File Sharing) Activity to the Internet
- SMTP on Port 26/TCP
- SMTP to the Internet
- SQL Traffic to the Internet
- SSH (Secure Shell) from the Internet
- SSH (Secure Shell) to the Internet
- Socat Process Activity
- Strace Process Activity
- Suspicious MS Office Child Process
- Suspicious MS Outlook Child Process
- Suspicious Process spawning from Script Interpreter
- Suspicious Script Object Execution
- Svchost spawning cmd.exe
- System Shells via Services
- TCP Port 8000 Activity to the Internet
- Telnet Port Activity
- Tor Activity to the Internet
- Trusted Developer Application Usage
- Unusual Network Connection via RunDLL32
- Unusual Parent-Child Relationship
- Unusual Process Execution - Temp
- Unusual Process Network Connection
- User Account Creation
- User Discovery via Whoami
- VNC (Virtual Network Computing) from the Internet
- VNC (Virtual Network Computing) to the Internet
- Volume Shadow Copy Deletion via VssAdmin
- Volume Shadow Copy Deletion via WMIC
- Web Application Suspicious Activity: No User Agent
- Web Application Suspicious Activity: POST Request Declined
- Web Application Suspicious Activity: Unauthorized Method
- Web Application Suspicious Activity: sqlmap User Agent
- Whoami Process Activity
- Windows Script Executing PowerShell
- Tuning prebuilt detection rules
- Prebuilt rules version history
Prepackaged rules
The prepackaged endpoint is for retrieving rule statuses and loading Elastic prebuilt detection rules.
Load prepackaged rules
Loads and updates Elastic prebuilt rules.
By default, all loaded prebuilt rules are disabled.