Deprecated prebuilt detection rules

Deprecated - AWS EC2 Snapshot Activity
Deprecated - AWS EC2 VM Export Failure
Deprecated - AWS ElastiCache Security Group Created
Deprecated - AWS ElastiCache Security Group Modified or Deleted
Deprecated - AWS RDS Cluster Creation
Deprecated - AWS RDS Instance Creation
Deprecated - AWS RDS Instance/Cluster Stoppage
Deprecated - AWS RDS Security Group Creation
Deprecated - AWS RDS Security Group Deletion
Deprecated - AWS Redshift Cluster Creation
Deprecated - AWS Root Login Without MFA
Deprecated - Azure Entra Sign-in Brute Force Microsoft 365 Accounts by Repeat Source
Deprecated - Azure Virtual Network Device Modified or Deleted
Deprecated - Potential Password Spraying of Microsoft 365 User Accounts

Deprecated - SSH Connection Established Inside A Running Container
Deprecated - SSH Process Launched From Inside A Container
Deprecated - SSH Process Launched From Inside A Container via Elastic Defend

Deprecated - CAP_SYS_ADMIN Assigned to Binary
Deprecated - Creation of Kernel Module
Deprecated - Execution of File Written or Modified by PDF Reader
Deprecated - LaunchDaemon Creation or Modification and Immediate Loading
Deprecated - Modification of Standard Authentication Module or Configuration
Deprecated - Network Connection via Sudo Binary
Deprecated - Potential DNS Tunneling via Iodine
Deprecated - Potential Non-Standard Port HTTP/HTTPS connection
Deprecated - Potential Non-Standard Port SSH connection
Deprecated - Potential Privilege Escalation via UID INT_MAX Bug Detected
Deprecated - Potential Process Injection via LD_PRELOAD Environment Variable
Deprecated - Potential Protocol Tunneling via Chisel Server
Deprecated - Potential Pspy Process Monitoring Detected
Deprecated - Potential Reverse Shell via Suspicious Parent Process
Deprecated - Potential Successful Linux FTP Brute Force Attack Detected
Deprecated - Potential Successful Linux RDP Brute Force Attack Detected
Deprecated - Potential curl CVE-2023-38545 Exploitation
Deprecated - Process Termination followed by Deletion
Deprecated - Remote File Creation on a Sensitive Directory
Deprecated - Suspicious File Creation in /etc for Persistence
Deprecated - Suspicious JAVA Child Process
Deprecated - Suspicious Renaming of ESXI index.html File
Malicious Remote File Creation
Potential Linux Reverse Connection through Port Knocking
Potential Process Herpaderping Attempt
Potential SSH Brute Force Detected on Privileged Account
Reverse Shell Created via Named Pipe
Suspicious File Changes Activity Detected
Suspicious Network Connection Attempt by Root

AWS RDS Snapshot Export
Attempt to Disable IPTables or Firewall
Auditd Login Attempt at Forbidden Time
Auditd Login from Forbidden Location
Auditd Max Failed Login Attempts
Auditd Max Login Sessions
Base64 Encoding/Decoding Activity
DNS Activity to the Internet
Deprecated - Agent Spoofing - Mismatched Agent ID
Deprecated - Threat Intel Filebeat Module (v8.x) Indicator Match
Deprecated - Threat Intel Indicator Match
Execution via Regsvcs/Regasm
FTP (File Transfer Protocol) Activity to the Internet
File and Directory Discovery
GCP Kubernetes Rolebindings Created or Patched
Google Workspace User Group Access Modified to Allow External Access
Hex Encoding/Decoding Activity
IRC (Internet Relay Chat) Protocol Activity to the Internet
Linux Restricted Shell Breakout via apt/apt-get Changelog Escape
Linux Restricted Shell Breakout via awk Commands
Linux Restricted Shell Breakout via busybox Shell Evasion
Linux Restricted Shell Breakout via c89/c99 Shell evasion
Linux Restricted Shell Breakout via cpulimit Shell Evasion
Linux Restricted Shell Breakout via crash Shell evasion
Linux Restricted Shell Breakout via env Shell Evasion
Linux Restricted Shell Breakout via flock Shell evasion
Linux Restricted Shell Breakout via the SSH command
Linux Restricted Shell Breakout via the expect command
Linux Restricted Shell Breakout via the find command
Linux Restricted Shell Breakout via the gcc command
Linux Restricted Shell Breakout via the mysql command
Linux Restricted Shell Breakout via the vi command
Mknod Process Activity
Network Connection via Mshta
Network Sniffing via Tcpdump
Nmap Process Activity
PPTP (Point to Point Tunneling Protocol) Activity
Persistence via Kernel Module Modification
Potential Cross Site Scripting (XSS)
Potential Persistence via Cron Job
Potential PrintNightmare Exploit Registry Modification
Potential PrintNightmare File Modification
Potential Privilege Escalation via Local Kerberos Relay over LDAP
Potential Shell via Web Server
PowerShell spawning Cmd
Process Discovery via Tasklist
Proxy Port Activity to the Internet
Query Registry via reg.exe
RDP (Remote Desktop Protocol) to the Internet
SMTP to the Internet
SQL Traffic to the Internet
SSH (Secure Shell) from the Internet
SSH (Secure Shell) to the Internet
Setgid Bit Set via chmod
Socat Process Activity
Strace Process Activity
Suspicious Process from Conhost
TCP Port 8000 Activity to the Internet
Threat Intel Filebeat Module (v7.x) Indicator Match
Tor Activity to the Internet
Trusted Developer Application Usage
Unusual Process Execution - Temp
User Discovery via Whoami
Web Application Suspicious Activity: No User Agent
Whitespace Padding in Process Command Line