
MITRE ATT&CK v19.0.0 #6037

Draft
shashank-elastic wants to merge 4 commits into main from mitre_update_v19

Conversation

@shashank-elastic

@shashank-elastic shashank-elastic commented May 4, 2026

Pull Request

Issue link(s): #6035

Summary - What I changed

  • We have added a new CLI command attack migrate-retired-tactics so that MITRE enterprise tactic name changes (renames, splits, multi-phase techniques) are handled predictably.
  • Filenames only change when there is an explicit legacy tactic name in filename, no noisy blanket renames.

Changes details

File            Description
definitions.py  We have added secondary matrix preferences per TAxxxx, legacy filename stems to rewrite.
attack.py       Tactic assignment, rebuild from technique IDs, priority tactic list for row order.
devtools.py     Remap unknown tactic names, tag cleanup, filename rules, sort for persisted [[rule.threat]].

Principles used

  • ID before name: If tactic.id is still valid in the bundle, prefer that column’s current display name for a technique when MITRE ATT&CK data still lists it there (avoids “lowest TA” stealing rows meant for TA0005→Stealth).
  • Split rows by technique: If one row can’t be a single rename, rebuild from technique IDs with row context + optional secondaries from definitions.
  • Don’t invent filenames: Only swap known legacy basename prefixes (e.g. defense_evasion_); do not prepend stealth_ to every discovery_ / execution_ / privilege_escalation_ file.
  • Row order for threat[0]: Persist sort puts tactics from migration priority (derived from ATTACK_TACTIC_MIGRATION_SECONDARY_MATRIX_PREFERENCES + bundle primary names) ahead of plain alphabetical order—so when renaming is tied to threat[0], it stays the same.

Conceptual flow

  • Known tactic name (matches bundled MITRE ATT&CK data): row unchanged unless technique redirects / name drift triggers rebuild.
  • Unknown tactic name (retired label e.g. “Defense Evasion”, typo):
    • No techniques: If tactic.id maps to a live TA → tactic-only row with current display name (e.g. Stealth for TA0005).
    • All techniques still under one current column for that tactic.id: Rename-only (same row shape, new tactic name/URLs).
    • Otherwise: Rebuild from technique IDs:
      -- Prefer matrix bucket matching tactic.id when that technique still lists under it.
      -- Else apply secondary tactic names from definitions for that TA (e.g. Defense Impairment for TA0005).
      -- Else lowest TAxxxx among MITRE ATT&CK data candidates.
  • Tags: strip Tactic: {old} for each remapped old display name from the log; add tags for new tactic names introduced.

How filename changes are handled

  • Only if the stem starts with a prefix from ATTACK_TACTIC_MIGRATION_FILENAME_LEGACY_STEM_PREFIXES (currently defense_evasion_): replace that prefix with threat[0] slug (after migration sort).
  • Otherwise: no automatic rename (avoids stealth_discovery_, persistence_privilege_escalation_, etc.).

How To Test

  • Unit Test to pass
  • migrate-retired-tactics dry-run: migrate-retired-tactics-dryrun.txt
  • migrate-retired-tactics: migrate-retired-tactics.txt

update-rules after migrate is the usual “second sweep” so nothing is left half-updated.

Try 1

python -m detection_rules dev attack update-rules
Loaded config file: /Users/shashankks/elastic_workspace/detection-rules/.detection-rules-cfg.json

█▀▀▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄   ▄      █▀▀▄ ▄  ▄ ▄   ▄▄▄ ▄▄▄
█  █ █▄▄  █  █▄▄ █    █   █  █ █ █▀▄ █      █▄▄▀ █  █ █   █▄▄ █▄▄
█▄▄▀ █▄▄  █  █▄▄ █▄▄  █  ▄█▄ █▄█ █ ▀▄█      █ ▀▄ █▄▄█ █▄▄ █▄▄ ▄▄█

'Creation of a DNS-Named Record' requires update - technique name change for tactic 'Credential Access'
'Potential Computer Account NTLM Relay Activity' requires update - technique name change for tactic 'Credential Access'
'Potential Kerberos Relay Attack against a Computer Account' requires update - technique name change for tactic 'Credential Access'
'Potential NTLM Relay Attack against a Computer Account' requires update - technique name change for tactic 'Credential Access'
'Potential Kerberos Coercion via DNS-Based SPN Spoofing' requires update - technique name change for tactic 'Credential Access'
'Potential Kerberos SPN Spoofing via Suspicious DNS Query' requires update - technique name change for tactic 'Credential Access'
'Potential Machine Account Relay Attack via SMB' requires update - technique name change for tactic 'Credential Access'
'Potential PowerShell Pass-the-Hash/Relay Script' requires update - technique name change for tactic 'Credential Access'

When sub-technique LLMNR/NBT-NS Poisoning and SMB Relay was renamed to Name Resolution Poisoning and SMB Relay

Try 2

python -m detection_rules dev attack update-rules
Loaded config file: /Users/shashankks/elastic_workspace/detection-rules/.detection-rules-cfg.json

█▀▀▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄   ▄      █▀▀▄ ▄  ▄ ▄   ▄▄▄ ▄▄▄
█  █ █▄▄  █  █▄▄ █    █   █  █ █ █▀▄ █      █▄▄▀ █  █ █   █▄▄ █▄▄
█▄▄▀ █▄▄  █  █▄▄ █▄▄  █  ▄█▄ █▄█ █ ▀▄█      █ ▀▄ █▄▄█ █▄▄ █▄▄ ▄▄█

No rule changes needed

Checklist

  • Added a label for the type of pr: bug, enhancement, schema, maintenance, Rule: New, Rule: Deprecation, Rule: Tuning, Hunt: New, or Hunt: Tuning so guidelines can be generated
  • Added the meta:rapid-merge label if planning to merge within 24 hours
  • Secret and sensitive material has been managed correctly
  • Automated testing was updated or added to match the most common scenarios
  • Documentation and comments were added for features that require explanation

Contributor checklist
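As an added worked example (not code from this PR or from the detection-rules project), the following Python models the conceptual flow and the filename rule described in the PR against a constructed bundle: known name unchanged, tactic-only rename, rename-only, rebuild from technique IDs with the ID-before-name / secondary-preference / lowest-TA order, migration-priority row sort, tag cleanup, and the legacy-prefix-only filename swap. TA0005 → Stealth and the Defense Impairment secondary are taken from the PR text; the TA9901 id, the T99xx technique ids, and all function and constant names are assumptions.

```python
"""Added worked example (not the detection-rules project's own code).
All data is constructed: TA0005 -> "Stealth" and the "Defense Impairment"
secondary come from the PR text; TA9901 and the T99xx technique ids are
placeholders."""
from dataclasses import dataclass, field

# Constructed bundle: live tactic ids -> current display names.
BUNDLE_TACTICS = {
    "TA0005": "Stealth",
    "TA0006": "Credential Access",
    "TA0007": "Discovery",
    "TA9901": "Defense Impairment",  # placeholder id for the split-off tactic
}
# Constructed bundle: technique id -> tactic ids it is currently listed under.
BUNDLE_TECHNIQUES = {
    "T9001": {"TA0005"},            # still under Stealth
    "T9002": {"TA9901"},            # moved to Defense Impairment
    "T9003": {"TA0005", "TA0007"},  # multi-phase: Stealth and Discovery
    "T9004": {"TA0007"},            # Discovery only
}
# Stand-ins for the PR's ATTACK_TACTIC_MIGRATION_* definitions.
SECONDARY_PREFS = {"TA0005": ["Defense Impairment"]}
LEGACY_STEM_PREFIXES = ("defense_evasion_",)
NAME_TO_ID = {name: tid for tid, name in BUNDLE_TACTICS.items()}


@dataclass
class ThreatRow:
    tactic_id: str
    tactic_name: str
    techniques: list[str] = field(default_factory=list)


def slug(name: str) -> str:
    return name.lower().replace(" ", "_")


def choose_bucket(tactic_id: str, candidates: set[str]) -> str:
    """ID before name: keep the row's TA if the technique still lists it,
    then try the secondary preferences for that TA, then the lowest TA id."""
    if not candidates or tactic_id in candidates:
        return tactic_id  # an unknown technique stays where it was (assumption)
    for name in SECONDARY_PREFS.get(tactic_id, []):
        tid = NAME_TO_ID.get(name)
        if tid in candidates:
            return tid
    return min(candidates)


def migrate_row(row: ThreatRow) -> list[ThreatRow]:
    """Return the row(s) that replace `row` after migration."""
    if row.tactic_name in NAME_TO_ID:
        return [row]  # known name: unchanged (technique redirects not modelled)
    live_name = BUNDLE_TACTICS.get(row.tactic_id)
    if live_name is None:
        return [row]  # retired TA id with no live target: leave for a human
    if not row.techniques:
        return [ThreatRow(row.tactic_id, live_name)]  # tactic-only rename
    if all(row.tactic_id in BUNDLE_TECHNIQUES.get(t, set()) for t in row.techniques):
        return [ThreatRow(row.tactic_id, live_name, list(row.techniques))]  # rename-only
    buckets: dict[str, list[str]] = {}  # rebuild from technique ids
    for t in row.techniques:
        tid = choose_bucket(row.tactic_id, BUNDLE_TECHNIQUES.get(t, set()))
        buckets.setdefault(tid, []).append(t)
    # Migration priority (primary name, then secondaries) ahead of alphabetical order.
    priority = [live_name] + SECONDARY_PREFS.get(row.tactic_id, [])

    def order(tid: str) -> tuple[int, str]:
        name = BUNDLE_TACTICS[tid]
        return (priority.index(name) if name in priority else len(priority), name)

    return [ThreatRow(tid, BUNDLE_TACTICS[tid], buckets[tid]) for tid in sorted(buckets, key=order)]


def migrate_tags(tags: list[str], old_name: str, rows: list[ThreatRow]) -> list[str]:
    """Strip the retired 'Tactic: {old}' tag, then add a tag per new tactic name."""
    kept = [t for t in tags if t != f"Tactic: {old_name}"]
    for r in rows:
        if f"Tactic: {r.tactic_name}" not in kept:
            kept.append(f"Tactic: {r.tactic_name}")
    return kept


def migrate_filename(filename: str, threat0_name: str) -> str:
    """Swap only a known legacy stem prefix for the threat[0] slug; never prepend."""
    for prefix in LEGACY_STEM_PREFIXES:
        if filename.startswith(prefix):
            return slug(threat0_name) + "_" + filename[len(prefix):]
    return filename


if __name__ == "__main__":
    rows = migrate_row(ThreatRow("TA0005", "Defense Evasion", ["T9001", "T9002", "T9003"]))
    print(rows)
    print(migrate_tags(["OS: Windows", "Tactic: Defense Evasion"], "Defense Evasion", rows))
    print(migrate_filename("defense_evasion_example.toml", rows[0].tactic_name))
    print(migrate_filename("discovery_example.toml", rows[0].tactic_name))
```

Running it splits the retired "Defense Evasion" row into a Stealth row holding T9001 and T9003 (T9003 stays under TA0005 because the technique still lists that id, so the lowest-TA fallback never gets a chance to pull it into Discovery) and a Defense Impairment row holding T9002; only the defense_evasion_ file gets its prefix swapped, the discovery_ file is left alone.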

@shashank-elastic shashank-elastic self-assigned this May 4, 2026
@shashank-elastic shashank-elastic added the enhancement New feature or request label May 4, 2026
@botelastic botelastic Bot added python Internal python for the repository schema labels May 4, 2026
@github-actions

github-actions Bot commented May 4, 2026

Enhancement - Guidelines

These guidelines serve as a reminder of the considerations to address when adding a feature to the code.

Documentation and Context

  • Describe the feature enhancement in detail (alternative solutions, description of the solution, etc.) if not already documented in an issue.
  • Include additional context or screenshots.
  • Ensure the enhancement includes necessary updates to the documentation and versioning.

Code Standards and Practices

  • Code follows established design patterns within the repo and avoids duplication.
  • Ensure that the code is modular and reusable where applicable.

Testing

  • New unit tests have been added to cover the enhancement.
  • Existing unit tests have been updated to reflect the changes.
  • Provide evidence of testing and validating the enhancement (e.g., test logs, screenshots).
  • Validate that any rules affected by the enhancement are correctly updated.
  • Ensure that performance is not negatively impacted by the changes.
  • Verify that any release artifacts are properly generated and tested.
  • Conducted system testing, including fleet, import, and create APIs (e.g., run make test-cli, make test-remote-cli, make test-hunting-cli)

Additional Checks

  • Verify that the enhancement works across all relevant environments (e.g., different OS versions).
  • Confirm that the proper version label is applied to the PR: patch, minor, major.

@tradebot-elastic

tradebot-elastic commented May 4, 2026

⛔️ Test failed

Results
  • ❌ Attempt to Modify an Okta Policy Rule (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Potential Credential Access via Windows Utilities (eql)
  • ❌ System Binary Path File Permission Modification (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Memory Threat - Detected - Elastic Defend (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AppArmor Policy Violation Detected (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Arc Cluster Credential Access by Identity from Unusual Source (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Exchange Email Safe Attachment Rule Disabled (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ High Number of Process and/or Service Terminations (kuery)
  • ❌ Suspicious Dynamic Linker Discovery via od (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Multi-Base64 Decoding Attempt from Suspicious Location (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Escalation via Vulnerable MSI Repair (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Suspicious Microsoft Antimalware Service Execution (eql)
  • ❌ System Path File Creation and Execution Detected via Defend for Containers (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Conhost Spawned By Suspicious Parent Process (eql)
  • ❌ Tainted Kernel Module Load (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Dynamic Linker (ld.so) Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Potential Evasion via Filter Manager (eql)
  • ❌ Memory Threat - Prevented- Elastic Defend (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Remote Desktop Enabled in Windows Firewall by Netsh (eql)
  • ❌ GitHub Protected Branch Settings Changed (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Local Account TokenFilter Policy Disabled (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential PowerShell Obfuscation via Concatenated Dynamic Command Invocation (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Hidden Child Process of Launchd (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Node.js Pre or Post-Install Script Execution (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Clear Logs via Journalctl (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Creation of Hidden Launch Agent or Daemon (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ File Creation, Execution and Self-Deletion in Suspicious Directory (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure VNet Firewall Front Door WAF Policy Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Yum Package Manager Plugin File Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Processes with Trailing Spaces (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Hex Payload Execution via Common Utility (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ High Command Line Entropy Detected for Privileged Commands (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID OAuth User Impersonation to Microsoft Graph (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS Access Token Used from Multiple Addresses (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Persistence via Mandatory User Profile (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ MsBuild Making Network Connections (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Sensitive Audit Policy Sub-Category Disabled (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Polkit Policy Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Decoded Payload Piped to Interpreter Detected via Defend for Containers (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Potential DLL Side-Loading via Trusted Microsoft Programs (eql)
  • ❌ UAC Bypass via Windows Firewall Snap-In Hijack (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS Route 53 Domain Transfer Lock Disabled (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ User Detected with Suspicious Windows Process(es) (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Machine Learning Detected a Suspicious Windows Event with a Low Malicious Probability Score (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Office Test Registry Persistence (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID OAuth Phishing via First-Party Microsoft Application (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS Lambda Function Policy Updated to Allow Public Invocation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious SIP Check by macOS Application (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Timestomp in Executable Files (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Kerberos Attack via Bifrost (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Component Object Model Hijacking (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Persistence via a Windows Installer (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Powershell Script (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Renamed Utility Executed with Short Program Name (eql)
  • ❌ Script Execution via Microsoft HTML Application (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GCP Logging Sink Modification (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Persistence via File Modification (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kernel Object File Creation (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Rare AWS Error Code (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Execution of COM object via Xwizard (eql)
  • ❌ AWS CloudTrail Log Suspended (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Windows Server Update Service Spawning Suspicious Processes (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ BPF Program Tampering via bpftool (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Domain Federation Configuration Change (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Hex Payload Execution via Command-Line (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential CVE-2025-32463 Sudo Chroot Execution Attempt (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ PowerShell Script with Encryption/Decryption Capabilities (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Ingress Tool Transfer Followed by Execution and Deletion Detected via Defend for Containers (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ UAC Bypass via DiskCleanup Scheduled Task Hijack (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Creation of a DNS-Named Record (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Sudo Activity (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Antimalware Scan Interface Bypass via PowerShell (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ File Creation in World-Writable Directory by Unusual Process (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ High Number of Egress Network Connections from Unusual Executable (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Network Activity from a Windows System Binary (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ✅ Suspicious .NET Code Compilation (eql)
  • ❌ Executable Masquerading as Kernel Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Creation or Modification of Root Certificate (eql)
  • ❌ Werfault ReflectDebugger Persistence (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ First Time Seen Google Workspace OAuth Login from Third-Party Application (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GitHub Secret Scanning Disabled (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Full User-Mode Dumps Enabled System-Wide (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Encoded Payload Detected via Defend for Containers (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS S3 Bucket Configuration Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GCP Storage Bucket Permissions Modification (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kernel Module Load via Built-in Utility (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Kubectl Masquerading via Unexpected Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unknown Execution of Binary with RWX Memory Region (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential NTLM Relay Attack against a Computer Account (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Network Activity Detected via Kworker (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Insecure AWS EC2 VPC Security Group Ingress Rule Added (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Suspicious DebugFS Root Device Access (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Computer Account NTLM Relay Activity (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Blob Storage Container Access Level Modified (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Defense Evasion via Doas (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Clear Kernel Ring Buffer (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Exchange Mail Flow Transport Rule Modified (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GCP Firewall Rule Modification (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Process Execution Detected via Defend for Containers (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Deprecated - M365 Teams External Access Enabled (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS STS Role Assumption by User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Root Network Connection via GDB CAP_SYS_PTRACE (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Privilege Escalation via SUID/SGID (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS EC2 Security Group Configuration Change (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ UAC Bypass Attempt via Windows Directory Masquerading (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ New Okta Identity Provider (IdP) Added by Admin (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Microsoft Graph Request User Impersonation by Unusual Client (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Host Name for Windows Privileged Operations Detected (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Windows Defender Exclusions Added via PowerShell (eql)
  • ✅ Suspicious Microsoft Diagnostics Wizard Execution (eql)
  • ❌ BPF Program or Map Load via bpftool (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Kerberos Relay Attack against a Computer Account (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Command and Scripting Interpreter via Windows Scripts (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Process Access via Direct System Call (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual GCP Event for a User (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Renamed Automation Script Interpreter (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Process Injection via PowerShell (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Creation of a Hidden Local User Account (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Disable Syslog Service (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Startup Folder Persistence via Unsigned Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Windows Defender Disabled via Registry Modification (eql)
  • ❌ GCP Firewall Rule Creation (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ ESXI Timestomping using Touch Command (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious File Made Executable via Chmod Inside A Container (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Bypass UAC via Event Viewer (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ GCP Pub/Sub Topic Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Network Connection from Binary with RWX Memory Region (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure VNet Network Watcher Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Program Files Directory Masquerading (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious MS Outlook Child Process (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Potential Masquerading as Svchost (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Directory Creation in /bin directory (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Events Deleted (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Privilege Escalation via SUID/SGID Proxy Execution (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Dynamic Linker Modification Detected via Defend for Containers (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Execution via Electron Child Process Node.js Module (eql)
  • ✅ Port Forwarding Rule Addition (eql)
  • ❌ File System Debugger Launched Inside a Container (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Unusual Parent-Child Relationship (eql)
  • ❌ M365 Identity OAuth Flow by First-Party Microsoft App from Multiple IPs (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Process Started from Process ID (PID) File (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Suspicious ImagePath Service Creation (eql)
  • ❌ Command Obfuscation via Unicode Modifier Letters (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID OAuth Flow by Microsoft Authentication Broker to Device Registration Service (DRS) (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Disabling Lsa Protection via Registry Modification (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS EC2 Network Access Control List Creation (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ WDAC Policy File by an Unusual Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Kernel Feature Activity (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ SSH Authorized Keys File Deletion (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS GuardDuty Member Account Manipulation (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Impersonation Attempt via Kubectl (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kernel Seeking Activity (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS CloudTrail Log Updated (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Execution via Windows Subsystem for Linux (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kernel Driver Load (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Remote File Execution via MSIEXEC (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Process Creation CallTrace (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Binary Executed from Shared Memory Directory (eql)
  • ❌ Potential Data Exfiltration via Rclone (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Command Execution via ForFiles (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ DNF Package Manager Plugin File Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Process Spawned by a User (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Persistence via Services Registry (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID OAuth PRT Issuance to Non-Managed Device Detected (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Exchange Inbox Phishing Evasion Rule Created (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Control Panel Process with Unusual Arguments (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Hidden Local User Account Creation (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Unusual Login via System User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID External Authentication Methods (EAM) Modified (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS Route 53 Resolver Query Log Configuration Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Windows Event Logs Cleared (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Adding Hidden File Attribute via Attrib (eql)
  • ✅ Potential Local NTLM Relay via HTTP (eql)
  • ❌ AWS IAM OIDC Provider Created by Rare User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Microsoft HTML Application Child Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Remote XSL Script Execution via COM (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Agent Spoofing - Multiple Hosts Using Same Agent (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Application Removed from Blocklist in Google Workspace (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Federated Identity Credential Issuer Modified (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Unauthorized Access via Wildcard Injection Detected (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Disable Windows Firewall Rules via Netsh (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Unusual Process Execution Path - Alternate Data Stream (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential NetNTLMv1 Downgrade Attack (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kernel Load or Unload via Kexec Detected (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Attempt to Disable Gatekeeper (eql)
  • ✅ Disable Windows Event and Security Logs Using Built-in Tools (eql)
  • ❌ Suspicious Script Object Execution (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kernel Unpacking Activity (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Hidden Files and Directories via Hidden Flag (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Proxy Shell Execution via Busybox (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Exchange DKIM Signing Configuration Disabled (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GCP Logging Sink Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Service DACL Modification via sc.exe (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Tainted Out-Of-Tree Kernel Module Load (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Incoming DCOM Lateral Movement with MMC (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ AWS GuardDuty Detector Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Linux Restricted Shell Breakout via Linux Binary(s) (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Network Connection via RunDLL32 (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Linux Network Activity (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Diagnostic Settings Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Rare GCP Audit Failure Event Code (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Suspicious PDF Reader Child Process (eql)
  • ❌ Uncommon Registry Persistence Change (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Execution with NodeJS (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Process Spawned by a Host (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall) (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GCP Logging Bucket Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Windows Sandbox with Sensitive Configuration (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ DNS Global Query Block List Modified or Disabled (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ RDP Enabled via Registry (eql)
  • ❌ Potential Privilege Escalation via InstallerFileTakeOver (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Process Modifying GenAI Configuration File (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS CloudTrail Log Created (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ UAC Bypass Attempt via Privileged IFileOperation COM Interface (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Command Line Obfuscation via Whitespace Padding (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ ROT Encoded Python Script Execution (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Secure File Deletion via SDelete Utility (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Virtual Machine Fingerprinting (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Boot File Copy (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Base64 Decoded Payload Piped to Interpreter (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS WAF Rule or Rule Group Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Defense Evasion via PRoot (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Google Workspace 2SV Policy Disabled (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential CVE-2025-33053 Exploitation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Deprecated - M365 Teams Guest Access Enabled (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Deprecated - M365 Exchange DLP Policy Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Unusual Process Network Connection (eql)
  • ❌ Entra ID Service Principal Federated Credential Authentication by Unusual Client (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AdminSDHolder SDProp Exclusion Added (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Incoming DCOM Lateral Movement via MSHTA (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Persistence via Suspicious Launch Agent or Launch Daemon (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Process Backgrounded by Unusual Parent (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 SharePoint Site Sharing Policy Weakened (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Network Connection via Signed Binary (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Dynamic Linker Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Modification of Safari Settings via Defaults Command (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Potential PowerShell Obfuscation via Invalid Escape Sequences (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ MsiExec Service Child Process With Network Connection (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual LD_PRELOAD/LD_LIBRARY_PATH Command Line Arguments (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Execution from Kernel Thread (kthreadd) Parent (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unauthorized Scope for Public App OAuth2 Token Grant with Client Credentials (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ WebServer Access Logs Deleted (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Linux Process Hooking via GDB (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Modify an Okta Policy (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Exchange Mailbox Audit Logging Bypass Added (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Rare Connection to WebDAV Target (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ High Number of Process Terminations (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Image File Execution Options Injection (eql)
  • ❌ M365 Exchange Federated Domain Created or Modified (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS CloudWatch Log Group Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ UAC Bypass via ICMLuaUtil Elevated COM Interface (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Path Mounted (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Disable Auditd Service (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Unusual Service Host Child Process - Childless Service (eql)
  • ❌ Suspicious Curl from macOS Application (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential PowerShell Obfuscation via Special Character Overuse (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Root Certificate Installation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Loadable Kernel Module Configuration File Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Windows Error Manager Masquerading (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Special Privilege Use Events (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS CloudTrail Log Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS Config Resource Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Attempt to Unload Elastic Endpoint Security Kernel Extension (eql)
  • ❌ AWS EC2 EBS Snapshot Access Removed (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Container Created with Excessive Linux Capabilities (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Modification of Dynamic Linker Preload Shared Object (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Unusual File Creation - Alternate Data Stream (eql)
  • ❌ Attempt to Reset MFA Factors for an Okta User Account (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious JetBrains TeamCity Child Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential PowerShell Obfuscated Script via High Entropy (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Modification of Environment Variable via Unsigned or Untrusted Parent (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Long Base64 Encoded Command via Scripting Interpreter (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Privilege Escalation via Sudoers File Modification (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Creation of Hidden Shared Object File (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Country for an Azure Activity Logs Event (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ UID Elevation from Previously Unknown Executable (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Privileged Identity Management (PIM) Role Modified (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious ScreenConnect Client Child Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unsigned DLL Loaded by Svchost (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Key Vault Modified (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Execution of a Downloaded Windows Script (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ SSL Certificate Deletion (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential File Transfer via Certreq (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS First Occurrence of STS GetFederationToken Request by User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ SELinux Configuration Creation or Renaming (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Tampering of Shell Command-Line History (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ APT Package Manager Configuration File Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Google Workspace Bitlocker Setting Disabled (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Git Hook Child Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS Lambda Layer Added to Existing Function (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Execution via FileFix Phishing Attack (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Kworker UID Elevation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Microsoft Management Console File from Unusual Path (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS EC2 Stop, Start, and User Data Modification Correlation (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ File with Right-to-Left Override Character (RTLO) Created/Executed (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ System File Ownership Change (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Suspicious WMIC XSL Script Execution (eql)
  • ❌ Python Path File (pth) Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Deprecated - Potential PowerShell Obfuscated Script (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual City For an AWS Command (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Gatekeeper Override and Execution (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Azure Activity Logs Event for a User (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ PowerShell Script Block Logging Disabled (eql)
  • ❌ PowerShell Suspicious Payload Encoded and Compressed (kuery)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Suspicious Write Attempt to AppArmor Policy Management Files (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Path Invocation from Command Line (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Manual Dracut Execution (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Windows Powershell Arguments (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Disable IPTables or Firewall (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential PowerShell Obfuscation via Character Array Reconstruction (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS EC2 Network Access Control List Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ NetworkManager Dispatcher Script Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS EventBridge Rule Disabled or Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ FortiGate Overly Permissive Firewall Policy Created (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Symbolic Link Created (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ SUID/SGID Bit Set (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Execution from a Mounted Device (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Unusual Decision by User Agent (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Deactivate an Okta Network Zone (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Executable File Creation with Multiple Extensions (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ✅ Enable Host Network Discovery via Netsh (eql)
  • ❌ Azure Kubernetes Services (AKS) Kubernetes Events Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Proxy Execution via Windows OpenSSH (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID OAuth ROPC Grant Login Detected (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Privilege Escalation via PKEXEC (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Automation Runbook Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Actor Token User Impersonation Abuse (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Linux User or Group Deletion (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GCP Virtual Private Cloud Route Creation (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS WAF Access Control List Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Identity OAuth Phishing via First-Party Microsoft Application (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Evasion via Windows Filtering Platform (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Sudoers File Activity (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS VPC Flow Logs Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Deprecated - Encoded Executable Stored in the Registry (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Google Workspace Admin Role Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Executable Bit Set for Potential Persistence Script (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential PowerShell Pass-the-Hash/Relay Script (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID OAuth user_impersonation Scope for Unusual User and Client (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS STS AssumeRoot by Rare User and Member Account (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ File made Immutable by Chattr (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Exchange Anti-Phish Rule Modification (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GCP Storage Bucket Configuration Modification (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ DebugFS Execution Detected via Defend for Containers (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS IAM SAML Provider Updated (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential HTTP Downgrade Attack (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Suspicious Zoom Child Process (eql)
  • ❌ Suspicious Renaming of ESXI Files (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Startup or Run Key Registry Modification (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Git Hook Egress Network Connection (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Execution from Foomatic-rip or Cupsd Parent (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Access Control List Modification via setfacl (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Kerberos SPN Spoofing via Suspicious DNS Query (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Suspicious Explorer Child Process (eql)
  • ✅ Scheduled Tasks AT Command Enabled (eql)
  • ❌ Suspicious Shell Execution via Velociraptor (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Privilege Escalation via CAP_SETUID/SETGID Capabilities (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Interactive Shell Launched from System User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Command Shell Activity Started via RunDLL32 (eql)
  • ❌ Microsoft Build Engine Started by a Script Process (kuery)
    • stack_validation_failed: no_alerts - 0 alerts
  • ✅ Microsoft Build Engine Started by a System Process (eql)
  • ✅ Microsoft Build Engine Using an Alternate Name (eql)
  • ✅ Potential Credential Access via Trusted Developer Utility (eql)
  • ✅ Microsoft Build Engine Started an Unusual Process (kuery)
  • ❌ Process Injection by the Microsoft Build Engine (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID User Sign-in with Unusual Authentication Type (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS CloudTrail Log Evasion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Okta AiTM Session Cookie Replay (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ PowerShell Obfuscation via Negative Index String Reversal (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS RDS DB Instance Made Public (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Dynamic IEX Reconstruction via Method String Access (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ File Permission Modification in Writable Directory (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ InstallUtil Process Making Network Connections (eql)
  • ❌ File Deletion via Shred (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Windows Subsystem for Linux Distribution Installed (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GCP Virtual Private Cloud Route Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Protection Admin Confirmed Compromise (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ DNS-over-HTTPS Enabled via Registry (eql)
  • ❌ Unusual Preload Environment Variable Process Execution (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Google Workspace Restrictions for Marketplace Modified to Allow Any App (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Execution via local SxS Shared Module (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious SolarWinds Web Help Desk Java Module Load or Child Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious MS Office Child Process (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Execution via GitHub Actions Runner (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS S3 Bucket Server Access Logging Disabled (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Shell History Clearing via Environment Variables (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Payload Execution via Shell Pipe Detected by Defend for Containers (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Execution via OpenClaw Agent (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID OAuth Device Code Grant by Microsoft Authentication Broker (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Exchange Email Safe Link Policy Disabled (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Google Workspace Password Policy Modified (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Persistence via Hidden Run Key Detected (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ System Log File Deletion (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GRUB Configuration Generation through Built-in Utilities (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Persistence via Login Hook (kuery)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Suspicious WerFault Child Process (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Git Hook Created or Modified (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ WPS Office Exploitation via DLL Hijack (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual AWS Command for a User (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Invoke-Mimikatz PowerShell Script (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Potential Command and Control via Internet Explorer (eql)
  • ❌ Suspicious Managed Code Hosting Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Signed Proxy Execution via MS Work Folders (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Decline in host-based traffic (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Portable Executable Encoded in Powershell Script (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious APT Package Manager Execution (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Communication App Child Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Suspicious File Creation via Kworker (eql)
  • ❌ Shared Object Created by Previously Unknown Process (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID OAuth Device Code Grant by Unusual User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Network Activity Detected via cat (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Timestomping using Touch Command (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ TCC Bypass via Mounted APFS Snapshot Access (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Netsh Helper DLL (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Dynamic IEX Reconstruction via Environment Variables (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubeconfig File Creation or Modification (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Hidden Directory Creation via Unusual Parent (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Network Connection via Compiled HTML File (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GenAI Process Compiling or Generating Executables (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Suspicious Endpoint Security Parent Process (eql)
  • ❌ Code Signing Policy Modification Through Built-in tools (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Delete an Okta Policy (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Clearing Windows Console History (eql)
  • ❌ Elastic Agent Service Terminated (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Deactivate an Okta Policy (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ PowerShell Invoke-NinjaCopy script (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Network Connection via MsXsl (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ✅ UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface (eql)
  • ❌ Creation of Hidden Files and Directories via CommandLine (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ SolarWinds Process Disabling Services via Registry (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Windows Network Activity (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kernel Driver Load by non-root User (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS SQS Queue Purge (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Resource Group Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS EC2 Encryption Disabled (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Teams Custom Application Interaction Enabled (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Install Root Certificate (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Entra ID Conditional Access Policy (CAP) Modified (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Protection Alerts for User Detected (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Print Spooler Point and Print DLL (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Potential Privileged Escalation via SamAccountName Spoofing (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Execution via Windows Command Debugging Utility (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Host Detected with Suspicious Windows Process(es) (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS RDS DB Instance Restored (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious DLL Loaded for Persistence or Privilege Escalation (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Potential Privacy Control Bypass via Localhost Secure Copy (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ PowerShell Script with Windows Defender Tampering Capabilities (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Rare Azure Activity Logs Event Failures (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential RemoteMonologue Attack (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Mshta Making Network Connections (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Suspicious Usage of bpf_probe_write_user Helper (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Execution from VS Code Extension (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GenAI Process Performing Encoding/Chunking Prior to Network Activity (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Suspicious Print Spooler File Deletion (eql)
  • ❌ Unusual Base64 Encoding/Decoding Activity (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GCP Virtual Private Cloud Network Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Credential Access via Renamed COM+ Services DLL (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ✅ Microsoft Build Engine Started by an Office Application (eql)
  • ❌ Initramfs Unpacking via unmkinitramfs (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS IAM API Calls via Temporary Session Tokens (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Delete an Okta Network Zone (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID User Sign-in with Unusual Client (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Network Connection via DllHost (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Virtual Machine Fingerprinting via Grep (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Parent Process PID Spoofing (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Suspicious Startup Shell Folder Modification (eql)
  • ✅ Disabling Windows Defender Security Settings via PowerShell (eql)
  • ❌ Entra ID OAuth Authorization Code Grant for Unusual User, App, and Resource (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Masquerading as Communication Apps (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Exchange MFA Notification Email Deleted or Moved (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Remote Install via MsiExec (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Exchange Malware Filter Rule Modified (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unsigned DLL Side-Loading from a Suspicious Folder (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Abnormal Process ID or Lock File Created (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Google Workspace MFA Enforcement Disabled (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Multiple Device Token Hashes for Single Okta Session (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GCP Pub/Sub Subscription Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Deactivate an Okta Policy Rule (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Modification or Removal of an Okta Application Sign-On Policy (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Interpreter Execution Detected via Defend for Containers (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Anomalous Linux Compiler Activity (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Kernel Module Removal (eql)
  • ❌ MFA Deactivation with no Re-Activation for Okta User Account (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Okta User Session Impersonation (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential PowerShell HackTool Script by Function Names (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual City for an Azure Activity Logs Event (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GRUB Configuration File Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Shell Command-Line History Deletion Detected via Defend for Containers (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Kill Signal (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Domain Added to Google Workspace Trusted Domains (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Execution from Unusual Directory - Command Line (eql)
  • ✅ Registry Persistence via AppInit DLL (eql)
  • ✅ Symbolic Link to Shadow Copy Created (eql)
  • ❌ Entra ID ADRS Token Request by Microsoft Authentication Broker (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Expired or Revoked Driver Loaded (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ System Binary Symlink to Suspicious Location (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS EC2 Instance Console Login via Assumed Role (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Curl or Wget Egress Network Connection via LoLBin (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Microsoft Office Sandbox Evasion (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ AppArmor Profile Compilation via apparmor_parser (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Disabling User Account Control via Registry Modification (eql)
  • ❌ AppArmor Policy Interface Access (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Clearing Windows Event Logs (eql)
  • ❌ Potential PowerShell Obfuscation via Backtick-Escaped Variable Expansion (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kernel Module Load from Unusual Location (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Privilege Escalation via CAP_CHOWN/CAP_FOWNER Capabilities (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Privilege Escalation via Windir Environment Variable (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Delete an Okta Policy Rule (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS CloudWatch Log Stream Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Exchange Anti-Phish Policy Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Modification of WDigest Security Provider (eql)
  • ❌ M365 Exchange Malware Filter Policy Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Python Site or User Customize File Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Blob Storage Permissions Modified (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Apple Mail Rule Plist Modification (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Machine Account Relay Attack via SMB (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Untrusted Driver Loaded (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential REMCOS Trojan Execution (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS IAM Deactivation of MFA Device (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ NTDS Dump via Wbadmin (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Echo or Printf Execution Detected via Defend for Containers (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Windows Command Shell Arguments (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Code Signing Policy Modification Through Registry (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID MFA Disabled for User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Network-Level Authentication (NLA) Disabled (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Execution via Windows Subsystem for Linux (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Service Principal with Unusual Source ASN (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Content Extracted or Decompressed via Funzip (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Git Hook Command Execution (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Hidden Process via Mount Hidepid (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Dracut Module Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Country For a GCP Event (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Install or Run Kali Linux via WSL (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ NullSessionPipe Registry Modification (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ File Creation in /var/log via Suspicious Process (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Child Process from a System Virtual Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Base16 or Base32 Encoding/Decoding Activity (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Tampering with RUNNER_TRACKING_ID in GitHub Actions Runners (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Automation Account Created (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Dynamic Linker Copy (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential privilege escalation via CVE-2022-38028 (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Delayed Execution via Ping (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure VNet Firewall Policy Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potentially Suspicious Process Started via tmux or screen (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Event Hub Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS EC2 Route Table Created (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Successful Logon Events from a Source IP (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Full Disk Access Permission Check (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious .NET Reflection via PowerShell (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Windows Subsystem for Linux Enabled via Dism Utility (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Suspicious Process Execution via Renamed PsExec Executable (eql)
  • ✅ Process Activity via Compiled HTML File (eql)
  • ❌ Entra ID Concurrent Sign-in with Suspicious Properties (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Persistence via a Hidden Plist Filename (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Modify an Okta Network Zone (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kerberos Pre-authentication Disabled for User (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Network Activity to a Suspicious Top Level Domain (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ MFA Disabled for Google Workspace Organization (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Execution of Persistent Suspicious Program (eql)
  • ❌ Potential Windows Session Hijacking via CcmExec (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Execution via Microsoft Common Console File (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS EC2 Route Table Modified or Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Outbound Network Connection via Unsigned Binary (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Protocol Tunneling via Yuze (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Network Connection by Cups or Foomatic-rip Child (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Service Control Spawned via Script Interpreter (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Installation of Security Support Provider (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Microsoft Graph Request Email Access by Unusual User and Client (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Host File System Changes via Windows Subsystem for Linux (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential PowerShell Obfuscation via String Reordering (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ High Number of Okta User Password Reset or Unlock Attempts (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Unusual Executable File Creation by a System Critical Process (eql)
  • ❌ AWS EC2 Serial Console Access Enabled (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Process Spawned by a Parent Process (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious APT Package Manager Network Connection (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Disabling of SELinux (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ IIS HTTP Logging Disabled (eql)
  • ❌ Process Execution from an Unusual Directory (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ File Execution Permission Modification Detected via Defend for Containers (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ ImageLoad via Windows Update Auto Update Client (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Privacy Control Bypass via TCCDB Modification (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ BPF filter applied using TC (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Child Processes of RunDLL32 (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious HTML File Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Quarantine Attrib Removed by Unsigned or Untrusted Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Diagnostic Settings Alert Suppression Rule Created or Modified (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Process Capability Set via setcap Utility (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS RDS DB Instance or Cluster Password Modified (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual City For a GCP Event (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Creation of Hidden Login Item via Apple Script (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ SIP Provider Modification (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Suspicious Network Connection via systemd (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential PowerShell Obfuscation via Reverse Keywords (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kill Command Execution (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Web Server Potential Command Injection Request (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Setcap setuid/setgid Capability Set (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Parent Process Detected with Suspicious Windows Process(es) (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Masquerading Space After Filename (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Windows Firewall Disabled via PowerShell (eql)
  • ❌ AWS RDS DB Instance or Cluster Deletion Protection Disabled (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Delete Volume USN Journal with Fsutil (eql)
  • ❌ SoftwareUpdate Preferences Modification (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ AWS KMS Key Policy Updated via PutKeyPolicy (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential PowerShell Obfuscation via String Concatenation (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Kerberos Coercion via DNS-Based SPN Spoofing (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS CloudWatch Alarm Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS Suspicious User Agent Fingerprint (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Modification of AmsiEnable Registry Key (eql)
  • ❌ Untrusted DLL Loaded by Azure AD Connect Authentication Agent (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Ingress Transfer via Windows BITS (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Activity Reported by Okta User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential PowerShell Obfuscation via High Numeric Character Proportion (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Antimalware Scan Interface DLL (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Disabling of AppArmor (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Network Connection via Registration Utility (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kernel Instrumentation Discovery via kprobes and tracefs (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Dylib Injection via Process Environment Variables (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Fake CAPTCHA Phishing Attack (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS Configuration Recorder Stopped (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Process Started with Executable Stack (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Elastic Defend Alert Followed by Telemetry Loss (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Proxy Execution via Console Window Host (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GitHub App Deleted (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Suspicious CertUtil Commands (eql)
  • ❌ System Binary Moved or Copied (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Microsoft Windows Defender Tampering (eql)
  • ❌ Potential Masquerading as Business App Installer (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Data Encrypted via OpenSSL Utility (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ MS Office Macro Security Registry Modifications (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Process Name Stomping with Prctl (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious JavaScript Execution via Deno (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS S3 Bucket Expiration Lifecycle Configuration Added (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Alternate Data Stream Creation/Execution at Volume Root Directory (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GCP Firewall Rule Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Sudo Token Manipulation via Process Injection (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious TCC Access Granted for User Folders (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@shashank-elastic shashank-elastic marked this pull request as ready for review May 4, 2026 13:52

@Mikaayenson Mikaayenson left a comment


@tradebot-elastic

tradebot-elastic commented May 4, 2026

⛔️ Test failed

Results
  • ❌ Attempt to Modify an Okta Policy Rule (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Potential Credential Access via Windows Utilities (eql)
  • ❌ System Binary Path File Permission Modification (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Memory Threat - Detected - Elastic Defend (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AppArmor Policy Violation Detected (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Arc Cluster Credential Access by Identity from Unusual Source (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Exchange Email Safe Attachment Rule Disabled (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ High Number of Process and/or Service Terminations (kuery)
  • ❌ Suspicious Dynamic Linker Discovery via od (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Multi-Base64 Decoding Attempt from Suspicious Location (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Escalation via Vulnerable MSI Repair (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Suspicious Microsoft Antimalware Service Execution (eql)
  • ❌ System Path File Creation and Execution Detected via Defend for Containers (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Conhost Spawned By Suspicious Parent Process (eql)
  • ❌ Tainted Kernel Module Load (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Dynamic Linker (ld.so) Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Potential Evasion via Filter Manager (eql)
  • ❌ Memory Threat - Prevented- Elastic Defend (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Remote Desktop Enabled in Windows Firewall by Netsh (eql)
  • ❌ GitHub Protected Branch Settings Changed (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Local Account TokenFilter Policy Disabled (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential PowerShell Obfuscation via Concatenated Dynamic Command Invocation (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Hidden Child Process of Launchd (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Node.js Pre or Post-Install Script Execution (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Clear Logs via Journalctl (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Creation of Hidden Launch Agent or Daemon (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ File Creation, Execution and Self-Deletion in Suspicious Directory (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure VNet Firewall Front Door WAF Policy Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Yum Package Manager Plugin File Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Processes with Trailing Spaces (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Hex Payload Execution via Common Utility (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ High Command Line Entropy Detected for Privileged Commands (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID OAuth User Impersonation to Microsoft Graph (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS Access Token Used from Multiple Addresses (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Persistence via Mandatory User Profile (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ MsBuild Making Network Connections (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Sensitive Audit Policy Sub-Category Disabled (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Polkit Policy Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Decoded Payload Piped to Interpreter Detected via Defend for Containers (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Potential DLL Side-Loading via Trusted Microsoft Programs (eql)
  • ❌ UAC Bypass via Windows Firewall Snap-In Hijack (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS Route 53 Domain Transfer Lock Disabled (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ User Detected with Suspicious Windows Process(es) (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Exploitation of an Unquoted Service Path Vulnerability (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Machine Learning Detected a Suspicious Windows Event with a Low Malicious Probability Score (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Office Test Registry Persistence (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID OAuth Phishing via First-Party Microsoft Application (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS Lambda Function Policy Updated to Allow Public Invocation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious SIP Check by macOS Application (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential CVE-2025-32463 Nsswitch File Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Timestomp in Executable Files (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Kerberos Attack via Bifrost (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Component Object Model Hijacking (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Persistence via a Windows Installer (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Powershell Script (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Initramfs Extraction via CPIO (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Renamed Utility Executed with Short Program Name (eql)
  • ❌ Script Execution via Microsoft HTML Application (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GCP Logging Sink Modification (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Persistence via File Modification (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kernel Object File Creation (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Rare AWS Error Code (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Execution of COM object via Xwizard (eql)
  • ❌ AWS CloudTrail Log Suspended (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Windows Server Update Service Spawning Suspicious Processes (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ BPF Program Tampering via bpftool (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Domain Federation Configuration Change (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Hex Payload Execution via Command-Line (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential CVE-2025-32463 Sudo Chroot Execution Attempt (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ PowerShell Script with Encryption/Decryption Capabilities (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Ingress Tool Transfer Followed by Execution and Deletion Detected via Defend for Containers (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ UAC Bypass via DiskCleanup Scheduled Task Hijack (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Creation of a DNS-Named Record (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Sudo Activity (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Antimalware Scan Interface Bypass via PowerShell (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ File Creation in World-Writable Directory by Unusual Process (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ High Number of Egress Network Connections from Unusual Executable (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Network Activity from a Windows System Binary (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ✅ Suspicious .NET Code Compilation (eql)
  • ❌ Executable Masquerading as Kernel Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Creation or Modification of Root Certificate (eql)
  • ❌ Werfault ReflectDebugger Persistence (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ First Time Seen Google Workspace OAuth Login from Third-Party Application (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GitHub Secret Scanning Disabled (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Full User-Mode Dumps Enabled System-Wide (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Encoded Payload Detected via Defend for Containers (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS S3 Bucket Configuration Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GCP Storage Bucket Permissions Modification (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kernel Module Load via Built-in Utility (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Kubectl Masquerading via Unexpected Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unknown Execution of Binary with RWX Memory Region (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential NTLM Relay Attack against a Computer Account (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Network Activity Detected via Kworker (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Insecure AWS EC2 VPC Security Group Ingress Rule Added (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Suspicious DebugFS Root Device Access (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Computer Account NTLM Relay Activity (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Blob Storage Container Access Level Modified (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Persistence via Update Orchestrator Service Hijack (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Defense Evasion via Doas (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Clear Kernel Ring Buffer (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Exchange Mail Flow Transport Rule Modified (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GCP Firewall Rule Modification (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Process Execution Detected via Defend for Containers (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Deprecated - M365 Teams External Access Enabled (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS STS Role Assumption by User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Root Network Connection via GDB CAP_SYS_PTRACE (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Privilege Escalation via SUID/SGID (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS EC2 Security Group Configuration Change (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ UAC Bypass Attempt via Windows Directory Masquerading (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ New Okta Identity Provider (IdP) Added by Admin (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Microsoft Graph Request User Impersonation by Unusual Client (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Host Name for Windows Privileged Operations Detected (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Deprecated - Adobe Hijack Persistence (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ✅ Windows Defender Exclusions Added via PowerShell (eql)
  • ✅ Suspicious Microsoft Diagnostics Wizard Execution (eql)
  • ❌ BPF Program or Map Load via bpftool (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Kerberos Relay Attack against a Computer Account (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Command and Scripting Interpreter via Windows Scripts (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Process Access via Direct System Call (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual GCP Event for a User (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Renamed Automation Script Interpreter (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Process Injection via PowerShell (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Creation of a Hidden Local User Account (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Disable Syslog Service (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Startup Folder Persistence via Unsigned Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Windows Defender Disabled via Registry Modification (eql)
  • ❌ GCP Firewall Rule Creation (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ ESXI Timestomping using Touch Command (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious File Made Executable via Chmod Inside A Container (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Bypass UAC via Event Viewer (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ GCP Pub/Sub Topic Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Network Connection from Binary with RWX Memory Region (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure VNet Network Watcher Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Program Files Directory Masquerading (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious MS Outlook Child Process (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Potential Masquerading as Svchost (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Directory Creation in /bin directory (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Events Deleted (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Privilege Escalation via SUID/SGID Proxy Execution (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Dynamic Linker Modification Detected via Defend for Containers (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Execution via Electron Child Process Node.js Module (eql)
  • ✅ Port Forwarding Rule Addition (eql)
  • ❌ File System Debugger Launched Inside a Container (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Unusual Parent-Child Relationship (eql)
  • ❌ M365 Identity OAuth Flow by First-Party Microsoft App from Multiple IPs (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Process Started from Process ID (PID) File (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Suspicious ImagePath Service Creation (eql)
  • ❌ Command Obfuscation via Unicode Modifier Letters (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Suspicious File Edit (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID OAuth Flow by Microsoft Authentication Broker to Device Registration Service (DRS) (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Disabling Lsa Protection via Registry Modification (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS EC2 Network Access Control List Creation (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ WDAC Policy File by an Unusual Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Kernel Feature Activity (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ SSH Authorized Keys File Deletion (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS GuardDuty Member Account Manipulation (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Impersonation Attempt via Kubectl (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kernel Seeking Activity (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS CloudTrail Log Updated (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Execution via Windows Subsystem for Linux (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kernel Driver Load (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Remote File Execution via MSIEXEC (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Process Creation CallTrace (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Binary Executed from Shared Memory Directory (eql)
  • ❌ Potential Data Exfiltration via Rclone (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Command Execution via ForFiles (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ DNF Package Manager Plugin File Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Process Spawned by a User (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Persistence via Services Registry (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID OAuth PRT Issuance to Non-Managed Device Detected (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Exchange Inbox Phishing Evasion Rule Created (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Control Panel Process with Unusual Arguments (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Hidden Local User Account Creation (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Unusual Login via System User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID External Authentication Methods (EAM) Modified (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential snap-confine Privilege Escalation via CVE-2026-3888 (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS Route 53 Resolver Query Log Configuration Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Windows Event Logs Cleared (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Adding Hidden File Attribute via Attrib (eql)
  • ✅ Potential Local NTLM Relay via HTTP (eql)
  • ❌ AWS IAM OIDC Provider Created by Rare User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Microsoft HTML Application Child Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Remote XSL Script Execution via COM (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Agent Spoofing - Multiple Hosts Using Same Agent (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Application Removed from Blocklist in Google Workspace (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Federated Identity Credential Issuer Modified (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Unauthorized Access via Wildcard Injection Detected (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Disable Windows Firewall Rules via Netsh (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Unusual Process Execution Path - Alternate Data Stream (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential NetNTLMv1 Downgrade Attack (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kernel Load or Unload via Kexec Detected (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Attempt to Disable Gatekeeper (eql)
  • ✅ Disable Windows Event and Security Logs Using Built-in Tools (eql)
  • ❌ Suspicious Script Object Execution (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kernel Unpacking Activity (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Hidden Files and Directories via Hidden Flag (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Proxy Shell Execution via Busybox (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Exchange DKIM Signing Configuration Disabled (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GCP Logging Sink Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Service DACL Modification via sc.exe (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Tainted Out-Of-Tree Kernel Module Load (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Incoming DCOM Lateral Movement with MMC (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ AWS GuardDuty Detector Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Linux Restricted Shell Breakout via Linux Binary(s) (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Network Connection via RunDLL32 (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Linux Network Activity (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Diagnostic Settings Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Rare GCP Audit Failure Event Code (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Suspicious PDF Reader Child Process (eql)
  • ❌ Uncommon Registry Persistence Change (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Execution with NodeJS (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Process Spawned by a Host (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall) (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GCP Logging Bucket Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Windows Sandbox with Sensitive Configuration (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ DNS Global Query Block List Modified or Disabled (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ RDP Enabled via Registry (eql)
  • ❌ Potential Privilege Escalation via InstallerFileTakeOver (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Process Modifying GenAI Configuration File (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS CloudTrail Log Created (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ UAC Bypass Attempt via Privileged IFileOperation COM Interface (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Command Line Obfuscation via Whitespace Padding (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ ROT Encoded Python Script Execution (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Secure File Deletion via SDelete Utility (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Virtual Machine Fingerprinting (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Deprecated - Suspicious PrintSpooler Service Executable File Creation (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Boot File Copy (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Base64 Decoded Payload Piped to Interpreter (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS WAF Rule or Rule Group Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Defense Evasion via PRoot (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Google Workspace 2SV Policy Disabled (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential CVE-2025-33053 Exploitation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Deprecated - M365 Teams Guest Access Enabled (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Deprecated - M365 Exchange DLP Policy Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Unusual Process Network Connection (eql)
  • ❌ Entra ID Service Principal Federated Credential Authentication by Unusual Client (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AdminSDHolder SDProp Exclusion Added (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Incoming DCOM Lateral Movement via MSHTA (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Persistence via Suspicious Launch Agent or Launch Daemon (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Process Backgrounded by Unusual Parent (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 SharePoint Site Sharing Policy Weakened (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Network Connection via Signed Binary (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Dynamic Linker Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Modification of Safari Settings via Defaults Command (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Potential PowerShell Obfuscation via Invalid Escape Sequences (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ MsiExec Service Child Process With Network Connection (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual LD_PRELOAD/LD_LIBRARY_PATH Command Line Arguments (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Execution from Kernel Thread (kthreadd) Parent (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unauthorized Scope for Public App OAuth2 Token Grant with Client Credentials (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ WebServer Access Logs Deleted (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Linux Process Hooking via GDB (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Modify an Okta Policy (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Exchange Mailbox Audit Logging Bypass Added (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Rare Connection to WebDAV Target (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ High Number of Process Terminations (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Image File Execution Options Injection (eql)
  • ❌ M365 Exchange Federated Domain Created or Modified (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Persistence via TelemetryController Scheduled Task Hijack (eql)
  • ❌ AWS CloudWatch Log Group Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ UAC Bypass via ICMLuaUtil Elevated COM Interface (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Path Mounted (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Disable Auditd Service (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Unusual Service Host Child Process - Childless Service (eql)
  • ❌ Suspicious Curl from macOS Application (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential PowerShell Obfuscation via Special Character Overuse (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Root Certificate Installation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Loadable Kernel Module Configuration File Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Windows Error Manager Masquerading (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Special Privilege Use Events (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS CloudTrail Log Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS Config Resource Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Attempt to Unload Elastic Endpoint Security Kernel Extension (eql)
  • ❌ AWS EC2 EBS Snapshot Access Removed (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Container Created with Excessive Linux Capabilities (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Modification of Dynamic Linker Preload Shared Object (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Unusual File Creation - Alternate Data Stream (eql)
  • ❌ Attempt to Reset MFA Factors for an Okta User Account (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious JetBrains TeamCity Child Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential PowerShell Obfuscated Script via High Entropy (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Modification of Environment Variable via Unsigned or Untrusted Parent (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Long Base64 Encoded Command via Scripting Interpreter (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Privilege Escalation via Sudoers File Modification (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Creation of Hidden Shared Object File (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Country for an Azure Activity Logs Event (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ UID Elevation from Previously Unknown Executable (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Privileged Identity Management (PIM) Role Modified (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious ScreenConnect Client Child Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unsigned DLL Loaded by Svchost (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Key Vault Modified (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Execution of a Downloaded Windows Script (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ SSL Certificate Deletion (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential File Transfer via Certreq (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS First Occurrence of STS GetFederationToken Request by User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ SELinux Configuration Creation or Renaming (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Tampering of Shell Command-Line History (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ APT Package Manager Configuration File Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Google Workspace Bitlocker Setting Disabled (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Git Hook Child Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS Lambda Layer Added to Existing Function (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Execution via FileFix Phishing Attack (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Kworker UID Elevation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Microsoft Management Console File from Unusual Path (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS EC2 Stop, Start, and User Data Modification Correlation (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ File with Right-to-Left Override Character (RTLO) Created/Executed (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ System File Ownership Change (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Suspicious WMIC XSL Script Execution (eql)
  • ❌ Python Path File (pth) Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Deprecated - Potential PowerShell Obfuscated Script (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual City For an AWS Command (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Gatekeeper Override and Execution (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Azure Activity Logs Event for a User (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ PowerShell Script Block Logging Disabled (eql)
  • ❌ PowerShell Suspicious Payload Encoded and Compressed (kuery)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Suspicious Write Attempt to AppArmor Policy Management Files (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Path Invocation from Command Line (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Manual Dracut Execution (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Windows Powershell Arguments (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Disable IPTables or Firewall (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential PowerShell Obfuscation via Character Array Reconstruction (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS EC2 Network Access Control List Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ NetworkManager Dispatcher Script Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS EventBridge Rule Disabled or Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Sudo Hijacking (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ FortiGate Overly Permissive Firewall Policy Created (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Persistence via DirectoryService Plugin Modification (eql)
  • ❌ Suspicious Symbolic Link Created (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ SUID/SGID Bit Set (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Execution from a Mounted Device (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Unusual Decision by User Agent (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Deactivate an Okta Network Zone (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Executable File Creation with Multiple Extensions (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ✅ Enable Host Network Discovery via Netsh (eql)
  • ❌ Azure Kubernetes Services (AKS) Kubernetes Events Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ RPM Package Installed by Unusual Parent Process (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Proxy Execution via Windows OpenSSH (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID OAuth ROPC Grant Login Detected (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Privilege Escalation via PKEXEC (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Automation Runbook Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Actor Token User Impersonation Abuse (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Linux User or Group Deletion (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GCP Virtual Private Cloud Route Creation (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS WAF Access Control List Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Identity OAuth Phishing via First-Party Microsoft Application (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Evasion via Windows Filtering Platform (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Sudoers File Activity (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS VPC Flow Logs Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Deprecated - Encoded Executable Stored in the Registry (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Google Workspace Admin Role Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Executable Bit Set for Potential Persistence Script (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential PowerShell Pass-the-Hash/Relay Script (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID OAuth user_impersonation Scope for Unusual User and Client (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS STS AssumeRoot by Rare User and Member Account (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ File made Immutable by Chattr (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Exchange Anti-Phish Rule Modification (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GCP Storage Bucket Configuration Modification (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ DebugFS Execution Detected via Defend for Containers (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS IAM SAML Provider Updated (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential HTTP Downgrade Attack (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Suspicious Zoom Child Process (eql)
  • ❌ Suspicious Renaming of ESXI Files (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Startup or Run Key Registry Modification (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Git Hook Egress Network Connection (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Execution from Foomatic-rip or Cupsd Parent (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Access Control List Modification via setfacl (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Kerberos SPN Spoofing via Suspicious DNS Query (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Suspicious Explorer Child Process (eql)
  • ✅ Scheduled Tasks AT Command Enabled (eql)
  • ❌ Suspicious Shell Execution via Velociraptor (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Privilege Escalation via CAP_SETUID/SETGID Capabilities (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Interactive Shell Launched from System User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Command Shell Activity Started via RunDLL32 (eql)
  • ❌ Microsoft Build Engine Started by a Script Process (kuery)
    • stack_validation_failed: no_alerts - 0 alerts
  • ✅ Microsoft Build Engine Started by a System Process (eql)
  • ✅ Microsoft Build Engine Using an Alternate Name (eql)
  • ✅ Potential Credential Access via Trusted Developer Utility (eql)
  • ✅ Microsoft Build Engine Started an Unusual Process (kuery)
  • ❌ Process Injection by the Microsoft Build Engine (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID User Sign-in with Unusual Authentication Type (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS CloudTrail Log Evasion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Okta AiTM Session Cookie Replay (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ PowerShell Obfuscation via Negative Index String Reversal (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS RDS DB Instance Made Public (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Dynamic IEX Reconstruction via Method String Access (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ File Permission Modification in Writable Directory (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ InstallUtil Process Making Network Connections (eql)
  • ❌ File Deletion via Shred (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Windows Subsystem for Linux Distribution Installed (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GCP Virtual Private Cloud Route Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Protection Admin Confirmed Compromise (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ DNS-over-HTTPS Enabled via Registry (eql)
  • ❌ Unusual Preload Environment Variable Process Execution (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Google Workspace Restrictions for Marketplace Modified to Allow Any App (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Execution via local SxS Shared Module (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious SolarWinds Web Help Desk Java Module Load or Child Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious MS Office Child Process (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Execution via GitHub Actions Runner (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS S3 Bucket Server Access Logging Disabled (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Shell History Clearing via Environment Variables (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Payload Execution via Shell Pipe Detected by Defend for Containers (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Execution via OpenClaw Agent (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID OAuth Device Code Grant by Microsoft Authentication Broker (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Exchange Email Safe Link Policy Disabled (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Google Workspace Password Policy Modified (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Persistence via Hidden Run Key Detected (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ System Log File Deletion (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GRUB Configuration Generation through Built-in Utilities (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Persistence via Login Hook (kuery)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Suspicious WerFault Child Process (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Git Hook Created or Modified (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ WPS Office Exploitation via DLL Hijack (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual AWS Command for a User (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Invoke-Mimikatz PowerShell Script (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Potential Command and Control via Internet Explorer (eql)
  • ❌ Suspicious Managed Code Hosting Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Signed Proxy Execution via MS Work Folders (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Decline in host-based traffic (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Portable Executable Encoded in Powershell Script (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious APT Package Manager Execution (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Communication App Child Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Suspicious File Creation via Kworker (eql)
  • ❌ Shared Object Created by Previously Unknown Process (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID OAuth Device Code Grant by Unusual User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Network Activity Detected via cat (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Timestomping using Touch Command (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ TCC Bypass via Mounted APFS Snapshot Access (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Netsh Helper DLL (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Dynamic IEX Reconstruction via Environment Variables (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubeconfig File Creation or Modification (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Hidden Directory Creation via Unusual Parent (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Network Connection via Compiled HTML File (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GenAI Process Compiling or Generating Executables (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Suspicious Endpoint Security Parent Process (eql)
  • ❌ Code Signing Policy Modification Through Built-in tools (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Delete an Okta Policy (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Clearing Windows Console History (eql)
  • ❌ Elastic Agent Service Terminated (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Privilege Escalation via Service ImagePath Modification (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Deactivate an Okta Policy (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ PowerShell Invoke-NinjaCopy script (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Network Connection via MsXsl (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ✅ UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface (eql)
  • ❌ Creation of Hidden Files and Directories via CommandLine (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ SolarWinds Process Disabling Services via Registry (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Windows Network Activity (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kernel Driver Load by non-root User (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS SQS Queue Purge (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Resource Group Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS EC2 Encryption Disabled (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Teams Custom Application Interaction Enabled (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Install Root Certificate (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Entra ID Conditional Access Policy (CAP) Modified (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Protection Alerts for User Detected (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Print Spooler Point and Print DLL (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Potential Privileged Escalation via SamAccountName Spoofing (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Execution via Windows Command Debugging Utility (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Host Detected with Suspicious Windows Process(es) (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS RDS DB Instance Restored (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious DLL Loaded for Persistence or Privilege Escalation (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Potential Privacy Control Bypass via Localhost Secure Copy (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ PowerShell Script with Windows Defender Tampering Capabilities (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Rare Azure Activity Logs Event Failures (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential RemoteMonologue Attack (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Mshta Making Network Connections (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Suspicious Usage of bpf_probe_write_user Helper (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Execution from VS Code Extension (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GenAI Process Performing Encoding/Chunking Prior to Network Activity (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Suspicious Print Spooler File Deletion (eql)
  • ❌ Unusual Base64 Encoding/Decoding Activity (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GCP Virtual Private Cloud Network Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Pod or Container Creation with Suspicious Command-Line (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Credential Access via Renamed COM+ Services DLL (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Potential CVE-2025-41244 vmtoolsd LPE Exploitation Attempt (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Microsoft Build Engine Started by an Office Application (eql)
  • ❌ Initramfs Unpacking via unmkinitramfs (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS IAM API Calls via Temporary Session Tokens (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Delete an Okta Network Zone (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID User Sign-in with Unusual Client (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Network Connection via DllHost (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Virtual Machine Fingerprinting via Grep (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Parent Process PID Spoofing (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Suspicious Startup Shell Folder Modification (eql)
  • ✅ Disabling Windows Defender Security Settings via PowerShell (eql)
  • ❌ Entra ID OAuth Authorization Code Grant for Unusual User, App, and Resource (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Masquerading as Communication Apps (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Exchange MFA Notification Email Deleted or Moved (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Remote Install via MsiExec (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Exchange Malware Filter Rule Modified (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unsigned DLL Side-Loading from a Suspicious Folder (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Abnormal Process ID or Lock File Created (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Google Workspace MFA Enforcement Disabled (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Multiple Device Token Hashes for Single Okta Session (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GCP Pub/Sub Subscription Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Deactivate an Okta Policy Rule (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Modification or Removal of an Okta Application Sign-On Policy (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Interpreter Execution Detected via Defend for Containers (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Anomalous Linux Compiler Activity (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Kernel Module Removal (eql)
  • ❌ MFA Deactivation with no Re-Activation for Okta User Account (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Okta User Session Impersonation (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential PowerShell HackTool Script by Function Names (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual City for an Azure Activity Logs Event (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GRUB Configuration File Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Shell Command-Line History Deletion Detected via Defend for Containers (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Kill Signal (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Domain Added to Google Workspace Trusted Domains (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Execution from Unusual Directory - Command Line (eql)
  • ✅ Registry Persistence via AppInit DLL (eql)
  • ✅ Symbolic Link to Shadow Copy Created (eql)
  • ❌ Entra ID ADRS Token Request by Microsoft Authentication Broker (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Expired or Revoked Driver Loaded (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ System Binary Symlink to Suspicious Location (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS EC2 Instance Console Login via Assumed Role (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Curl or Wget Egress Network Connection via LoLBin (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Microsoft Office Sandbox Evasion (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ AppArmor Profile Compilation via apparmor_parser (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Disabling User Account Control via Registry Modification (eql)
  • ❌ AppArmor Policy Interface Access (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Clearing Windows Event Logs (eql)
  • ❌ Potential PowerShell Obfuscation via Backtick-Escaped Variable Expansion (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kernel Module Load from Unusual Location (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Privilege Escalation via CAP_CHOWN/CAP_FOWNER Capabilities (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Privilege Escalation via Windir Environment Variable (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Delete an Okta Policy Rule (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual DPKG Execution (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS CloudWatch Log Stream Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Exchange Anti-Phish Policy Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Modification of WDigest Security Provider (eql)
  • ❌ M365 Exchange Malware Filter Policy Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Python Site or User Customize File Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Blob Storage Permissions Modified (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Apple Mail Rule Plist Modification (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Machine Account Relay Attack via SMB (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Untrusted Driver Loaded (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential REMCOS Trojan Execution (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS IAM Deactivation of MFA Device (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ NTDS Dump via Wbadmin (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Echo or Printf Execution Detected via Defend for Containers (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Windows Command Shell Arguments (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Code Signing Policy Modification Through Registry (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID MFA Disabled for User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Network-Level Authentication (NLA) Disabled (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Execution via Windows Subsystem for Linux (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Service Principal with Unusual Source ASN (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Content Extracted or Decompressed via Funzip (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Git Hook Command Execution (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Hidden Process via Mount Hidepid (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Dracut Module Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Country For a GCP Event (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Install or Run Kali Linux via WSL (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ NullSessionPipe Registry Modification (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ File Creation in /var/log via Suspicious Process (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Child Process from a System Virtual Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Base16 or Base32 Encoding/Decoding Activity (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Tampering with RUNNER_TRACKING_ID in GitHub Actions Runners (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Automation Account Created (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Dynamic Linker Copy (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential privilege escalation via CVE-2022-38028 (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Delayed Execution via Ping (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure VNet Firewall Policy Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potentially Suspicious Process Started via tmux or screen (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Event Hub Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS EC2 Route Table Created (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in Successful Logon Events from a Source IP (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Full Disk Access Permission Check (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious .NET Reflection via PowerShell (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Windows Subsystem for Linux Enabled via Dism Utility (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Suspicious Process Execution via Renamed PsExec Executable (eql)
  • ✅ Process Activity via Compiled HTML File (eql)
  • ❌ Entra ID Concurrent Sign-in with Suspicious Properties (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Persistence via a Hidden Plist Filename (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Modify an Okta Network Zone (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kerberos Pre-authentication Disabled for User (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Network Activity to a Suspicious Top Level Domain (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ MFA Disabled for Google Workspace Organization (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Execution of Persistent Suspicious Program (eql)
  • ❌ Potential Windows Session Hijacking via CcmExec (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Execution via Microsoft Common Console File (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS EC2 Route Table Modified or Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Outbound Network Connection via Unsigned Binary (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Protocol Tunneling via Yuze (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Network Connection by Cups or Foomatic-rip Child (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Service Control Spawned via Script Interpreter (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Installation of Security Support Provider (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Microsoft Graph Request Email Access by Unusual User and Client (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Host File System Changes via Windows Subsystem for Linux (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential PowerShell Obfuscation via String Reordering (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ High Number of Okta User Password Reset or Unlock Attempts (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Unusual Executable File Creation by a System Critical Process (eql)
  • ❌ AWS EC2 Serial Console Access Enabled (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Process Spawned by a Parent Process (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious APT Package Manager Network Connection (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Disabling of SELinux (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ IIS HTTP Logging Disabled (eql)
  • ❌ Process Execution from an Unusual Directory (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ File Execution Permission Modification Detected via Defend for Containers (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ ImageLoad via Windows Update Auto Update Client (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Privacy Control Bypass via TCCDB Modification (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ BPF filter applied using TC (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Child Processes of RunDLL32 (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious HTML File Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Quarantine Attrib Removed by Unsigned or Untrusted Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Diagnostic Settings Alert Suppression Rule Created or Modified (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Process Capability Set via setcap Utility (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS RDS DB Instance or Cluster Password Modified (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual City For a GCP Event (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Creation of Hidden Login Item via Apple Script (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ SIP Provider Modification (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Suspicious Network Connection via systemd (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential PowerShell Obfuscation via Reverse Keywords (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kill Command Execution (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Web Server Potential Command Injection Request (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ DPKG Package Installed by Unusual Parent Process (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Setcap setuid/setgid Capability Set (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Parent Process Detected with Suspicious Windows Process(es) (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Masquerading Space After Filename (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Windows Firewall Disabled via PowerShell (eql)
  • ❌ AWS RDS DB Instance or Cluster Deletion Protection Disabled (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Delete Volume USN Journal with Fsutil (eql)
  • ❌ SoftwareUpdate Preferences Modification (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ AWS KMS Key Policy Updated via PutKeyPolicy (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential PowerShell Obfuscation via String Concatenation (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Kerberos Coercion via DNS-Based SPN Spoofing (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS CloudWatch Alarm Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS Suspicious User Agent Fingerprint (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Modification of AmsiEnable Registry Key (eql)
  • ❌ Untrusted DLL Loaded by Azure AD Connect Authentication Agent (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Ingress Transfer via Windows BITS (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Activity Reported by Okta User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential PowerShell Obfuscation via High Numeric Character Proportion (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Antimalware Scan Interface DLL (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Disabling of AppArmor (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Network Connection via Registration Utility (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kernel Instrumentation Discovery via kprobes and tracefs (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Dylib Injection via Process Environment Variables (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Fake CAPTCHA Phishing Attack (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS Configuration Recorder Stopped (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Process Started with Executable Stack (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Elastic Defend Alert Followed by Telemetry Loss (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Proxy Execution via Console Window Host (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GitHub App Deleted (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Suspicious CertUtil Commands (eql)
  • ❌ System Binary Moved or Copied (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Microsoft Windows Defender Tampering (eql)
  • ❌ Potential Masquerading as Business App Installer (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Data Encrypted via OpenSSL Utility (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ MS Office Macro Security Registry Modifications (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Process Name Stomping with Prctl (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious JavaScript Execution via Deno (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS S3 Bucket Expiration Lifecycle Configuration Added (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Alternate Data Stream Creation/Execution at Volume Root Directory (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GCP Firewall Rule Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Sudo Token Manipulation via Process Injection (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious TCC Access Granted for User Folders (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@shashank-elastic shashank-elastic marked this pull request as draft May 4, 2026 14:38

Labels

backport: auto; Domain: Cloud; Domain: Endpoint; enhancement (New feature or request); Integration: AWS (AWS related rules); Integration: Azure (azure related rules); Integration: Endpoint (Elastic Endpoint Security); Integration: GCP (GCP related rules); Integration: Google Workspace; Integration: Microsoft 365; Integration: Okta (okta related rules); minor; ML (machine learning related rule); OS: Linux; python (Internal python for the repository); schema


Development

Successfully merging this pull request may close these issues.

[FR] Migrate rules from retired Defense Evasion tactic (Stealth TA0005 / Defense Impairment TA0112)

3 participants