The SIEM app is now a part of the Elastic Security solution.
IMPORTANT: No additional bug fixes or documentation updates will be released for this version.
Prebuilt rule changes per release
This functionality is in beta and is subject to change. The design and code are less mature than official GA features and are provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
The following lists prebuilt rule updates per release. Only rules with significant modifications to their query or scope are listed. For detailed information about a rule’s changes, see the rule’s description page.
7.8.0
These prebuilt rules have been updated:
7.7.0
These prebuilt rules have been removed:
- Execution via Signed Binary
- Suspicious Process spawning from Script Interpreter
- Suspicious Script Object Execution
These prebuilt rules have been updated:
- Adding Hidden File Attribute via Attrib
- Adversary Behavior - Detected - Elastic Endpoint
- Clearing Windows Event Logs
- Command Prompt Network Connection
- Credential Dumping - Detected - Elastic Endpoint
- Credential Dumping - Prevented - Elastic Endpoint
- Credential Manipulation - Detected - Elastic Endpoint
- Credential Manipulation - Prevented - Elastic Endpoint
- DNS Activity to the Internet
- Delete Volume USN Journal with Fsutil
- Deleting Backup Catalogs with Wbadmin
- Direct Outbound SMB Connection
- Disable Windows Firewall Rules via Netsh
- Encoding or Decoding Files via CertUtil
- Exploit - Detected - Elastic Endpoint
- Exploit - Prevented - Elastic Endpoint
- FTP (File Transfer Protocol) Activity to the Internet
- Hping Process Activity
- IRC (Internet Relay Chat) Protocol Activity to the Internet
- Local Scheduled Task Commands
- Local Service Commands
- Malware - Detected - Elastic Endpoint
- Malware - Prevented - Elastic Endpoint
- Mknod Process Activity
- MsBuild Making Network Connections
- Netcat Network Activity
- Network Connection via Compiled HTML File
- Network Connection via Mshta
- Network Connection via Regsvr
- Network Connection via Signed Binary
- Network Sniffing via Tcpdump
- Nmap Process Activity
- Nping Process Activity
- Permission Theft - Detected - Elastic Endpoint
- Permission Theft - Prevented - Elastic Endpoint
- Persistence via Kernel Module Modification
- Potential DNS Tunneling via Iodine
- Potential Modification of Accessibility Binaries
- Process Injection - Detected - Elastic Endpoint
- Process Injection - Prevented - Elastic Endpoint
- Proxy Port Activity to the Internet
- PsExec Network Connection
- RDP (Remote Desktop Protocol) from the Internet
- RDP (Remote Desktop Protocol) to the Internet
- RPC (Remote Procedure Call) from the Internet
- RPC (Remote Procedure Call) to the Internet
- Ransomware - Detected - Elastic Endpoint
- Ransomware - Prevented - Elastic Endpoint
- SMB (Windows File Sharing) Activity to the Internet
- SMTP to the Internet
- SQL Traffic to the Internet
- SSH (Secure Shell) from the Internet
- SSH (Secure Shell) to the Internet
- Socat Process Activity
- Strace Process Activity
- Suspicious MS Office Child Process
- Suspicious MS Outlook Child Process
- System Shells via Services
- TCP Port 8000 Activity to the Internet
- Tor Activity to the Internet
- Trusted Developer Application Usage
- Unusual Network Connection via RunDLL32
- Unusual Parent-Child Relationship
- Unusual Process Execution - Temp
- Unusual Process Network Connection
- User Account Creation
- User Discovery via Whoami
- VNC (Virtual Network Computing) from the Internet
- VNC (Virtual Network Computing) to the Internet
- Volume Shadow Copy Deletion via VssAdmin
- Volume Shadow Copy Deletion via WMIC
- Web Application Suspicious Activity: No User Agent
- Windows Script Executing PowerShell
7.6.2
This prebuilt rule has been updated:
7.6.1
These prebuilt rules have been updated:
- DNS Activity to the Internet
- FTP (File Transfer Protocol) Activity to the Internet
- IPSEC NAT Traversal Port Activity
- IRC (Internet Relay Chat) Protocol Activity to the Internet
- PPTP (Point to Point Tunneling Protocol) Activity
- Potential Shell via Web Server
- Proxy Port Activity to the Internet
- RDP (Remote Desktop Protocol) from the Internet
- RDP (Remote Desktop Protocol) to the Internet
- RPC (Remote Procedure Call) from the Internet
- RPC (Remote Procedure Call) to the Internet
- SMB (Windows File Sharing) Activity to the Internet
- SMTP on Port 26/TCP
- SMTP to the Internet
- SQL Traffic to the Internet
- SSH (Secure Shell) from the Internet
- SSH (Secure Shell) to the Internet
- TCP Port 8000 Activity to the Internet
- Telnet Port Activity
- Tor Activity to the Internet
- VNC (Virtual Network Computing) from the Internet
- VNC (Virtual Network Computing) to the Internet