critical / advisory
Multiple Rare Elastic Defend Behavior Rules Triggered on Single Host
2 rules, 8 TTPs
This rule identifies hosts triggering multiple distinct, globally rare Elastic Defend behavior rules, increasing the likelihood of detecting compromised hosts while reducing false positives.
Tags: threat-detection, higher-order-rule, elastic-defend
critical / advisory
Elastic Defend Alert from Package Manager Install Ancestry
3 rules, 1 TTP
This rule detects Elastic Defend alerts where the alerted process has a package-manager install context in its ancestry (npm, PyPI, Rust), indicating potential supply chain compromise via malicious postinstall scripts.
Tags: supply-chain, initial-access, package-manager, elastic-defend, post-install
low / advisory
Unusual Process Writing Data to an External Device via Machine Learning
2 rules, 1 TTP
A machine learning job detects a rare process writing data to an external device, potentially indicating data exfiltration masked by benign-looking processes.
Tags: data-exfiltration, machine-learning, elastic-defend