high
threat
Suspicious Web Server Child Process Execution via Elastic Defend for Containers
2 rules, 3 TTPs
This rule detects exploitation of a web server through the execution of a suspicious process by a common web server user account within a containerized environment, which may indicate that a web shell was uploaded to maintain access to the system. It covers the persistence, execution, and command and control tactics.
Elastic Defend for Containers
Data Source: Elastic Defend for Containers
Domain: Container
OS: Linux
Use Case: Threat Detection
Tactic: Persistence
Tactic: Execution
Tactic: Command and Control
Resources: Investigation Guide
critical
advisory
LLM-Based Compromised User Triage
2 rules, 2 TTPs
This rule correlates multiple security alerts involving the same user, analyzes them with an LLM, and flags potentially compromised accounts based on MITRE tactics, geographic anomalies, and multi-host activity, helping analysts prioritize users exhibiting indicators of credential theft or unauthorized access.
Elastic Cloud
Domain: Identity
Domain: LLM
Use Case: Threat Detection
Use Case: Identity and Access Audit
Resources: Investigation Guide
Rule Type: Higher-Order Rule