Adversary Behavior - Detected - Elastic Endgame

Elastic Endgame detected an Adversary Behavior. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.

Elastic rule (View on GitHub)

```toml
[metadata]
creation_date = "2020/02/18"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/01/17"
promotion = true

[rule]
author = ["Elastic"]
description = """
Elastic Endgame detected an Adversary Behavior. Click the Elastic Endgame icon in the event.module column or the
link in the rule.reference column for additional information.
"""
from = "now-15m"
index = ["endgame-*"]
interval = "10m"
language = "kuery"
license = "Elastic License v2"
max_signals = 10000
name = "Adversary Behavior - Detected - Elastic Endgame"
risk_score = 47
rule_id = "77a3c3df-8ec4-4da4-b758-878f551dee69"
severity = "medium"
tags = ["Data Source: Elastic Endgame"]
type = "query"
timestamp_override = "event.ingested"

query = '''
event.kind:alert and event.module:endgame and (event.action:behavior_protection_event or endgame.event_subtype_full:behavior_protection_event)
'''
```
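To see which events the rule promotes to signals, the following added example (not Elastic's code) re-implements the KQL predicate above and the `from = "now-15m"` / `timestamp_override = "event.ingested"` window in plain Python and runs it over a few constructed `endgame-*` documents. It assumes the fields are keyword-mapped (so `field:value` is an exact match) and that documents arrive as flat dicts keyed by dotted ECS field names.

```python
from datetime import datetime, timedelta

# The query string as it appears in the rule, kept here for reference.
RULE_QUERY = (
    "event.kind:alert and event.module:endgame and "
    "(event.action:behavior_protection_event or "
    "endgame.event_subtype_full:behavior_protection_event)"
)

def _ts(iso: str) -> datetime:
    # event.ingested is an ISO-8601 UTC timestamp; fromisoformat wants +00:00, not Z.
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))

def matches_rule(event: dict) -> bool:
    """True when `event` satisfies RULE_QUERY (assumed keyword fields, exact match;
    a missing field simply does not match)."""
    return (
        event.get("event.kind") == "alert"
        and event.get("event.module") == "endgame"
        and (
            event.get("event.action") == "behavior_protection_event"
            or event.get("endgame.event_subtype_full") == "behavior_protection_event"
        )
    )

def in_lookback(event: dict, now: datetime, lookback=timedelta(minutes=15)) -> bool:
    """Window check: the rule runs every 10m over now-15m keyed on event.ingested,
    so consecutive runs overlap by 5m and late-ingested events are still caught."""
    ingested = _ts(event["event.ingested"])
    return now - lookback <= ingested <= now

def run_rule(events: list, now_iso: str) -> list:
    """Return the constructed `id` of every event that would become a signal."""
    now = _ts(now_iso)
    return [e["id"] for e in events if matches_rule(e) and in_lookback(e, now)]

# Constructed sample documents (not real Endgame data).
SAMPLE_EVENTS = [
    {"id": "a1", "event.kind": "alert", "event.module": "endgame",
     "event.action": "behavior_protection_event", "event.ingested": "2024-01-17T10:00:00Z"},
    {"id": "a2", "event.kind": "alert", "event.module": "endgame",  # matches via the second field
     "endgame.event_subtype_full": "behavior_protection_event", "event.ingested": "2024-01-17T09:50:00Z"},
    {"id": "a3", "event.kind": "alert", "event.module": "endgame",  # matches, but ingested 20m ago
     "event.action": "behavior_protection_event", "event.ingested": "2024-01-17T09:40:00Z"},
    {"id": "a4", "event.kind": "event", "event.module": "endgame",  # not an alert
     "event.action": "behavior_protection_event", "event.ingested": "2024-01-17T10:00:00Z"},
    {"id": "a5", "event.kind": "alert", "event.module": "endpoint",  # different data source
     "event.action": "behavior_protection_event", "event.ingested": "2024-01-17T10:00:00Z"},
]

if __name__ == "__main__":
    print(run_rule(SAMPLE_EVENTS, "2024-01-17T10:00:00Z"))  # ['a1', 'a2']
```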
