Recipes Reference

Learn All Options and Values of Detection Recipes

Required Fields

kind: Unique identifier for the recipe type
name: Name of the specific recipe instance
version: Recipe version (numeric)
description: Brief description
mechanism: Detection mechanism type
breed: Detection category
tactic: MITRE ATTACK tactic
technique: MITRE ATTACK technique
subtechnique: MITRE ATTACK sub-technique
importance: Severity level

File Action Values

Individual Actions:

fasync: File asynchronous operations
flock: File locking operations
fsync: File synchronization
llseek: Low-level seek operations
mmap: Memory mapping operations
open: File open operations
read: File read operations
write: File write operations
rename: File rename operations
truncate: File truncation operations
unlink: File deletion operations
create: File creation operations
close: File close operations
link: Hard link operations
execve: Executable file operations

Action Matching:

how: Specifies how actions should match
- any: Any action matches
- all: All actions must match

Macros (expanded automatically):

Macro vs Actions

fasync

flock

fsync

llseek

mmap

open

read

write

rename

truncate

unlink

create

link

execve

any

✅

open_related

✅

read_related

✅

modify_related

✅

access_related

✅

access_no_mmap_related

✅

tamper_related

✅

Times Kind Values

Limit Type

Scope Description

times_per_proc

Per process

times_per_exe

Per executable

times_per_parent_proc

Per parent process

times_per_parent_exe

Per parent executable

times_per_full_ancestry

Per full process tree

times_per_hostname

Per hostname

times_per_host

Global limit

Classification Values

Mechanism:

file_access
execution
network_peers
baseline

Breed:

file_access
execution
remote_domains
remote_ips
local_domains
local_ips

Importance:

low
medium
high
critical

PreviousCreate Recipes NextBuiltin Recipes

Last updated 3 months ago

Was this helpful?