Recipes Reference

Learn All Options and Values of Detection Recipes

Required Fields

  • kind: Unique identifier for the recipe type

  • name: Name of the specific recipe instance

  • version: Recipe version (numeric)

  • description: Brief description

  • mechanism: Detection mechanism type

  • breed: Detection category

  • tactic: MITRE ATT&CK tactic

  • technique: MITRE ATT&CK technique

  • subtechnique: MITRE ATT&CK sub-technique

  • importance: Severity level

File Action Values

Individual Actions:

  • fasync: Asynchronous notification (FASYNC/O_ASYNC) enabled on the file

  • flock: File locking operations

  • fsync: File synchronization

  • llseek: Seek operations (changes of the file offset)

  • mmap: Memory mapping operations

  • open: File open operations

  • read: File read operations

  • write: File write operations

  • rename: File rename operations

  • truncate: File truncation operations

  • unlink: File deletion operations

  • create: File creation operations

  • close: File close operations

  • link: Hard link operations

  • execve: The file is executed as a program

Action Matching:

  • how: How the listed actions must match the activity observed on a file

    • any: At least one of the listed actions matches

    • all: Every listed action must have been observed

Macros (expanded automatically):

Each macro expands to a fixed set of the individual actions above, so it can be used in place of listing the actions one by one. The number of actions each macro covers:

  • any: all 15 actions

  • open_related: 2 actions

  • read_related: 3 actions

  • modify_related: 7 actions

  • access_related: 12 actions

  • access_no_mmap_related: 11 actions (access_related without mmap, as the name indicates)

  • tamper_related: 4 actions

Times Kind Values

The times kind selects the scope in which the limit is counted:

  • times_per_proc: Per process

  • times_per_exe: Per executable

  • times_per_parent_proc: Per parent process

  • times_per_parent_exe: Per parent executable

  • times_per_full_ancestry: Per full process tree (the whole ancestry chain)

  • times_per_hostname: Per hostname

  • times_per_host: Global limit (one counter for the whole host)
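The scope names above only say what the limit is counted "per". The following is an added example, not the project's own code, that models each times kind as a grouping key and replays a constructed batch of events through a limit of one alert per key, so the difference between, for instance, times_per_exe and times_per_parent_exe becomes visible. The Event record shape, the assumption that a pid identifies a process within one agent's view, and the assumption that the limiter suppresses alerts once the count for a key is reached are assumptions of the example and are not taken from this page.

```python
"""Added example: which key each times_per_* kind groups alerts under.
Not the project's own code. Assumed (not from the page): the Event record
shape, that pids are unique within one agent's view, and that the limit
suppresses alerts once `limit` alerts have been emitted for a key."""
from collections import Counter
from dataclasses import dataclass

TIMES_KINDS = ("times_per_proc", "times_per_exe", "times_per_parent_proc",
               "times_per_parent_exe", "times_per_full_ancestry",
               "times_per_hostname", "times_per_host")


@dataclass(frozen=True)
class Event:
    hostname: str
    pid: int
    exe: str
    ppid: int
    parent_exe: str
    ancestry: tuple  # executables from the process up to init (assumed shape)


def scope_key(kind, ev):
    """Return the grouping key for a times kind; the limit counts per key."""
    if kind == "times_per_proc":
        return ("proc", ev.pid)
    if kind == "times_per_exe":
        return ("exe", ev.exe)
    if kind == "times_per_parent_proc":
        return ("parent_proc", ev.ppid)
    if kind == "times_per_parent_exe":
        return ("parent_exe", ev.parent_exe)
    if kind == "times_per_full_ancestry":
        return ("ancestry", ev.ancestry)
    if kind == "times_per_hostname":
        return ("hostname", ev.hostname)
    if kind == "times_per_host":
        return ("host",)  # global: every event shares one counter
    raise ValueError(f"unknown times kind: {kind!r}")


class TimesLimiter:
    """Emit at most `limit` alerts per scope key, suppress the rest."""

    def __init__(self, kind, limit):
        if kind not in TIMES_KINDS:
            raise ValueError(f"unknown times kind: {kind!r}")
        if limit < 1:
            raise ValueError("limit must be at least 1")
        self.kind = kind
        self.limit = limit
        self.counts = Counter()

    def allow(self, ev):
        """True if an alert for ev is emitted, False if it is suppressed."""
        key = scope_key(self.kind, ev)
        if self.counts[key] >= self.limit:
            return False
        self.counts[key] += 1
        return True


def replay(kind, limit, events):
    """Run events through a fresh limiter; one bool per event."""
    limiter = TimesLimiter(kind, limit)
    return [limiter.allow(ev) for ev in events]


# Constructed sample: curl launched from several shells on two hosts.
A_BASH = ("/usr/bin/curl", "/bin/bash", "/sbin/init")
A_PY = ("/usr/bin/curl", "/usr/bin/python3", "/sbin/init")
A_SSH = ("/usr/bin/curl", "/bin/bash", "/usr/sbin/sshd", "/sbin/init")
EVENTS = [
    Event("web-1", 101, "/usr/bin/curl", 50, "/bin/bash", A_BASH),
    Event("web-1", 102, "/usr/bin/curl", 50, "/bin/bash", A_BASH),
    Event("web-1", 103, "/usr/bin/curl", 60, "/usr/bin/python3", A_PY),
    Event("web-1", 101, "/usr/bin/curl", 50, "/bin/bash", A_BASH),  # pid 101 again
    Event("web-1", 104, "/usr/bin/curl", 70, "/bin/bash", A_SSH),
    Event("web-1", 105, "/usr/bin/curl", 80, "/bin/bash", A_BASH),
    Event("web-2", 201, "/usr/bin/curl", 50, "/bin/bash", A_BASH),
]


def compare_scopes(events=EVENTS, limit=1):
    """Map each times kind to the emit/suppress pattern it produces."""
    return {kind: replay(kind, limit, events) for kind in TIMES_KINDS}


if __name__ == "__main__":
    for kind, pattern in compare_scopes().items():
        print(f"{kind:28s}", "".join("E" if p else "." for p in pattern))
```

With the constructed events and a limit of 1, times_per_exe fires once for the whole batch, times_per_parent_exe fires once per distinct parent binary, times_per_parent_proc once per distinct parent pid, and times_per_full_ancestry once per distinct chain; times_per_hostname and times_per_host only differ when the batch carries more than one hostname.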

Classification Values

Mechanism:

  • file_access

  • execution

  • network_peers

  • baseline

Breed:

  • file_access

  • execution

  • remote_domains

  • remote_ips

  • local_domains

  • local_ips

Importance:

  • low

  • medium

  • high

  • critical
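The required fields, the file action values with their `how` rule, and the classification values above together define what a well-formed recipe may contain. The following is an added example, not the project's own code, that checks a recipe against those tables and then applies the `any`/`all` rule to the actions observed on a file. It assumes, without support from this page, that the recipe is the mapping yaml.safe_load() would return, that the file actions live under recipe["file"]["actions"] with the match mode at recipe["file"]["how"], and that a missing `how` means `any`; the sample recipe and its tactic/technique spellings are constructed placeholders.

```python
"""Added example: check a recipe against the required fields and value
tables on this page, then apply the `how` rule to observed file actions.
Not the project's own code. Assumed (not from the page): the recipe is the
mapping yaml.safe_load() returns, file actions sit under
recipe["file"]["actions"] with the match mode at recipe["file"]["how"],
and a missing `how` means `any`."""

REQUIRED_FIELDS = ("kind", "name", "version", "description", "mechanism",
                   "breed", "tactic", "technique", "subtechnique", "importance")
MECHANISMS = {"file_access", "execution", "network_peers", "baseline"}
BREEDS = {"file_access", "execution", "remote_domains", "remote_ips",
          "local_domains", "local_ips"}
IMPORTANCE = {"low", "medium", "high", "critical"}
FILE_ACTIONS = {"fasync", "flock", "fsync", "llseek", "mmap", "open", "read",
                "write", "rename", "truncate", "unlink", "create", "close",
                "link", "execve"}
ACTION_MACROS = {"any", "open_related", "read_related", "modify_related",
                 "access_related", "access_no_mmap_related", "tamper_related"}
HOW_VALUES = {"any", "all"}


def validate_recipe(recipe):
    """Return a list of problems; an empty list means the recipe passes."""
    problems = []
    for field in REQUIRED_FIELDS:
        if field not in recipe:
            problems.append(f"missing required field: {field}")
    version = recipe.get("version")
    if version is not None and (isinstance(version, bool)
                                or not isinstance(version, (int, float))):
        problems.append(f"version: expected a number, got {version!r}")
    for field, allowed in (("mechanism", MECHANISMS), ("breed", BREEDS),
                           ("importance", IMPORTANCE)):
        value = recipe.get(field)
        if value is not None and value not in allowed:
            problems.append(f"{field}: {value!r} not one of {sorted(allowed)}")
    file_section = recipe.get("file")
    if file_section is not None:
        how = file_section.get("how", "any")
        if how not in HOW_VALUES:
            problems.append(f"file.how: {how!r} must be 'any' or 'all'")
        actions = file_section.get("actions", [])
        if not actions:
            problems.append("file.actions: no actions listed")
        for action in actions:
            if action not in FILE_ACTIONS | ACTION_MACROS:
                problems.append(f"file.actions: unknown action {action!r}")
    return problems


def actions_match(recipe, observed):
    """Apply the recipe's `how` rule to the actions seen on one file.

    `any`: at least one listed action was observed.
    `all`: every listed action was observed.
    Macros expand through the tool's own table, which this example does not
    reproduce, so only explicit action names are accepted here."""
    file_section = recipe["file"]
    wanted = set(file_section["actions"])
    macros = wanted & ACTION_MACROS
    if macros:
        raise ValueError(f"expand macros first: {sorted(macros)}")
    seen = set(observed)
    if file_section.get("how", "any") == "all":
        return wanted <= seen
    return bool(wanted & seen)


# Constructed sample recipe; the tactic/technique spellings are placeholders.
SAMPLE_RECIPE = {
    "kind": "example_ssh_private_key_access",
    "name": "example_ssh_private_key_read",
    "version": 1,
    "description": "Example: a process opens and reads an SSH private key.",
    "mechanism": "file_access",
    "breed": "file_access",
    "tactic": "credential_access",
    "technique": "unsecured_credentials",
    "subtechnique": "private_keys",
    "importance": "high",
    "file": {"how": "all", "actions": ["open", "read"]},
}


if __name__ == "__main__":
    print(validate_recipe(SAMPLE_RECIPE))                           # []
    print(actions_match(SAMPLE_RECIPE, ["open", "read", "close"]))  # True
    print(actions_match(SAMPLE_RECIPE, ["open", "close"]))          # False
```

The `how: all` recipe above does not fire on a file that was only opened and closed; switching it to `how: any` makes either `open` or `read` alone sufficient, which is the usual trade-off between fewer false positives and earlier detection.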
