flow: Captures and logs network flow data, including source and destination addresses, ports, and protocols
capabilities_modification: Detects changes to file capabilities
code_modification_through_procfs: Detects code modifications via /proc
core_pattern_access: Monitors access to core pattern configurations
cpu_fingerprint: Identifies unique CPU fingerprints for anomaly detection
credentials_files_access: Tracks access to credential files
filesystem_fingerprint: Detects changes in filesystem signatures
java_debug_lib_load: Monitors loading of Java debug libraries
java_instrument_lib_load: Tracks loading of Java instrumentation libraries
machine_fingerprint: Identifies unique machine fingerprints
os_fingerprint: Detects changes in OS signatures
os_network_fingerprint: Monitors OS network-related fingerprints
os_status_fingerprint: Tracks OS status changes
package_repo_config_modification: Detects modifications to package repository configurations
pam_config_modification: Monitors changes to PAM configurations
sched_debug_access: Detects access to scheduler debug interfaces
shell_config_modification: Tracks changes to shell configurations
ssl_certificate_access: Monitors access to SSL certificates
sudoers_modification: Detects changes to sudoers files
sysrq_access: Tracks access to sysrq functionality
unprivileged_bpf_config_access: Detects access to unprivileged BPF configuration
global_shlib_modification: Monitors modifications to global shared libraries
environ_read_from_procfs: Detects reading of environment variables from procfs
binary_self_deletion: Detects executable self-deletion
crypto_miner_files: Detects access to files related to crypto mining
auth_logs_tamper: Detects tampering with authentication log files
binary_executed_by_loader: Detects binaries executed via the ELF loader
code_on_the_fly: Monitors dynamic code execution
denial_of_service_tools: Detects the use of denial-of-service tools
exec_from_unusual_dir: Tracks executions from non-standard directories
file_attribute_change: Detects changes to file attributes
hidden_elf_exec: Identifies hidden ELF executions
interpreter_shell_spawn: Monitors the spawning of interpreter shells
net_filecopy_tool_exec: Detects the execution of network file copy tools
net_mitm_tool_exec: Identifies man-in-the-middle network tool executions
net_scan_tool_exec: Detects network scanning tool executions
net_sniff_tool_exec: Monitors the use of network sniffing tools
net_suspicious_tool_exec: Detects suspicious network tool executions
net_suspicious_tool_shell: Identifies suspicious tool shells in network contexts
passwd_usage: Tracks usage of the passwd command
runc_suspicious_exec: Detects suspicious executions related to runc
webserver_exec: Detects web server daemon startup
webserver_shell_exec: Detects a shell spawned by a web server
crypto_miner_execution: Detects execution of crypto miners
adult_domain_access: Detects access to adult content domains
badware_domain_access: Detects access to known malware or suspicious domains
dyndns_domain_access: Detects access to dynamic DNS services
fake_domain_access: Detects access to fake or spoofed domains
gambling_domain_access: Detects access to gambling-related domains
piracy_domain_access: Detects access to piracy-related domains
plaintext_communication: Detects unencrypted network communications
threat_domain_access: Detects access to known threat domains
tracking_domain_access: Detects access to tracking and analytics domains
vpnlike_domain_access: Detects access to VPN-like service domains
dropip: Alerts when network flows are dropped by an existing policy due to CIDR or domain name restrictions
dropdomain: Alerts when domain resolutions are dropped by an existing policy due to domain name restrictions