kqlElastic-2.0from elastic/detection-rules
AWS CLI Command with Custom Endpoint URL
Quality
92
FP risk
—
Forks
0
Views
0
Rule sourcerules/linux/command_and_control_aws_cli_endpoint_url_used.toml
host.os.type:"linux" and event.category:"process" and
event.action:("exec" or "exec_event" or "executed" or "process_started" or "ProcessRollup2") and
process.name:"aws" and process.args:"--endpoint-url"