KQL | Elastic-2.0 | from elastic/detection-rules
File Creation in /var/log via Suspicious Process
Quality: 92 | FP risk: —
Rule source: rules/linux/defense_evasion_var_log_file_creation_by_unsual_process.toml
event.category:file and host.os.type:linux and event.action:(creation or file_create_event or file_rename_event or rename) and
(process.executable:(/tmp/* or /var/tmp/* or /dev/shm/* or ./* or /boot/*) or process.name:.*) and
file.path:/var/log/* and not file.extension:* and
not process.executable:("./usr/bin/podman" or "./install" or /tmp/vmis.*/install/vmware-installer/vmis-launcher or /tmp/ubuntu-release-upgrader-*)