Language: kql. License: Elastic-2.0. From elastic/detection-rules.
Interactive Shell Launched via Unusual Parent Process in a Container
Quality: 92
FP risk: —
Rule source: rules/linux/execution_unusual_interactive_process_inside_container.toml
event.category:process and host.os.type:linux and event.type:start and event.action:exec and
process.entry_leader.entry_meta.type:container and process.interactive:true and
process.name:(sh or bash or dash or tcsh or csh or zsh or ksh or fish) and
not (
process.parent.name:(dpkg or runc or tini or frontend or elastic-agent or agentbeat or dpkg-query or ansible-playbook or gpgv or apt or apt-get) or
process.parent.command_line:"runc init"
)