kqlElastic-2.0from elastic/detection-rules
Linux Clipboard Activity Detected
Quality
92
FP risk
—
Forks
0
Views
0
ATT&CK techniques
Rule sourcerules/linux/collection_linux_clipboard_activity.toml
event.category:process and host.os.type:"linux" and event.type:"start" and
event.action:("exec" or "exec_event" or "executed" or "process_started" or "start") and
process.name:("xclip" or "xsel" or "wl-clipboard" or "clipman" or "copyq") and
not process.parent.name:("bwrap" or "micro")