kql | Elastic-2.0 | from elastic/detection-rules

Privileged Docker Container Creation

Quality: 92
Rule source: rules/linux/execution_potentially_overly_permissive_container_creation.toml

host.os.type:linux and event.category:process and event.type:start and
event.action:(exec or exec_event or start) and
process.name:docker and process.args:(run and --privileged)