kql | Elastic-2.0 | from elastic/detection-rules
RPM Package Installed by Unusual Parent Process
Quality: 92
FP risk: —
Rule source: rules/linux/persistence_rpm_package_installation_from_unusual_parent.toml
host.os.type:linux and event.category:process and event.type:start and event.action:exec and process.name:rpm and
process.args:("-i" or "--install")