KQL | Elastic-2.0 | from elastic/detection-rules

Unusual Preload Environment Variable Process Execution

Rule source: rules/linux/defense_evasion_unusual_preload_env_vars.toml
event.category:process and host.os.type:linux and event.type:start and event.action:exec and process.env_vars:* and
not (
  process.parent.executable:(/snap/* or "/opt/infraonagent/infraonwindowsagent" or "/worker/Capa/capa") or
  process.parent.name:"cmk-update-agent"
)
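As an added illustration, not part of the rule or of the elastic/detection-rules repository, the following Python evaluates the query above against constructed ECS-shaped events. It implements the filter literally as the page shows it (process.env_vars:* only requires a non-empty field), treating /snap/* as a KQL wildcard and the remaining parent executables and parent name as exact values; the helper names get_field, field_is, rule_matches and make_event are assumed here.

```python
from fnmatch import fnmatchcase

# Parent exclusions copied from the rule above: "/snap/*" is a KQL wildcard
# prefix, the other executables and the parent name are exact values.
EXCLUDED_PARENT_EXECUTABLES = (
    "/snap/*",
    "/opt/infraonagent/infraonwindowsagent",
    "/worker/Capa/capa",
)
EXCLUDED_PARENT_NAMES = ("cmk-update-agent",)

def get_field(event: dict, dotted: str):
    """Resolve an ECS dotted field name such as 'process.parent.name'."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def field_is(event: dict, dotted: str, value: str) -> bool:
    """KQL 'field:value': exact match, or membership when the field is an array."""
    found = get_field(event, dotted)
    return value in found if isinstance(found, list) else found == value

def rule_matches(event: dict) -> bool:
    """True when one ECS event satisfies the query above, False otherwise."""
    if not (field_is(event, "event.category", "process")
            and field_is(event, "host.os.type", "linux")
            and field_is(event, "event.type", "start")
            and field_is(event, "event.action", "exec")):
        return False
    # 'process.env_vars:*' only asks that the field exist and be non-empty
    if not get_field(event, "process.env_vars"):
        return False
    parent_exe = get_field(event, "process.parent.executable") or ""
    if any(fnmatchcase(parent_exe, pat) for pat in EXCLUDED_PARENT_EXECUTABLES):
        return False
    return get_field(event, "process.parent.name") not in EXCLUDED_PARENT_NAMES

def make_event(parent_exe: str, parent_name: str, env_vars: list, os_type="linux") -> dict:
    """Constructed minimal ECS-shaped process-start event (sample data, not real telemetry)."""
    return {
        "event": {"category": ["process"], "type": ["start"], "action": "exec"},
        "host": {"os": {"type": os_type}},
        "process": {"env_vars": env_vars,
                    "parent": {"executable": parent_exe, "name": parent_name}},
    }
```

Feeding make_event() results through rule_matches() shows which starts the rule keeps and which the parent exclusions drop; note that the exact-value exclusions do not act as prefixes.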