Skip to content

List of Detection Categories and their Individual Detections - 4.3.0

This section lists three categories of Detections:

  • Detection Analytics
  • Smart Policy
  • Audit

You can find an overview of each of those categories here.

Note

Any detections listed in italics are disabled by default, and must be manually enabled. To enable a disabled detection, see Adjusting default detections.

Detection Analytics

Below is a list of the detection classes bundled in Detection Analytics, including the individual detections that comprise each detection class. Each detection's corresponding MITRE ATT&CK categories and considerations are also shown. 

Application Exploitation

Memory Corruption

Detection NameDefault StateDescriptionDeployment ConsiderationsATT&CK Techniques
Memory Marked ExecutableDisabled

Alerts when a program sets heap or stack memory permissions to executable.

None

T1203

T1190

Repeated Program CrashesEnabled

Alerts when more than 5 instances of an individual program crash via segmentation fault.

None

T1203

T1190

Userfaultfd UsageEnabled

Alerts when a newly-created binary executes the userfaultfd system call, which is commonly used during exploitation. This detection won't fire unless the New File Executed or New File Executed in Container detections are enabled, and will only alert for kernels that support userfaultfd (kernels 4.3+)

None

T1203


New File Behavior

Detection NameDefault StateDescriptionDeployment ConsiderationsATT&CK Techniques
New File Executed in ContainerDisabled

Alerts when a file that has been created or modified within 30 minutes is then executed within a container.

Can cause a negative performance impact on file-heavy workloads.

T1190

Userfaultfd UsageEnabled

Alerts when a newly-created binary executes the userfaultfd system call, which is commonly used during exploitation. This detection won't fire unless the New File Executed or New File Executed in Container detections are enabled, and will only alert for kernels that support userfaultfd (kernels 4.3+)

None

T1203


Unusual Application Behavior

Detection NameDefault StateDescriptionDeployment ConsiderationsATT&CK Techniques
Compromised Shell Session DetectedDisabled

Alerts if a shell has executed several commands common to post-exploitation discovery activities.

None

T1059

New File Executed in ContainerDisabled

Alerts when a file that has been created or modified within 30 minutes is then executed within a container.

Can cause a negative performance impact on file-heavy workloads.

T1190

Repeated Program CrashesEnabled

Alerts when more than 5 instances of an individual program crash via segmentation fault.

None

T1203

T1190

Suspicious Interactive ShellEnabled

Alerts when an interactive shell is started with arguments commonly used for reverse shells.

None

T1059

T1190

Suspicious Interactive Shell AdvancedDisabled

Alerts when an interactive shell is started with arguments commonly used for reverse shells, started in a container, or started as a child of a network service that is not SSH.

None

T1059

T1190


Persistence

Kernel Backdoors

Detection NameDefault StateDescriptionDeployment ConsiderationsATT&CK Techniques
BPF Program ExecutedEnabled

Alerts when a BPF program is loaded by a process that is already part of an ongoing incident. This could indicate that an attacker is loading a BPF-based rootkit to gain persistence and avoid detection.

None

T1014

T1215

Kernel Module LoadedEnabled

Alerts when a kernel module is loaded, if the program is already part of an ongoing incident.

None

T1014

T1215


Userland Backdoors

Detection NameDefault StateDescriptionDeployment ConsiderationsATT&CK Techniques
Suspicious Program Name Executed-Space After FileEnabled

Alerts when a program is executed with a space after the program name, commonly used to masquerade as a legitimate system service.

None

T1151


System Exploitation

Common Kernel Exploitation Methods

Detection NameDefault StateDescriptionDeployment ConsiderationsATT&CK Techniques
Illegal Elevation Of PrivilegesDisabled

Alerts when a program attempts to elevate privileges through unusual means.

None

T1068

Kernel ExploitEnabled

Alerts when a kernel function unexpectedly returns to userland.

None

T1212

T1211

T1068

Processor-Level Protections DisabledEnabled

Alerts when a program tampers with the kernel SMEP/SMAP configuration.

This detection is not functional for kernels between v4.19 and v5.2 (inclusive) as kernel code changes removed visibility of attempts to modify SMEP/SMAP configuration.

T1089


Container Escapes

Detection NameDefault StateDescriptionDeployment ConsiderationsATT&CK Techniques
Container Escape via Kernel ExploitationEnabled

Alerts when a program uses kernel functions commonly used in container escape exploits.

None

T1212

T1211

T1068

RunC Container EscapeDisabled

Alerts when a modification is detected of the runc binary by a non-package manager, such as with CVE-2019-5736

Can cause a negative performance impact on file-heavy workloads.

T1068

Userland Container EscapeEnabled

Alerts when a container-created file is executed from the host namespace, which indicates a possible container escape

None

T1068


Privilege Escalation

Detection NameDefault StateDescriptionDeployment ConsiderationsATT&CK Techniques
Illegal Elevation Of PrivilegesDisabled

Alerts when a program attempts to elevate privileges through unusual means.

None

T1068


Tampering of Security Mechanisms

Detection NameDefault StateDescriptionDeployment ConsiderationsATT&CK Techniques
AppArmor Disabled In KernelEnabled

Alerts when the AppArmor state is changed from the AppArmor configuration detected when the sensor starts.

If the kernel in use doesn't use AppArmor, an error may be logged for this detection when the sensor starts.

T1089

AppArmor Profile ModifiedEnabled

Alerts when a command for modifying an AppArmor profile is executed, if it was not disabled by a user in an SSH session.

None

T1089

Processor-Level Protections DisabledEnabled

Alerts when a program tampers with the kernel SMEP/SMAP configuration.

This detection is not functional for kernels between v4.19 and v5.2 (inclusive) as kernel code changes removed visibility of attempts to modify SMEP/SMAP configuration.

T1089

SELinux Disabled In KernelEnabled

Alerts when the SELinux state in the kernel has been changed from the SELinux configuration detected when the sensor starts. This indicates that SELinux has been disabled by a kernel exploit or rootkit.

If the kernel in use doesn't use SELinux, an error may be logged for this detection when the sensor starts.

T1089

SELinux Enforcement Mode Disabled From UserlandEnabled

Alerts when SELinux enforcement mode is disabled.

None

T1089


Smart Policy 

Below is a list of the detection classes bundled in Smart Policy, including the individual detections that comprise each detection class. Each detection's corresponding MITRE ATT&CK categories and considerations are also shown.


File Activity

Changes to System Binaries

Detection NameDefault StateDescriptionDeployment ConsiderationsATT&CK Techniques
Boot Files ModifiedDisabled

Alerts when changes are made to files in /boot, indicating installation of a new kernel or boot configuration.

Can cause a negative performance impact on file-heavy workloads.

T1067


Configuration Changes

Detection NameDefault StateDescriptionDeployment ConsiderationsATT&CK Techniques
Root Certificate Store ModifiedDisabled

Alerts when a system CA certificate store is changed.

Can cause a negative performance impact on file-heavy workloads.

T1130


Indicator Removal

Detection NameDefault StateDescriptionDeployment ConsiderationsATT&CK Techniques
Log Files DeletedDisabled

Alerts on deletion of log files.

Can cause a negative performance impact on file-heavy workloads.

T1107

T1070


New File Behavior

Detection NameDefault StateDescriptionDeployment ConsiderationsATT&CK Techniques
New File ExecutedDisabled

Alerts when a file that has been created or modified within 30 minutes is then executed. Excludes files created by system update programs.

Can cause a negative performance impact on file-heavy workloads.

T1190


Privileged File Operations

Detection NameDefault StateDescriptionDeployment ConsiderationsATT&CK Techniques
Setuid/Setgid Bit Set On FileEnabled

Alerts when the setuid or setgid bit's set on a file with chmod.

None

T1166


System Configuration Changes

Detection NameDefault StateDescriptionDeployment ConsiderationsATT&CK Techniques
Systemd Unit File ModifiedDisabled

Alerts whenever a systemd unit file is modified by a program other than systemctl.

Can cause a negative performance impact on file-heavy workloads.

T1501


Unusual Files Created

Detection NameDefault StateDescriptionDeployment ConsiderationsATT&CK Techniques
Hidden File CreatedDisabled

Alerts when a hidden file is created by a process associated with an ongoing incident.

Can cause a negative performance impact on file-heavy workloads.

T1158


Network Activity

Discovery

Detection NameDefault StateDescriptionDeployment ConsiderationsATT&CK Techniques
Cloud Metadata API AccessedEnabled

Alerts when a program accesses the cloud metadata API, if the program is already part of an ongoing incident.

None

T1522

Network Connection Enumeration Via ProgramEnabled

Alerts when a program associated with network connection enumeration is executed, if the program is already part of an ongoing incident.

None

T1049

T1018


Lateral Movement

Detection NameDefault StateDescriptionDeployment ConsiderationsATT&CK Techniques
Network Service Scanner ExecutedEnabled

Alerts when common network scanning program tools are executed.

None

T1046

T1018


Network Service Behavior

Detection NameDefault StateDescriptionDeployment ConsiderationsATT&CK Techniques
Network Service CreatedDisabled

Alerts when a program starts a new network service, if the program is already part of an ongoing incident.

None



Network Sniffing

Detection NameDefault StateDescriptionDeployment ConsiderationsATT&CK Techniques
Network Sniffing Program ExecutedEnabled

Alerts when a program is executed that allows network capture.

None

T1040


Outbound Connections

Detection NameDefault StateDescriptionDeployment ConsiderationsATT&CK Techniques
Unusual Outbound Connection DetectedDisabled

Alerts when a program initiates a new connection on an uncommon port, if the program is already part of an ongoing incident.

Can cause a negative performance impact on network-heavy workloads.

T1065


Process Activity

Abnormal Process Execution

Detection NameDefault StateDescriptionDeployment ConsiderationsATT&CK Techniques
New File ExecutedDisabled

Alerts when a file that has been created or modified within 30 minutes is then executed. Excludes files created by system update programs.

Can cause a negative performance impact on file-heavy workloads.

T1190


Compiler Usage

Detection NameDefault StateDescriptionDeployment ConsiderationsATT&CK Techniques
Compiler UsageEnabled

Alerts when a program is executed that compiles a binary.

None

T1500


Debugging

Detection NameDefault StateDescriptionDeployment ConsiderationsATT&CK Techniques
Process InjectionEnabled

Alerts when a program uses ptrace mechanisms to interact with another process.

None

T1055


Discovery

Detection NameDefault StateDescriptionDeployment ConsiderationsATT&CK Techniques
Account Enumeration Via ProgramEnabled

Alerts when a program associated with account enumeration is executed, if the program is already part of an ongoing incident.

None

T1087

T1069

File and Directory Discovery Via ProgramEnabled

Alerts when a program associated with file and directory enumeration is executed, if the program is already part of an ongoing incident.

None

T1083

Network Configuration Enumeration Via ProgramEnabled

Alerts when a program associated with network configuration enumeration is executed

None

T1016

System Information Enumeration Via ProgramEnabled

Alerts when a program associated with system information enumeration is executed, if the program is already part of an ongoing incident.

None

T1082


Scheduled Task Changes

Detection NameDefault StateDescriptionDeployment ConsiderationsATT&CK Techniques
Scheduled Tasks Modified Via FileDisabled

Alerts when a cron-related file is modified, indicating a change to scheduled job configurations.

Can cause a negative performance impact on file-heavy workloads.

T1168

Scheduled Tasks Modified Via ProgramEnabled

Alerts when the crontab command is used to modify cron job configurations.

None

T1168


System Configuration Changes

Detection NameDefault StateDescriptionDeployment ConsiderationsATT&CK Techniques
Systemctl Usage DetectedEnabled

Alerts when the systemctl command is used to modify systemd units.

None

T1501


User Activity

Privileged Command Usage

Detection NameDefault StateDescriptionDeployment ConsiderationsATT&CK Techniques
User Execution Of su CommandEnabled

Alerts when the 'su' command is executed.

None

T1169

User Execution Of sudo CommandEnabled

Alerts when the 'sudo' command is executed.

None

T1169


Risky Developer Activity

Detection NameDefault StateDescriptionDeployment ConsiderationsATT&CK Techniques
Shell Command ExecutedEnabled

Alerts when an command is executed by a valid system user via SSH.

None

T1078

T1059

T1204

User Command History ClearedDisabled

Alerts when command line history files are deleted.

Can cause a negative performance impact on file-heavy workloads.

T1146

User Login Via SSHEnabled

Alerts when an interactive shell process is started by a valid system user via SSH.

None

T1078

T1059

T1204


User Account Changes

Detection NameDefault StateDescriptionDeployment ConsiderationsATT&CK Techniques
Account ModificationDisabled

Alerts when a file related to identity management is modified by a program unrelated to updating existing user information.

Can cause a negative performance impact on file-heavy workloads.

T1136

Password Database ModificationDisabled

Alerts when a file related to user passwords is modified by a program unrelated to updating existing user information.

Can cause a negative performance impact on file-heavy workloads.

T1136

SSH Authorized Keys ModificationDisabled

Alerts when an attempt to write to a user's SSH authorized_keys file is observed, if the program is already part of an ongoing incident.

Can cause a negative performance impact on file-heavy workloads.

T1078

User Account Created Via CLIEnabled

Alerts when an identity management program is executed by a program other than a package manager.

None

T1136

User Configuration ChangesDisabled

Alerts when .bash_profile and bashrc (as well as related files) are modified by an unexpected program.

Can cause a negative performance impact on file-heavy workloads.

T1156


Audit

Below is a list of the detection classes bundled in Audit, including the individual detections that comprise each detection class. Each detection's corresponding MITRE ATT&CK categories and considerations are also shown.

To avoid generating a large volume of events, Audit detections won't emit events by default, unless the process that caused the event is part of an active incident. To always receive Audit notifications, you will need to both:


File Activity

Changes to System Binaries

Detection NameDefault StateDescriptionDeployment ConsiderationsATT&CK Techniques
Boot Files ModifiedDisabled

Alerts when changes are made to files in /boot, indicating installation of a new kernel or boot configuration.

Can cause a negative performance impact on file-heavy workloads.

T1067


Configuration Changes

Detection NameDefault StateDescriptionDeployment ConsiderationsATT&CK Techniques
Root Certificate Store ModifiedDisabled

Alerts when a system CA certificate store is changed.

Can cause a negative performance impact on file-heavy workloads.

T1130


Indicator Removal

Detection NameDefault StateDescriptionDeployment ConsiderationsATT&CK Techniques
Log Files DeletedDisabled

Alerts on deletion of log files.

Can cause a negative performance impact on file-heavy workloads.

T1107

T1070


Privileged File Operations

Detection NameDefault StateDescriptionDeployment ConsiderationsATT&CK Techniques
Setuid/Setgid Bit Set On FileEnabled

Alerts when the setuid or setgid bit's set on a file with chmod.

None

T1166


System Configuration Changes

Detection NameDefault StateDescriptionDeployment ConsiderationsATT&CK Techniques
Systemd Unit File ModifiedDisabled

Alerts whenever a systemd unit file is modified by a program other than systemctl.

Can cause a negative performance impact on file-heavy workloads.

T1501


Network Activity

Lateral Movement

Detection NameDefault StateDescriptionDeployment ConsiderationsATT&CK Techniques
Network Service Scanner ExecutedEnabled

Alerts when common network scanning program tools are executed.

None

T1046

T1018


Network Sniffing

Detection NameDefault StateDescriptionDeployment ConsiderationsATT&CK Techniques
Network Sniffing Program ExecutedEnabled

Alerts when a program is executed that allows network capture.

None

T1040


Process Activity

Abnormal Process Execution

Detection NameDefault StateDescriptionDeployment ConsiderationsATT&CK Techniques
New File ExecutedDisabled

Alerts when a file that has been created or modified within 30 minutes is then executed. Excludes files created by system update programs.

Can cause a negative performance impact on file-heavy workloads.

T1190


Compiler Usage

Detection NameDefault StateDescriptionDeployment ConsiderationsATT&CK Techniques
Compiler UsageEnabled

Alerts when a program is executed that compiles a binary.

None

T1500


Debugging

Detection NameDefault StateDescriptionDeployment ConsiderationsATT&CK Techniques
Process InjectionEnabled

Alerts when a program uses ptrace mechanisms to interact with another process.

None

T1055


Scheduled Task Changes

Detection NameDefault StateDescriptionDeployment ConsiderationsATT&CK Techniques
Scheduled Tasks Modified Via FileDisabled

Alerts when a cron-related file is modified, indicating a change to scheduled job configurations.

Can cause a negative performance impact on file-heavy workloads.

T1168

Scheduled Tasks Modified Via ProgramEnabled

Alerts when the crontab command is used to modify cron job configurations.

None

T1168


System Configuration Changes

Detection NameDefault StateDescriptionDeployment ConsiderationsATT&CK Techniques
Systemctl Usage DetectedEnabled

Alerts when the systemctl command is used to modify systemd units.

None

T1501


User Activity

Privileged Command Usage

Detection NameDefault StateDescriptionDeployment ConsiderationsATT&CK Techniques
User Execution Of su CommandEnabled

Alerts when the 'su' command is executed.

None

T1169

User Execution Of sudo CommandEnabled

Alerts when the 'sudo' command is executed.

None

T1169


Risky Developer Activity

Detection NameDefault StateDescriptionDeployment ConsiderationsATT&CK Techniques
Shell Command ExecutedEnabled

Alerts when an command is executed by a valid system user via SSH.

None

T1078

T1059

T1204

User Command History ClearedDisabled

Alerts when command line history files are deleted.

Can cause a negative performance impact on file-heavy workloads.

T1146

User Login Via SSHEnabled

Alerts when an interactive shell process is started by a valid system user via SSH.

None

T1078

T1059

T1204


User Account Changes

Detection NameDefault StateDescriptionDeployment ConsiderationsATT&CK Techniques
Account ModificationDisabled

Alerts when a file related to identity management is modified by a program unrelated to updating existing user information.

Can cause a negative performance impact on file-heavy workloads.

T1136

Password Database ModificationDisabled

Alerts when a file related to user passwords is modified by a program unrelated to updating existing user information.

Can cause a negative performance impact on file-heavy workloads.

T1136

User Account Created Via CLIEnabled

Alerts when an identity management program is executed by a program other than a package manager.

None

T1136

User Configuration ChangesDisabled

Alerts when .bash_profile and bashrc (as well as related files) are modified by an unexpected program.

Can cause a negative performance impact on file-heavy workloads.

T1156