rules_building_block rule

Title: If the domains listed in this rule are used as part of an authorized workflow, this rule will be triggered by those events. Validate that this is expected activity and tune the rule to fit your environment variables.
Tags: t1016, t1614, rules_building_block, elastic

Title: Security tools and device drivers may run these programs in order to enumerate kernel modules. Use of these programs by ordinary users is uncommon. These can be exempted by process name or username.
Tags: t1082, linux, rules_building_block, elastic