Detection rules downloads

ACSC Advisory IOCs detection rules

ACSC Advisory IOCs detection rules for Elastic SIEM

Threat detection Kibana dashboard

Kibana dashboard example visualizing the results of the Elastic SIEM detection engine

Sigma Elastic SIEM rules for web server logs

A collection of rules based on the Sigma detection rules for web server logs, e.g. Apache, nginx or IIS.

Sigma detection rules for proxy server logs

A collection of rules based on the Sigma detection rules for proxy server and web server logs, e.g. Zeek or Suricata.

Sigma Sysmon detection rules

A collection of rules based on the Sigma detection rules for Windows Sysmon events, written for Winlogbeat data.

Sigma Windows Process Creation detection rules

A collection of rules based on the Sigma rules for Windows (process creation folder), written for Winlogbeat data.

Sigma Windows inbuilt detection rules

A collection of rules based on the Sigma rules for Windows (inbuilt folder), written for Winlogbeat data.

Sigma AWS CloudTrail Detection rules

A collection of rules based on the Sigma rules for AWS, written for data from the Filebeat AWS module and the Elastic Agent AWS integration.

Sigma Zeek Detection rules

A collection of rules based on the Sigma rules for Zeek, written for data from the Filebeat Zeek module.

More about Detection rules

The SIEM detection rules for Elastic Security define how the Elastic Security detection engine searches for threats. The detection rules are a common set of rules that can be used to analyze existing data. Elastic delivers many rules out of the box. Show all prebuilt Elastic rules.

By using the fields and categories defined in ECS (Elastic Common Schema), rules automatically work with Beats logs, Elastic Agent data and any other data source that is mapped properly to ECS.

Elastic has opened the repository for these rules so that the community can contribute to them. Other projects, such as Sigma, also produce SIEM detection rules for different systems; the Sigma collections listed above are based on those rules and have been mapped to ECS field names so that they run on Beats and Elastic Agent data.