Writing Detection Rules for Endpoint Threats

SecureExec's detection engine evaluates incoming events against your rule set in real time. When a rule matches, a detection event is generated with a severity level and stored alongside the raw telemetry in Elasticsearch. This post walks through writing effective rules for common threat scenarios.

Detection Event Structure

A detection event contains:

  • rule_name — the name of the rule that fired
  • severity — one of low, medium, high, or critical
  • description — a human-readable explanation
  • source_event_ids — IDs of the raw events that triggered the detection
  • process_uid — the process involved

Source event IDs let you pivot from a detection directly to the raw events in the Events console.

Example: Detecting a Web Shell

A web shell often manifests as a web server process (nginx, apache, gunicorn) spawning a shell. A rule targeting this pattern:

name: webshell_spawn
severity: critical
description: Web server process spawned a shell
match:
  event_type: process_create
  parent_process_name:
    - nginx
    - apache2
    - gunicorn
    - httpd
  process_name:
    - sh
    - bash
    - zsh
    - python
    - perl

Example: Detecting Outbound Connections on Unusual Ports

Malware often beacons home on non-standard ports to evade simple firewall rules:

name: unusual_outbound_port
severity: medium
description: Process made outbound connection on unusual port
match:
  event_type: net_connect
  dst_port:
    not_in: [80, 443, 22, 53, 25, 587, 993]
  process_name:
    not_in: [curl, wget, apt, yum, pip]

Example: Detecting Credential File Access

Accessing /etc/shadow or .ssh/id_rsa outside of expected system processes is a strong indicator of credential harvesting:

name: credential_file_read
severity: high
description: Sensitive credential file accessed by unexpected process
match:
  event_type: file_modify
  path:
    - /etc/shadow
    - /etc/passwd
    - "**/.ssh/id_rsa"
    - "**/.ssh/authorized_keys"
  process_name:
    not_in: [passwd, sshd, sudo]
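To make the matching semantics of the three rules above concrete, here is an added example evaluator written for this post; it is not SecureExec's engine. It expresses the rules as Python dicts that mirror the YAML, runs a handful of constructed sample events through them, and emits detection events with the fields listed under Detection Event Structure. It assumes the semantics a reader would infer from the rules: a plain list means "any of these values", not_in excludes the listed values, and a path entry containing `*` is a glob (so `**/.ssh/id_rsa` matches any absolute path ending in `.ssh/id_rsa`). A field that is absent from an event never satisfies a clause. The event field names event_id and @timestamp, and the sample events themselves, are assumptions.

```python
"""Toy rule evaluator for SecureExec-style detection rules (added example, not product code)."""
from fnmatch import fnmatchcase

# Rules mirror the YAML from the post, written as dicts so this runs without a YAML parser.
RULES = [
    {"name": "webshell_spawn", "severity": "critical",
     "description": "Web server process spawned a shell",
     "match": {"event_type": "process_create",
               "parent_process_name": ["nginx", "apache2", "gunicorn", "httpd"],
               "process_name": ["sh", "bash", "zsh", "python", "perl"]}},
    {"name": "unusual_outbound_port", "severity": "medium",
     "description": "Process made outbound connection on unusual port",
     "match": {"event_type": "net_connect",
               "dst_port": {"not_in": [80, 443, 22, 53, 25, 587, 993]},
               "process_name": {"not_in": ["curl", "wget", "apt", "yum", "pip"]}}},
    {"name": "credential_file_read", "severity": "high",
     "description": "Sensitive credential file accessed by unexpected process",
     "match": {"event_type": "file_modify",
               "path": ["/etc/shadow", "/etc/passwd",
                        "**/.ssh/id_rsa", "**/.ssh/authorized_keys"],
               "process_name": {"not_in": ["passwd", "sshd", "sudo"]}}},
]

# Constructed sample telemetry (assumed field names); comments state the expected outcome.
SAMPLE_EVENTS = [
    {"event_id": "evt-001", "@timestamp": "2024-05-01T10:00:00Z", "process_uid": "p-100",
     "event_type": "process_create", "parent_process_name": "nginx", "process_name": "sh"},  # fires
    {"event_id": "evt-002", "@timestamp": "2024-05-01T10:00:01Z", "process_uid": "p-101",
     "event_type": "process_create", "parent_process_name": "systemd", "process_name": "bash"},  # benign
    {"event_id": "evt-003", "@timestamp": "2024-05-01T10:00:02Z", "process_uid": "p-102",
     "event_type": "net_connect", "process_name": "update-agent", "dst_port": 4444},  # fires
    {"event_id": "evt-004", "@timestamp": "2024-05-01T10:00:03Z", "process_uid": "p-103",
     "event_type": "net_connect", "process_name": "curl", "dst_port": 8443},  # excluded process
    {"event_id": "evt-005", "@timestamp": "2024-05-01T10:00:04Z", "process_uid": "p-104",
     "event_type": "net_connect", "process_name": "update-agent", "dst_port": 443},  # allowed port
    {"event_id": "evt-006", "@timestamp": "2024-05-01T10:00:05Z", "process_uid": "p-105",
     "event_type": "file_modify", "path": "/home/alice/.ssh/id_rsa", "process_name": "cat"},  # fires
    {"event_id": "evt-007", "@timestamp": "2024-05-01T10:00:06Z", "process_uid": "p-106",
     "event_type": "file_modify", "path": "/etc/shadow", "process_name": "passwd"},  # excluded process
]


def field_matches(condition, value):
    """Evaluate one match clause against one event field value.

    condition may be a scalar (exact match), a list (any entry; entries with
    glob metacharacters are matched with fnmatch), or {"not_in": [...]}.
    A missing field (value is None) never satisfies a clause, so an event that
    lacks dst_port cannot slip past a not_in exclusion by accident.
    """
    if value is None:
        return False
    if isinstance(condition, dict) and "not_in" in condition:
        return value not in condition["not_in"]
    options = condition if isinstance(condition, list) else [condition]
    for option in options:
        if isinstance(option, str) and any(ch in option for ch in "*?["):
            if isinstance(value, str) and fnmatchcase(value, option):
                return True
        elif value == option:
            return True
    return False


def rule_matches(rule, event):
    """A rule fires only when every clause in its match block is satisfied."""
    return all(field_matches(cond, event.get(field)) for field, cond in rule["match"].items())


def evaluate(events, rules=RULES):
    """Run every rule over every event and return detection events in the post's structure."""
    detections = []
    for event in events:
        for rule in rules:
            if rule_matches(rule, event):
                detections.append({
                    "event_type": "detection",
                    "rule_name": rule["name"],
                    "severity": rule["severity"],
                    "description": rule["description"],
                    "source_event_ids": [event["event_id"]],
                    "process_uid": event["process_uid"],
                    "@timestamp": event["@timestamp"],
                })
    return detections


if __name__ == "__main__":
    for det in evaluate(SAMPLE_EVENTS):
        print(f"[{det['severity']}] {det['rule_name']}: {det['description']} "
              f"(source={det['source_event_ids']}, process={det['process_uid']})")
```

Running it yields three detections (evt-001, evt-003, evt-006) and shows why the other four events stay quiet: a parent that is not a web server, a dst_port on the allow-list, or a process_name in a not_in list each fails one clause. Before relying on the glob paths in production, confirm how SecureExec's own matcher treats `**`; this example uses fnmatch, where `*` also crosses `/`.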

Severity Guidelines

Severity   When to use
low        Anomalous but common noise; use for baselining
medium     Suspicious activity worth investigating
high       Strong indicator of compromise; page on-call
critical   Active attack in progress; immediate response required

Searching Detections in Elasticsearch

All detection events are indexed in secureexec-events-{org_id} with event_type: detection. To find all critical detections in the last 24 hours:

{
  "query": {
    "bool": {
      "must": [
        { "term": { "event_type": "detection" } },
        { "term": { "severity": "critical" } },
        { "range": { "@timestamp": { "gte": "now-24h" } } }
      ]
    }
  }
}

Use the Events console in the webapp to run these searches visually with full-text and time range filters.