[metadata]
creation_date = "2020/02/18"
ecs_version = ["1.4.0"]
maturity = "production"
updated_date = "2020/02/18"

[rule]
author = ["Elastic"]
description = """
Elastic Endpoint detected Process Injection. Click the Elastic Endpoint icon in the event.module column or the link in
the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.
"""
from = "now-15m"
index = ["endgame-*"]
interval = "10m"
language = "kuery"
license = "Elastic License"
name = "Process Injection - Detected - Elastic Endpoint"
risk_score = 73
rule_id = "80c52164-c82a-402c-9964-852533d58be1"
severity = "high"
tags = ["Elastic", "Endpoint"]
type = "query"

query = '''
event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event)
'''