[metadata]
creation_date = "2020/02/18"
ecs_version = ["1.4.0"]
maturity = "production"
updated_date = "2020/02/18"

[rule]
author = ["Elastic"]
description = """
Elastic Endpoint prevented Process Injection. Click the Elastic Endpoint icon in the event.module column or the link in
the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.
"""
from = "now-15m"
index = ["endgame-*"]
interval = "10m"
language = "kuery"
license = "Elastic License"
name = "Process Injection - Prevented - Elastic Endpoint"
risk_score = 47
rule_id = "990838aa-a953-4f3e-b3cb-6ddf7584de9e"
severity = "medium"
tags = ["Elastic", "Endpoint"]
type = "query"

query = '''
event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event)
'''