<!DOCTYPE html>
<html lang="en-us">
<head>
<meta charset="UTF-8">
<title>Anomalous Linux Compiler Activity | Elastic Security Solution [8.18] | Elastic</title>
<meta class="elastic" name="content" content="Anomalous Linux Compiler Activity | Elastic Security Solution [8.18]">
<link rel="home" href="index.html" title="Elastic Security Solution [8.18]"/>
<link rel="up" href="prebuilt-rules.html" title="Prebuilt rule reference"/>
<link rel="prev" href="alternate-data-stream-creation-execution-at-volume-root-directory.html" title="Alternate Data Stream Creation/Execution at Volume Root Directory"/>
<link rel="next" href="anomalous-process-for-a-linux-population.html" title="Anomalous Process For a Linux Population"/>
<meta class="elastic" name="product_version" content="8.18"/>
<meta class="elastic" name="product_name" content="Security"/>
<meta class="elastic" name="website_area" content="documentation"/>
<meta name="DC.type" content="Learn/Docs/Security/Guide/8.18"/>
<meta name="DC.subject" content="Security"/>
<meta name="DC.identifier" content="8.18"/>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<!-- NOTE(review): third-party script loaded with no integrity/crossorigin attributes (no SRI) and
     no async/defer, so a compromise of that CDN origin executes in this page and the synchronous
     fetch blocks parsing of the rest of the head. The same SRI gap applies to the IE-conditional
     html5shiv/respond scripts further down. -->
<script src="https://cdn.optimizely.com/js/18132920325.js"></script>
<link rel="apple-touch-icon" sizes="57x57" href="/apple-icon-57x57.png">
<link rel="apple-touch-icon" sizes="60x60" href="/apple-icon-60x60.png">
<link rel="apple-touch-icon" sizes="72x72" href="/apple-icon-72x72.png">
<link rel="apple-touch-icon" sizes="76x76" href="/apple-icon-76x76.png">
<link rel="apple-touch-icon" sizes="114x114" href="/apple-icon-114x114.png">
<link rel="apple-touch-icon" sizes="120x120" href="/apple-icon-120x120.png">
<link rel="apple-touch-icon" sizes="144x144" href="/apple-icon-144x144.png">
<link rel="apple-touch-icon" sizes="152x152" href="/apple-icon-152x152.png">
<link rel="apple-touch-icon" sizes="180x180" href="/apple-icon-180x180.png">
<link rel="icon" type="image/png" href="/favicon-32x32.png" sizes="32x32">
<link rel="icon" type="image/png" href="/android-chrome-192x192.png" sizes="192x192">
<link rel="icon" type="image/png" href="/favicon-96x96.png" sizes="96x96">
<link rel="icon" type="image/png" href="/favicon-16x16.png" sizes="16x16">
<link rel="manifest" href="/manifest.json">
<meta name="apple-mobile-web-app-title" content="Elastic">
<meta name="application-name" content="Elastic">
<meta name="msapplication-TileColor" content="#ffffff">
<meta name="msapplication-TileImage" content="/mstile-144x144.png">
<meta name="theme-color" content="#ffffff">
<meta name="naver-site-verification" content="936882c1853b701b3cef3721758d80535413dbfd" />
<meta name="yandex-verification" content="d8a47e95d0972434" />
<meta name="localized" content="true" />
<meta name="st:robots" content="follow,index" />
<meta property="og:image" content="https://static-www.elastic.co/v3/assets/bltefdd0b53724fa2ce/blt280217a63b82a734/6202d3378b1f312528798412/elastic-logo.svg" />
<meta property="og:image:width" content="500" />
<meta property="og:image:height" content="172" />
<link rel="shortcut icon" href="/favicon.ico" type="image/x-icon">
<link rel="icon" href="/favicon.ico" type="image/x-icon">
<link rel="apple-touch-icon-precomposed" sizes="64x64" href="/favicon_64x64_16bit.png">
<link rel="apple-touch-icon-precomposed" sizes="32x32" href="/favicon_32x32.png">
<link rel="apple-touch-icon-precomposed" sizes="16x16" href="/favicon_16x16.png">
<!-- Give IE8 a fighting chance -->
<!--[if lt IE 9]>
<script src="https://oss.maxcdn.com/html5shiv/3.7.2/html5shiv.min.js"></script>
<script src="https://oss.maxcdn.com/respond/1.4.2/respond.min.js"></script>
<![endif]-->
<link rel="stylesheet" type="text/css" href="/guide/static/styles-v1.css" />
</head>
<!--© 2015-2025 Elasticsearch B.V. -->
<!-- All Elastic documentation is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License. -->
<!-- http://creativecommons.org/licenses/by-nc-nd/4.0/ -->
<body>
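<!-- Google Tag Manager -->
<!-- Tag Manager / Analytics bootstrap. Loads the GTM containers GTM-58RLH5 and GTM-KNJMG2M and the
     gtag.js property UA-12395217-16. Every loader URL is an absolute https:// URL (the first container
     previously used protocol-relative "//" URLs, which would be fetched over plain http if the page were
     ever served insecurely; the GA4 container below already used https, so the two now agree). -->
<script>dataLayer = [];</script><noscript><iframe src="https://www.googletagmanager.com/ns.html?id=GTM-58RLH5" height="0" width="0" style="display:none;visibility:hidden" title="Google Tag Manager"></iframe></noscript>
<script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start': new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0], j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f); })(window,document,'script','dataLayer','GTM-58RLH5');</script>
<!-- End Google Tag Manager -->
<!-- Global site tag (gtag.js) - Google Analytics -->
<script async src="https://www.googletagmanager.com/gtag/js?id=UA-12395217-16"></script>
<script>
// gtag() queues commands on the shared dataLayer array that the GTM loaders above also push to.
window.dataLayer = window.dataLayer || [];
function gtag(){dataLayer.push(arguments);}
gtag('js', new Date());
gtag('config', 'UA-12395217-16');
</script>
<!-- Google Tag Manager for GA4 -->
<script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start': new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0], j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-KNJMG2M');</script>
<noscript><iframe src="https://www.googletagmanager.com/ns.html?id=GTM-KNJMG2M" height="0" width="0" style="display:none;visibility:hidden" title="Google Tag Manager"></iframe></noscript>
<!-- End Google Tag Manager for GA4-->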
<div id='elastic-nav' style="display:none;"></div>
<script src='https://www.elastic.co/elastic-nav.js'></script>
<div class="main-container">
<section id="content" >
<div class="content-wrapper">
<section id="guide" lang="en">
<div class="container-fluid">
<div class="row pb-3">
<div class="col-12 order-2 col-md-4 order-md-1 col-lg-3 h-almost-full-md sticky-top-md" id="left_col">
<!-- The TOC is appended here -->
</div>
<div class="col-12 order-1 col-md-8 order-md-2 col-lg-7 order-lg-2 guide-section" id="middle_col">
<!-- start body -->
<div class="navheader">
<span class="prev">
<a href="alternate-data-stream-creation-execution-at-volume-root-directory.html">« Alternate Data Stream Creation/Execution at Volume Root Directory</a>
</span>
<span class="next">
<a href="anomalous-process-for-a-linux-population.html">Anomalous Process For a Linux Population »</a>
</span>
</div>
<div class="book" lang="en">
<div class="titlepage">
<div class="breadcrumbs">
<span class="breadcrumb-link"><a href="/guide/">Elastic Docs</a></span>
<span class="chevron-right">›</span><span class="breadcrumb-link"><a href="index.html">Elastic Security Solution [8.18]</a></span>
<span class="chevron-right">›</span><span class="breadcrumb-link"><a href="detection-engine-overview.html">Detections and alerts</a></span>
<span class="chevron-right">›</span><span class="breadcrumb-link"><a href="prebuilt-rules.html">Prebuilt rule reference</a></span>
</div>
<div>
<div><h1 class="title"><a id="id-1"></a>Anomalous Linux Compiler Activity</h1><a class="edit_me" rel="nofollow" title="Edit this page on GitHub" href="https://github.com/elastic/security-docs/edit/8.18/docs/detections/prebuilt-rules/rule-details/anomalous-linux-compiler-activity.asciidoc">edit</a></div>
</div>
<!--EXTRA-->
</div>
<div id="content">
<div id="url-to-v3" class="version-warning">
A newer version is available. Check out the <a href="https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/ml/resource_development_ml_linux_anomalous_compiler_activity">latest documentation</a>.
</div>
<div class="section">
<div class="titlepage"><div><div>
<div class="position-relative"><h2 class="title"><a id="anomalous-linux-compiler-activity"></a>Anomalous Linux Compiler Activity</h2><a class="edit_me" rel="nofollow" title="Edit this page on GitHub" href="https://github.com/elastic/security-docs/edit/8.18/docs/detections/prebuilt-rules/rule-details/anomalous-linux-compiler-activity.asciidoc">edit</a></div>
</div></div></div>
<p>Looks for compiler activity by a user context that does not normally run compilers. This can be the result of ad-hoc software changes or unauthorized software deployment. It can also indicate local privilege elevation via locally run exploits, or malware activity.</p>
<p><span class="strong strong"><strong>Rule type</strong></span>: machine_learning</p>
<p><span class="strong strong"><strong>Rule indices</strong></span>: None</p>
<p><span class="strong strong"><strong>Severity</strong></span>: low</p>
<p><span class="strong strong"><strong>Risk score</strong></span>: 21</p>
<p><span class="strong strong"><strong>Runs every</strong></span>: 15m</p>
<p><span class="strong strong"><strong>Searches indices from</strong></span>: now-45m (<a href="/guide/en/elasticsearch/reference/8.18/common-options.html#date-math" class="ulink" target="_top">Date Math format</a>, see also <a class="xref" href="rules-ui-create.html#rule-schedule" title="Set the rule’s schedule"><code class="literal">Additional look-back time</code></a>)</p>
<p><span class="strong strong"><strong>Maximum alerts per execution</strong></span>: 100</p>
<p><span class="strong strong"><strong>References</strong></span>: None</p>
<p><span class="strong strong"><strong>Tags</strong></span>:</p>
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
Domain: Endpoint
</li>
<li class="listitem">
OS: Linux
</li>
<li class="listitem">
Use Case: Threat Detection
</li>
<li class="listitem">
Rule Type: ML
</li>
<li class="listitem">
Rule Type: Machine Learning
</li>
<li class="listitem">
Tactic: Resource Development
</li>
<li class="listitem">
Resources: Investigation Guide
</li>
</ul>
</div>
<p><span class="strong strong"><strong>Version</strong></span>: 107</p>
<p><span class="strong strong"><strong>Rule authors</strong></span>:</p>
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
Elastic
</li>
</ul>
</div>
<p><span class="strong strong"><strong>Rule license</strong></span>: Elastic License v2</p>
<div class="section">
<div class="titlepage"><div><div>
<div class="position-relative"><h3 class="title"><a id="_investigation_guide_138"></a>Investigation guide</h3><a class="edit_me" rel="nofollow" title="Edit this page on GitHub" href="https://github.com/elastic/security-docs/edit/8.18/docs/detections/prebuilt-rules/rule-details/anomalous-linux-compiler-activity.asciidoc">edit</a></div>
</div></div></div>
<p><span class="strong strong"><strong>Triage and analysis</strong></span></p>
<div class="quoteblock">
<blockquote>
<p><span class="strong strong"><strong>Disclaimer</strong></span>:
This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.</p>
</blockquote>
</div>
<p><span class="strong strong"><strong>Investigating Anomalous Linux Compiler Activity</strong></span></p>
<p>Compilers transform source code into executable programs, a crucial step in software development. In Linux environments, unexpected compiler use by atypical users may signal unauthorized software changes or privilege escalation attempts. Adversaries can abuse this capability to build and deploy malicious code or exploits on a host. The detection rule leverages machine learning to identify unusual compiler activity, flagging potential threats by analyzing user behavior patterns and deviations from normal operations.</p>
<p><span class="strong strong"><strong>Possible investigation steps</strong></span></p>
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
Review the user account associated with the anomalous compiler activity to determine if the user typically engages in software development or has a history of using compilers.
</li>
<li class="listitem">
Check the specific compiler and version used in the activity to identify if it is a known or legitimate tool within the organization.
</li>
<li class="listitem">
Analyze the source and destination of the compiler activity, including the IP addresses and hostnames, to identify any unusual or unauthorized access patterns.
</li>
<li class="listitem">
Investigate recent changes or deployments on the system where the compiler activity was detected to identify any unauthorized software installations or modifications.
</li>
<li class="listitem">
Examine system logs and audit trails for any signs of privilege escalation attempts or other suspicious activities around the time of the compiler usage.
</li>
<li class="listitem">
Cross-reference the detected activity with known threat intelligence sources to determine if the behavior matches any known attack patterns or indicators of compromise.
</li>
</ul>
</div>
<p><span class="strong strong"><strong>False positive analysis</strong></span></p>
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
Development environments where multiple users compile code can trigger false positives. Regularly update the list of authorized users who are expected to use compilers to prevent unnecessary alerts.
</li>
<li class="listitem">
Automated build systems or continuous integration pipelines may be flagged. Exclude these systems from monitoring or adjust the rule to recognize their activity as normal.
</li>
<li class="listitem">
Educational or training sessions involving compilers might cause alerts. Temporarily adjust the rule settings or add exceptions for the duration of the training.
</li>
<li class="listitem">
Users compiling open-source software for personal use can be mistaken for threats. Implement a process for users to notify the security team of legitimate compiler use to preemptively adjust monitoring rules.
</li>
<li class="listitem">
System administrators performing maintenance or updates that involve compiling software may trigger alerts. Maintain a log of scheduled maintenance activities and adjust the rule to account for these periods.
</li>
</ul>
</div>
<p><span class="strong strong"><strong>Response and remediation</strong></span></p>
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
Isolate the affected system from the network to prevent potential lateral movement or further exploitation.
</li>
<li class="listitem">
Terminate any suspicious processes associated with the anomalous compiler activity to halt any ongoing malicious operations.
</li>
<li class="listitem">
Conduct a thorough review of recent user activity and permissions to identify unauthorized access or privilege escalation attempts.
</li>
<li class="listitem">
Remove any unauthorized or malicious software identified during the investigation to prevent further compromise.
</li>
<li class="listitem">
Restore the system from a known good backup if malicious code execution is confirmed, ensuring that the backup is free from compromise.
</li>
<li class="listitem">
Implement stricter access controls and monitoring for compiler usage, ensuring only authorized users can execute compilers.
</li>
<li class="listitem">
Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected.
</li>
</ul>
</div>
</div>
<div class="section">
<div class="titlepage"><div><div>
<div class="position-relative"><h3 class="title"><a id="_setup_74"></a>Setup</h3><a class="edit_me" rel="nofollow" title="Edit this page on GitHub" href="https://github.com/elastic/security-docs/edit/8.18/docs/detections/prebuilt-rules/rule-details/anomalous-linux-compiler-activity.asciidoc">edit</a></div>
</div></div></div>
<p><span class="strong strong"><strong>Setup</strong></span></p>
<p>This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:</p>
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
Elastic Defend
</li>
<li class="listitem">
Auditd Manager
</li>
</ul>
</div>
<p><span class="strong strong"><strong>Anomaly Detection Setup</strong></span></p>
<p>Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the <a href="/guide/en/kibana/current/xpack-ml-anomalies.html" class="ulink" target="_top">helper guide</a>.</p>
<p><span class="strong strong"><strong>Elastic Defend Integration Setup</strong></span></p>
<p>Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.</p>
<p><span class="strong strong"><strong>Prerequisite Requirements:</strong></span></p>
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
Fleet is required for Elastic Defend.
</li>
<li class="listitem">
To configure Fleet Server refer to the <a href="/guide/en/fleet/current/fleet-server.html" class="ulink" target="_top">documentation</a>.
</li>
</ul>
</div>
<p><span class="strong strong"><strong>The following steps should be executed in order to add the Elastic Defend integration to your system:</strong></span></p>
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
Go to the Kibana home page and click "Add integrations".
</li>
<li class="listitem">
In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
</li>
<li class="listitem">
Click "Add Elastic Defend".
</li>
<li class="listitem">
Configure the integration name and optionally add a description.
</li>
<li class="listitem">
Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
</li>
<li class="listitem">
Select a configuration preset. Each preset comes with different default settings for Elastic Agent; you can further customize these later by configuring the Elastic Defend integration policy. <a href="/guide/en/security/current/configure-endpoint-integration-policy.html" class="ulink" target="_top">Helper guide</a>.
</li>
<li class="listitem">
We suggest selecting "Complete EDR (Endpoint Detection and Response)" as the configuration preset, which provides "All events; all preventions".
</li>
<li class="listitem">
Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
For more details on Elastic Agent configuration settings, refer to the <a href="/guide/en/fleet/current/agent-policy.html" class="ulink" target="_top">helper guide</a>.
</li>
<li class="listitem">
Click "Save and Continue".
</li>
<li class="listitem">
To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the <a href="/guide/en/security/current/install-endpoint.html" class="ulink" target="_top">helper guide</a>.
</li>
</ul>
</div>
<p><span class="strong strong"><strong>Auditd Manager Integration Setup</strong></span></p>
<p>The Auditd Manager integration receives audit events from the Linux Audit Framework, which is part of the Linux kernel.
Auditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With <code class="literal">auditd_manager</code>, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.</p>
<p><span class="strong strong"><strong>The following steps should be executed in order to add the Elastic Agent System integration "auditd_manager" to your system:</strong></span></p>
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
Go to the Kibana home page and click “Add integrations”.
</li>
<li class="listitem">
In the query bar, search for “Auditd Manager” and select the integration to see more details about it.
</li>
<li class="listitem">
Click “Add Auditd Manager”.
</li>
<li class="listitem">
Configure the integration name and optionally add a description.
</li>
<li class="listitem">
Review optional and advanced settings accordingly.
</li>
<li class="listitem">
Add the newly installed “auditd manager” to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd logs should be collected.
</li>
<li class="listitem">
Click “Save and Continue”.
</li>
<li class="listitem">
For more details on the integration refer to the <a href="https://docs.elastic.co/integrations/auditd_manager" class="ulink" target="_top">helper guide</a>.
</li>
</ul>
</div>
<p><span class="strong strong"><strong>Rule Specific Setup Note</strong></span></p>
<p>Auditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.
However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from.</p>
<p>For this detection rule no additional audit rules are required.</p>
<p><span class="strong strong"><strong>Framework</strong></span>: MITRE ATT&amp;CK<sup>TM</sup></p>
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
<p>Tactic:</p>
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
Name: Resource Development
</li>
<li class="listitem">
ID: TA0042
</li>
<li class="listitem">
Reference URL: <a href="https://attack.mitre.org/tactics/TA0042/" class="ulink" target="_top">https://attack.mitre.org/tactics/TA0042/</a>
</li>
</ul>
</div>
</li>
<li class="listitem">
<p>Technique:</p>
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
Name: Obtain Capabilities
</li>
<li class="listitem">
ID: T1588
</li>
<li class="listitem">
Reference URL: <a href="https://attack.mitre.org/techniques/T1588/" class="ulink" target="_top">https://attack.mitre.org/techniques/T1588/</a>
</li>
</ul>
</div>
</li>
<li class="listitem">
<p>Sub-technique:</p>
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
Name: Malware
</li>
<li class="listitem">
ID: T1588.001
</li>
<li class="listitem">
Reference URL: <a href="https://attack.mitre.org/techniques/T1588/001/" class="ulink" target="_top">https://attack.mitre.org/techniques/T1588/001/</a>
</li>
</ul>
</div>
</li>
</ul>
</div>
</div>
</div>
</div>
</div><div class="navfooter">
<span class="prev">
<a href="alternate-data-stream-creation-execution-at-volume-root-directory.html">« Alternate Data Stream Creation/Execution at Volume Root Directory</a>
</span>
<span class="next">
<a href="anomalous-process-for-a-linux-population.html">Anomalous Process For a Linux Population »</a>
</span>
</div>
<!-- end body -->
</div>
<div class="col-12 order-3 col-lg-2 order-lg-3 h-almost-full-lg sticky-top-lg" id="right_col">
<div id="sticky_content">
<!-- The OTP is appended here -->
<div class="row">
<div class="col-0 col-md-4 col-lg-0" id="bottom_left_col"></div>
<div class="col-12 col-md-8 col-lg-12">
<div id="rtpcontainer">
<div class="mktg-promo" id="most-popular">
<p class="aside-heading">Most Popular</p>
<div class="pb-2">
<p class="media-type">Video</p>
<a href="https://www.elastic.co/webinars/getting-started-elasticsearch?page=docs&amp;placement=top-video">
<p class="mb-0">Get Started with Elasticsearch</p>
</a>
</div>
<div class="pb-2">
<p class="media-type">Video</p>
<a href="https://www.elastic.co/webinars/getting-started-kibana?page=docs&amp;placement=top-video">
<p class="mb-0">Intro to Kibana</p>
</a>
</div>
<div class="pb-2">
<p class="media-type">Video</p>
<a href="https://www.elastic.co/webinars/introduction-elk-stack?page=docs&amp;placement=top-video">
<p class="mb-0">ELK for Logs &amp; Metrics</p>
</a>
</div>
</div>
</div>
<!-- Feedback widget -->
<div id="feedbackWidgetContainer"></div>
</div>
</div>
</div>
</div>
</div>
</div>
</section>
</div>
<div id='elastic-footer'></div>
<script src='https://www.elastic.co/elastic-footer.js'></script>
<!-- Footer Section end-->
</section>
</div>
<!-- Feedback modal -->
<div id="feedbackModalContainer"></div>
<script src="/guide/static/jquery.js"></script>
<script type="text/javascript" src="/guide/static/docs-v1.js"></script>
<script>
// Page-level state object; starts empty at load time.
window.initial_state = {};
</script>
</body>
</html>