Anybody successfully created a detection rule for Red Hat security updates

taprove · April 23, 2025, 2:17pm

I read that is is possible to create a detection rule to alert if there are security updates required on a Red Hat or CentOS box (we use RHEL for production, CentOS for testing).

I came across the following "query" but apparently I don't have things configured to access some of the values:

(system.os.name: "Red Hat" OR system.os.name: "CentOS") AND system.package.updates: >0 AND system.package.update.type: "security"

I don't appear to have system.os or system.package.

I would greatly appreciate it if anybody has accomplished this and is willing to share insight, or if someone knows an accurate resource they can point me to.

Thanks in advance!

lesio · May 9, 2025, 10:58am

There must be an integration added, beat running on the target machines producing documents with such content.

Did the query indicate required integration?

I think such objective can be achieved with

You can create a scheduled query to probe for available system updates.

Topic		Replies	Views
Update detection rules from elastic github repository to on-premises SIEM	3	692	September 1, 2020
Prebuilt security detection rules not showing any alters Elastic Security	2	338	January 27, 2023
Detection Rule CLI still relevant? Elastic Security detection-rules	2	425	May 2, 2023
Check monitored host available updates Elastic Agent winlogbeat	1	225	November 10, 2022
How to Monitor Hosts for System Updates with Watcher on Elastic Cloud? Elastic Community and Ecosystem elastic-stack-alerting	4	575	November 23, 2018

Anybody successfully created a detection rule for Red Hat security updates

Related topics