Installing all dependencies...
./env/detection-rules-build/bin/pip install .[dev]
Looking in indexes: https://pypi.org/simple, https://artifactory.elastic.dev/artifactory/api/pypi/pypi-endgame/simple
Processing /Users/stryker/workspace/ElasticGitHub/detection-rules
  Installing build dependencies: started
  Installing build dependencies: finished with status 'done'
  Getting requirements to build wheel: started
  Getting requirements to build wheel: finished with status 'done'
  Preparing metadata (pyproject.toml): started
  Preparing metadata (pyproject.toml): finished with status 'done'
Collecting detection-rules-kql@ git+https://github.com/elastic/detection-rules.git#subdirectory=lib/kql (from detection_rules==0.1.0)
  Cloning https://github.com/elastic/detection-rules.git to /private/var/folders/ng/zlptgm9552j2dhj_xzy0r32h0000gn/T/pip-install-0o84bb1d/detection-rules-kql_3550bda465fe4b31bd03877e4ce8255d
  Resolved https://github.com/elastic/detection-rules.git to commit 4c44f98cd6bd262c73fb23504a88773e37189e5c
  Installing build dependencies: started
  Installing build dependencies: finished with status 'done'
  Getting requirements to build wheel: started
  Getting requirements to build wheel: finished with status 'done'
  Preparing metadata (pyproject.toml): started
  Preparing metadata (pyproject.toml): finished with status 'done'
Collecting detection-rules-kibana@ git+https://github.com/elastic/detection-rules.git#subdirectory=lib/kibana (from detection_rules==0.1.0)
  Cloning https://github.com/elastic/detection-rules.git to /private/var/folders/ng/zlptgm9552j2dhj_xzy0r32h0000gn/T/pip-install-0o84bb1d/detection-rules-kibana_1a74e5e97017483f80b9b49129a81054
  Resolved https://github.com/elastic/detection-rules.git to commit 4c44f98cd6bd262c73fb23504a88773e37189e5c
  Installing build dependencies: started
  Installing build dependencies: finished with status 'done'
  Getting requirements to build wheel: started
  Getting requirements to build wheel: finished with status 'done'
  Preparing metadata (pyproject.toml): started
  Preparing metadata (pyproject.toml): finished with status 'done'
Requirement already satisfied: Click~=8.1.7 in ./env/detection-rules-build/lib/python3.12/site-packages (from detection_rules==0.1.0) (8.1.7)
Requirement already satisfied: elasticsearch~=8.12.1 in ./env/detection-rules-build/lib/python3.12/site-packages (from detection_rules==0.1.0) (8.12.1)
Requirement already satisfied: eql==0.9.19 in ./env/detection-rules-build/lib/python3.12/site-packages (from detection_rules==0.1.0) (0.9.19)
Requirement already satisfied: jsl==0.2.4 in ./env/detection-rules-build/lib/python3.12/site-packages (from detection_rules==0.1.0) (0.2.4)
Requirement already satisfied: jsonschema>=4.21.1 in ./env/detection-rules-build/lib/python3.12/site-packages (from detection_rules==0.1.0) (4.22.0)
Requirement already satisfied: marko==2.0.3 in ./env/detection-rules-build/lib/python3.12/site-packages (from detection_rules==0.1.0) (2.0.3)
Requirement already satisfied: marshmallow-dataclass~=8.6.0 in ./env/detection-rules-build/lib/python3.12/site-packages (from marshmallow-dataclass[union]~=8.6.0->detection_rules==0.1.0) (8.6.1)
Requirement already satisfied: marshmallow-jsonschema~=0.13.0 in ./env/detection-rules-build/lib/python3.12/site-packages (from detection_rules==0.1.0) (0.13.0)
Requirement already satisfied: marshmallow-union~=0.1.15 in ./env/detection-rules-build/lib/python3.12/site-packages (from detection_rules==0.1.0) (0.1.15.post1)
Requirement already satisfied: marshmallow~=3.21.1 in ./env/detection-rules-build/lib/python3.12/site-packages (from detection_rules==0.1.0) (3.21.2)
Requirement already satisfied: pytoml==0.1.21 in ./env/detection-rules-build/lib/python3.12/site-packages (from detection_rules==0.1.0) (0.1.21)
Requirement already satisfied: PyYAML~=6.0.1 in ./env/detection-rules-build/lib/python3.12/site-packages (from detection_rules==0.1.0) (6.0.1)
Requirement already satisfied: requests~=2.31.0 in ./env/detection-rules-build/lib/python3.12/site-packages (from detection_rules==0.1.0) (2.31.0)
Requirement already satisfied: toml==0.10.2 in ./env/detection-rules-build/lib/python3.12/site-packages (from detection_rules==0.1.0) (0.10.2)
Requirement already satisfied: typing-inspect==0.9.0 in ./env/detection-rules-build/lib/python3.12/site-packages (from detection_rules==0.1.0) (0.9.0)
Requirement already satisfied: typing-extensions==4.10.0 in ./env/detection-rules-build/lib/python3.12/site-packages (from detection_rules==0.1.0) (4.10.0)
Requirement already satisfied: XlsxWriter~=3.2.0 in ./env/detection-rules-build/lib/python3.12/site-packages (from detection_rules==0.1.0) (3.2.0)
Requirement already satisfied: semver==3.0.2 in ./env/detection-rules-build/lib/python3.12/site-packages (from detection_rules==0.1.0) (3.0.2)
Requirement already satisfied: lark-parser~=0.12.0 in ./env/detection-rules-build/lib/python3.12/site-packages (from eql==0.9.19->detection_rules==0.1.0) (0.12.0)
Requirement already satisfied: mypy-extensions>=0.3.0 in ./env/detection-rules-build/lib/python3.12/site-packages (from typing-inspect==0.9.0->detection_rules==0.1.0) (1.0.0)
Requirement already satisfied: pep8-naming==0.13.0 in ./env/detection-rules-build/lib/python3.12/site-packages (from detection_rules==0.1.0) (0.13.0)
Requirement already satisfied: PyGithub==2.2.0 in ./env/detection-rules-build/lib/python3.12/site-packages (from detection_rules==0.1.0) (2.2.0)
Requirement already satisfied: flake8==7.0.0 in ./env/detection-rules-build/lib/python3.12/site-packages (from detection_rules==0.1.0) (7.0.0)
Requirement already satisfied: pyflakes==3.2.0 in ./env/detection-rules-build/lib/python3.12/site-packages (from detection_rules==0.1.0) (3.2.0)
Requirement already satisfied: pytest>=8.1.1 in ./env/detection-rules-build/lib/python3.12/site-packages (from detection_rules==0.1.0) (8.2.0)
Requirement already satisfied: nodeenv==1.8.0 in ./env/detection-rules-build/lib/python3.12/site-packages (from detection_rules==0.1.0) (1.8.0)
Requirement already satisfied: pre-commit==3.6.2 in ./env/detection-rules-build/lib/python3.12/site-packages (from detection_rules==0.1.0) (3.6.2)
Requirement already satisfied: mccabe<0.8.0,>=0.7.0 in ./env/detection-rules-build/lib/python3.12/site-packages (from flake8==7.0.0->detection_rules==0.1.0) (0.7.0)
Requirement already satisfied: pycodestyle<2.12.0,>=2.11.0 in ./env/detection-rules-build/lib/python3.12/site-packages (from flake8==7.0.0->detection_rules==0.1.0) (2.11.1)
Requirement already satisfied: setuptools in ./env/detection-rules-build/lib/python3.12/site-packages (from nodeenv==1.8.0->detection_rules==0.1.0) (69.5.1)
Requirement already satisfied: cfgv>=2.0.0 in ./env/detection-rules-build/lib/python3.12/site-packages (from pre-commit==3.6.2->detection_rules==0.1.0) (3.4.0)
Requirement already satisfied: identify>=1.0.0 in ./env/detection-rules-build/lib/python3.12/site-packages (from pre-commit==3.6.2->detection_rules==0.1.0) (2.5.36)
Requirement already satisfied: virtualenv>=20.10.0 in ./env/detection-rules-build/lib/python3.12/site-packages (from pre-commit==3.6.2->detection_rules==0.1.0) (20.26.1)
Requirement already satisfied: pynacl>=1.4.0 in ./env/detection-rules-build/lib/python3.12/site-packages (from PyGithub==2.2.0->detection_rules==0.1.0) (1.5.0)
Requirement already satisfied: pyjwt>=2.4.0 in ./env/detection-rules-build/lib/python3.12/site-packages (from pyjwt[crypto]>=2.4.0->PyGithub==2.2.0->detection_rules==0.1.0) (2.8.0)
Requirement already satisfied: urllib3>=1.26.0 in ./env/detection-rules-build/lib/python3.12/site-packages (from PyGithub==2.2.0->detection_rules==0.1.0) (2.2.1)
Requirement already satisfied: Deprecated in ./env/detection-rules-build/lib/python3.12/site-packages (from PyGithub==2.2.0->detection_rules==0.1.0) (1.2.14)
Requirement already satisfied: elastic-transport<9,>=8 in ./env/detection-rules-build/lib/python3.12/site-packages (from elasticsearch~=8.12.1->detection_rules==0.1.0) (8.13.0)
Requirement already satisfied: attrs>=22.2.0 in ./env/detection-rules-build/lib/python3.12/site-packages (from jsonschema>=4.21.1->detection_rules==0.1.0) (23.2.0)
Requirement already satisfied: jsonschema-specifications>=2023.03.6 in ./env/detection-rules-build/lib/python3.12/site-packages (from jsonschema>=4.21.1->detection_rules==0.1.0) (2023.12.1)
Requirement already satisfied: referencing>=0.28.4 in ./env/detection-rules-build/lib/python3.12/site-packages (from jsonschema>=4.21.1->detection_rules==0.1.0) (0.35.1)
Requirement already satisfied: rpds-py>=0.7.1 in ./env/detection-rules-build/lib/python3.12/site-packages (from jsonschema>=4.21.1->detection_rules==0.1.0) (0.18.1)
Requirement already satisfied: packaging>=17.0 in ./env/detection-rules-build/lib/python3.12/site-packages (from marshmallow~=3.21.1->detection_rules==0.1.0) (24.0)
Requirement already satisfied: typeguard<4.0.0,>=2.4.1 in ./env/detection-rules-build/lib/python3.12/site-packages (from marshmallow-dataclass[union]~=8.6.0->detection_rules==0.1.0) (3.0.2)
Requirement already satisfied: iniconfig in ./env/detection-rules-build/lib/python3.12/site-packages (from pytest>=8.1.1->detection_rules==0.1.0) (2.0.0)
Requirement already satisfied: pluggy<2.0,>=1.5 in ./env/detection-rules-build/lib/python3.12/site-packages (from pytest>=8.1.1->detection_rules==0.1.0) (1.5.0)
Requirement already satisfied: charset-normalizer<4,>=2 in ./env/detection-rules-build/lib/python3.12/site-packages (from requests~=2.31.0->detection_rules==0.1.0) (3.3.2)
Requirement already satisfied: idna<4,>=2.5 in ./env/detection-rules-build/lib/python3.12/site-packages (from requests~=2.31.0->detection_rules==0.1.0) (3.7)
Requirement already satisfied: certifi>=2017.4.17 in ./env/detection-rules-build/lib/python3.12/site-packages (from requests~=2.31.0->detection_rules==0.1.0) (2024.2.2)
Requirement already satisfied: cryptography>=3.4.0 in ./env/detection-rules-build/lib/python3.12/site-packages (from pyjwt[crypto]>=2.4.0->PyGithub==2.2.0->detection_rules==0.1.0) (42.0.7)
Requirement already satisfied: cffi>=1.4.1 in ./env/detection-rules-build/lib/python3.12/site-packages (from pynacl>=1.4.0->PyGithub==2.2.0->detection_rules==0.1.0) (1.16.0)
Requirement already satisfied: distlib<1,>=0.3.7 in ./env/detection-rules-build/lib/python3.12/site-packages (from virtualenv>=20.10.0->pre-commit==3.6.2->detection_rules==0.1.0) (0.3.8)
Requirement already satisfied: filelock<4,>=3.12.2 in ./env/detection-rules-build/lib/python3.12/site-packages (from virtualenv>=20.10.0->pre-commit==3.6.2->detection_rules==0.1.0) (3.14.0)
Requirement already satisfied: platformdirs<5,>=3.9.1 in ./env/detection-rules-build/lib/python3.12/site-packages (from virtualenv>=20.10.0->pre-commit==3.6.2->detection_rules==0.1.0) (4.2.1)
Requirement already satisfied: wrapt<2,>=1.10 in ./env/detection-rules-build/lib/python3.12/site-packages (from Deprecated->PyGithub==2.2.0->detection_rules==0.1.0) (1.16.0)
Requirement already satisfied: pycparser in ./env/detection-rules-build/lib/python3.12/site-packages (from cffi>=1.4.1->pynacl>=1.4.0->PyGithub==2.2.0->detection_rules==0.1.0) (2.22)
Building wheels for collected packages: detection_rules
  Building wheel for detection_rules (pyproject.toml): started
  Building wheel for detection_rules (pyproject.toml): finished with status 'done'
  Created wheel for detection_rules: filename=detection_rules-0.1.0-py3-none-any.whl size=41035207 sha256=61c871874798835a37882b825ac35a04d2c5fba17b592872a9426fce07304b7b
  Stored in directory: /Users/stryker/Library/Caches/pip/wheels/21/c6/ab/8e432f1a2900ee2a465d751436987791213ddef360666b4436
Successfully built detection_rules
Installing collected packages: detection_rules
  Attempting uninstall: detection_rules
    Found existing installation: detection_rules 0.1.0
    Uninstalling detection_rules-0.1.0:
      Successfully uninstalled detection_rules-0.1.0
Successfully installed detection_rules-0.1.0
./env/detection-rules-build/bin/pip install lib/kibana
Looking in indexes: https://pypi.org/simple, https://artifactory.elastic.dev/artifactory/api/pypi/pypi-endgame/simple
Processing ./lib/kibana
  Installing build dependencies: started
  Installing build dependencies: finished with status 'done'
  Getting requirements to build wheel: started
  Getting requirements to build wheel: finished with status 'done'
  Preparing metadata (pyproject.toml): started
  Preparing metadata (pyproject.toml): finished with status 'done'
Requirement already satisfied: requests<3.0,>=2.25 in ./env/detection-rules-build/lib/python3.12/site-packages (from detection-rules-kibana==0.4.0) (2.31.0)
Requirement already satisfied: elasticsearch~=8.12.1 in ./env/detection-rules-build/lib/python3.12/site-packages (from detection-rules-kibana==0.4.0) (8.12.1)
Requirement already satisfied: elastic-transport<9,>=8 in ./env/detection-rules-build/lib/python3.12/site-packages (from elasticsearch~=8.12.1->detection-rules-kibana==0.4.0) (8.13.0)
Requirement already satisfied: charset-normalizer<4,>=2 in ./env/detection-rules-build/lib/python3.12/site-packages (from requests<3.0,>=2.25->detection-rules-kibana==0.4.0) (3.3.2)
Requirement already satisfied: idna<4,>=2.5 in ./env/detection-rules-build/lib/python3.12/site-packages (from requests<3.0,>=2.25->detection-rules-kibana==0.4.0) (3.7)
Requirement already satisfied: urllib3<3,>=1.21.1 in ./env/detection-rules-build/lib/python3.12/site-packages (from requests<3.0,>=2.25->detection-rules-kibana==0.4.0) (2.2.1)
Requirement already satisfied: certifi>=2017.4.17 in ./env/detection-rules-build/lib/python3.12/site-packages (from requests<3.0,>=2.25->detection-rules-kibana==0.4.0) (2024.2.2)
Building wheels for collected packages: detection-rules-kibana
  Building wheel for detection-rules-kibana (pyproject.toml): started
  Building wheel for detection-rules-kibana (pyproject.toml): finished with status 'done'
  Created wheel for detection-rules-kibana: filename=detection_rules_kibana-0.4.0-py3-none-any.whl size=9479 sha256=70c47dc9e79d74feb882e23100800ccb22675fd9f04544914ad918e308329a6f
  Stored in directory: /private/var/folders/ng/zlptgm9552j2dhj_xzy0r32h0000gn/T/pip-ephem-wheel-cache-unoa0gem/wheels/2a/c1/12/5373374ecdfaec5b2aef4b10c88f87a24e8a45c85b746184b6
Successfully built detection-rules-kibana
Installing collected packages: detection-rules-kibana
  Attempting uninstall: detection-rules-kibana
    Found existing installation: detection-rules-kibana 0.4.0
    Uninstalling detection-rules-kibana-0.4.0:
      Successfully uninstalled detection-rules-kibana-0.4.0
Successfully installed detection-rules-kibana-0.4.0
./env/detection-rules-build/bin/pip install lib/kql
Looking in indexes: https://pypi.org/simple, https://artifactory.elastic.dev/artifactory/api/pypi/pypi-endgame/simple
Processing ./lib/kql
  Installing build dependencies: started
  Installing build dependencies: finished with status 'done'
  Getting requirements to build wheel: started
  Getting requirements to build wheel: finished with status 'done'
  Preparing metadata (pyproject.toml): started
  Preparing metadata (pyproject.toml): finished with status 'done'
Requirement already satisfied: eql==0.9.19 in ./env/detection-rules-build/lib/python3.12/site-packages (from detection-rules-kql==0.1.7) (0.9.19)
Requirement already satisfied: lark-parser>=0.12.0 in ./env/detection-rules-build/lib/python3.12/site-packages (from detection-rules-kql==0.1.7) (0.12.0)
Building wheels for collected packages: detection-rules-kql
  Building wheel for detection-rules-kql (pyproject.toml): started
  Building wheel for detection-rules-kql (pyproject.toml): finished with status 'done'
  Created wheel for detection-rules-kql: filename=detection_rules_kql-0.1.7-py3-none-any.whl size=16336 sha256=322d858f1dc05c4567afad7d7847aaa19f6ff636cfa7afbd6a9def54e37a4a4b
  Stored in directory: /private/var/folders/ng/zlptgm9552j2dhj_xzy0r32h0000gn/T/pip-ephem-wheel-cache-me_odjtv/wheels/7c/be/eb/f105f81d04c0575e48ab4ce963914f5c752b3b89fc58b3e94f
Successfully built detection-rules-kql
Installing collected packages: detection-rules-kql
  Attempting uninstall: detection-rules-kql
    Found existing installation: detection-rules-kql 0.1.7
    Uninstalling detection-rules-kql-0.1.7:
      Successfully uninstalled detection-rules-kql-0.1.7
Successfully installed detection-rules-kql-0.1.7
Executing test_cli script...
Running detection-rules CLI tests...
Refreshing redirect mappings in ATT&CK
Loaded config file: /Users/stryker/workspace/ElasticGitHub/detection-rules/.detection-rules-cfg.json
█▀▀▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄ ▄ █▀▀▄ ▄ ▄ ▄ ▄▄▄ ▄▄▄
█ █ █▄▄ █ █▄▄ █ █ █ █ █ █▀▄ █ █▄▄▀ █ █ █ █▄▄ █▄▄
█▄▄▀ █▄▄ █ █▄▄ █▄▄ █ ▄█▄ █▄█ █ ▀▄█ █ ▀▄ █▄▄█ █▄▄ █▄▄ ▄▄█
refreshing data in attack_technique_redirects.json
refreshed mapping file: /Users/stryker/workspace/ElasticGitHub/detection-rules/detection_rules/etc/attack-technique-redirects.json
Viewing rule: threat_intel_indicator_match_address.toml
Loaded config file: /Users/stryker/workspace/ElasticGitHub/detection-rules/.detection-rules-cfg.json
{
  "author": [
    "Elastic"
  ],
  "description": "This rule is triggered when an IP address indicator from the Threat Intel Filebeat module or integrations has a match against a network event.",
  "from": "now-65m",
  "index": [
    "auditbeat-*",
    "endgame-*",
    "filebeat-*",
    "logs-*",
    "packetbeat-*",
    "winlogbeat-*"
  ],
  "interval": "1h",
  "language": "kuery",
  "license": "Elastic License v2",
  "name": "Threat Intel IP Address Indicator Match",
  "note": "## Triage and Analysis\n\n### Investigating Threat Intel IP Address Indicator Match\n\nThreat Intel indicator match rules allow matching from a local observation, such as an endpoint event that records a file hash with an entry of a file hash stored within the Threat Intel integrations index.\n\nMatches are based on threat intelligence data that's been ingested during the last 30 days. Some integrations don't place expiration dates on their threat indicators, so we strongly recommend validating ingested threat indicators and reviewing match results. When reviewing match results, check associated activity to determine whether the event requires additional investigation.\n\nThis rule is triggered when an IP address indicator from the Threat Intel Filebeat module or a threat intelligence integration matches against a network event.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Gain context about the field that matched the local observation so you can understand the nature of the connection. This information can be found in the `threat.indicator.matched.field` field.\n- Investigate the IP address, which can be found in the `threat.indicator.matched.atomic` field:\n - Check the reputation of the IP address in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n - Execute a reverse DNS lookup to retrieve hostnames associated with the given IP address.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Identify the process responsible for the connection, and investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Retrieve the involved process executable and examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n- Using the data collected through the analysis, scope users targeted and other machines infected in the environment.\n\n### False Positive Analysis\n\n- When a match is found, it's important to consider the indicator's initial release date. Threat intelligence is useful for augmenting existing security processes but can quickly become outdated. In other words, some threat intelligence only represents a specific set of activity observed at a specific time. For example, an IP address may have hosted malware observed in a Dridex campaign months ago, but it's possible that IP has been remediated and no longer represents any threat.\n- False positives might occur after large and publicly written campaigns if curious employees interact with attacker infrastructure.\n- Some feeds may include internal or known benign addresses by mistake (e.g., 8.8.8.8, google.com, 127.0.0.1, etc.). Make sure you understand how blocking a specific domain or address might impact the organization or normal system functioning.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
  "query": "source.ip:* or destination.ip:*\n",
  "references": [
    "https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html",
    "https://www.elastic.co/guide/en/security/master/es-threat-intel-integrations.html",
    "https://www.elastic.co/security/tip"
  ],
  "required_fields": [
    {
      "ecs": true,
      "name": "destination.ip",
      "type": "ip"
    },
    {
      "ecs": true,
      "name": "source.ip",
      "type": "ip"
    }
  ],
  "risk_score": 99,
  "rule_id": "0c41e478-5263-4c69-8f9e-7dfd2c22da64",
  "setup": "## Setup\n\nThis rule needs threat intelligence indicators to work.\nThreat intelligence indicators can be collected using an [Elastic Agent integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#agent-ti-integration),\nthe [Threat Intel module](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#ti-mod-integration),\nor a [custom integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#custom-ti-integration).\n\nMore information can be found [here](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html).\n",
  "severity": "critical",
  "tags": [
    "OS: Windows",
    "Data Source: Elastic Endgame",
    "Rule Type: Threat Match"
  ],
  "threat_filters": [
    {
      "$state": {
        "store": "appState"
      },
      "meta": {
        "disabled": false,
        "key": "event.category",
        "negate": false,
        "params": {
          "query": "threat"
        },
        "type": "phrase"
      },
      "query": {
        "match_phrase": {
          "event.category": "threat"
        }
      }
    },
    {
      "$state": {
        "store": "appState"
      },
      "meta": {
        "disabled": false,
        "key": "event.kind",
        "negate": false,
        "params": {
          "query": "enrichment"
        },
        "type": "phrase"
      },
      "query": {
        "match_phrase": {
          "event.kind": "enrichment"
        }
      }
    },
    {
      "$state": {
        "store": "appState"
      },
      "meta": {
        "disabled": false,
        "key": "event.type",
        "negate": false,
        "params": {
          "query": "indicator"
        },
        "type": "phrase"
      },
      "query": {
        "match_phrase": {
          "event.type": "indicator"
        }
      }
    }
  ],
  "threat_index": [
    "filebeat-*",
    "logs-ti_*"
  ],
  "threat_indicator_path": "threat.indicator",
  "threat_language": "kuery",
  "threat_mapping": [
    {
      "entries": [
        {
          "field": "source.ip",
          "type": "mapping",
          "value": "threat.indicator.ip"
        }
      ]
    },
    {
      "entries": [
        {
          "field": "destination.ip",
          "type": "mapping",
          "value": "threat.indicator.ip"
        }
      ]
    }
  ],
  "threat_query": "@timestamp >= \"now-30d/d\" and event.module:(threatintel or ti_*) and threat.indicator.ip:* and not labels.is_ioc_transform_source:\"true\"",
  "timeline_id": "495ad7a7-316e-4544-8a0f-9c098daee76e",
  "timeline_title": "Generic Threat Match Timeline",
  "timestamp_override": "event.ingested",
  "type": "threat_match",
  "version": 7
}
Exporting rule by ID: 0a97b20f-4144-49ea-be32-b540ecc445de
Loaded config file: /Users/stryker/workspace/ElasticGitHub/detection-rules/.detection-rules-cfg.json
Exported 1 rules into tmp-export/test_rule.ndjson
Importing rule by ID: 0a97b20f-4144-49ea-be32-b540ecc445de
Loaded config file: /Users/stryker/workspace/ElasticGitHub/detection-rules/.detection-rules-cfg.json
[+] Building rule for tmp-export/malware_detected_elastic_endgame.toml
1 results exported
1 rules converted
0 exceptions exported
0 actions connectors exported
Updating rule data schemas
Loaded config file: /Users/stryker/workspace/ElasticGitHub/detection-rules/.detection-rules-cfg.json
Validating rule: execution_github_new_event_action_for_pat.toml
Loaded config file: /Users/stryker/workspace/ElasticGitHub/detection-rules/.detection-rules-cfg.json
Rule validation successful
Checking licenses
Loaded config file: /Users/stryker/workspace/ElasticGitHub/detection-rules/.detection-rules-cfg.json
Building release and updating version lock
Loaded config file: /Users/stryker/workspace/ElasticGitHub/detection-rules/.detection-rules-cfg.json
[+] Building package 8.16
  - 5 rules excluded from package
Rule changes detected!
  - 218 changed rules
  - 1 new rules
  - 0 newly deprecated rules
run `build-release --update-version-lock` to update version.lock.json and deprecated_rules.json
Rule changes detected!
  - 218 changed rules
  - 1 new rules
  - 0 newly deprecated rules
Detailed changes:
A: 28371aa1-14ed-46cf-ab5b-2fc7d1942278, new version: 1
  - min_stack_version added: 8.13.0
A: 0415258b-a7b2-48a6-891a-3367cd9d4d31, new version: 1
  - min_stack_version added: 8.10.0
A: 4182e486-fc61-11ee-a05d-f661ea17fbce, new version: 1
  - min_stack_version added: 8.13.0
A: 5f0234fd-7f21-42af-8391-511d5fd11d5c, new version: 2
  - min_stack_version added: 8.13.0
A: 7fda9bb2-fd28-11ee-85f9-f661ea17fbce, new version: 2
  - min_stack_version added: 8.13.0
A: ab8f074c-5565-4bc4-991c-d49770e19fc9, new version: 1
  - min_stack_version added: 8.13.0
A: 696015ef-718e-40ff-ac4a-cc2ba88dbeeb, new version: 2
  - min_stack_version added: 8.13.0
A: df919b5e-a0f6-4fd8-8598-e3ce79299e3b, new version: 2
  - min_stack_version added: 8.13.0
A: dde13d58-bc39-4aa0-87fd-b4bdbf4591da, new version: 2
  - min_stack_version added: 8.13.0
A: 9aa4be8d-5828-417d-9f54-7cd304571b24, new version: 2
  - min_stack_version added: 8.13.0
A: 0cd2f3e6-41da-40e6-b28b-466f688f00a6, new version: 1
  - min_stack_version added: 8.13.0
A: f4c2515a-18bb-47ce-a768-1dc4e7b0fe6c, new version: 1
  - min_stack_version added: 8.13.0
A: 4f855297-c8e0-4097-9d97-d653f7e471c4, new version: 1
  - min_stack_version added: 8.13.0
A: b1773d05-f349-45fb-9850-287b8f92f02d, new version: 1
  - min_stack_version added: 8.13.0
A: 17261da3-a6d0-463c-aac8-ea1718afcd20, new version: 1
  - min_stack_version added: 8.13.0
A: 5397080f-34e5-449b-8e9c-4c8083d7ccc6, new version: 6
  - min_stack_version added: 8.10.0
A: 0ab319ef-92b8-4c7f-989b-5de93c852e93, new version: 5
  - min_stack_version added: 8.10.0
A: cc382a2e-7e52-11ee-9aac-f661ea17fbcd, new version: 102
  - min_stack_version added: 8.13.0
A: 94e734c0-2cda-11ef-84e1-f661ea17fbce, new version: 1
  - min_stack_version added: 8.13.0
A: 95b99adc-2cda-11ef-84e1-f661ea17fbce, new version: 1
  - min_stack_version added: 8.13.0
A: 23f18264-2d6d-11ef-9413-f661ea17fbce, new version: 1
  - min_stack_version added: 8.13.0
A: 2e56e1bc-867a-11ee-b13e-f661ea17fbcd, new version: 101
  - min_stack_version added: 8.13.0
A: 5c351f54-4187-4ad8-abc8-29b0cfbef8b1, new version: 2
  - min_stack_version added: 8.11.0
A: a80d96cd-1164-41b3-9852-ef58724be496, new version: 1
  - min_stack_version added: 8.10.0
A: f4d1c0ac-aedb-4063-9fa6-cc651eb5e6ee, new version: 1
  - min_stack_version added: 8.10.0
A: 8cc72fa3-70ae-4ea1-bee2-8e6aaf3c1fcf, new version: 1
  - min_stack_version added: 8.10.0
A: f7c70f2e-4616-439c-85ac-5b98415042fe, new version: 2
  - min_stack_version added: 8.11.0
A: bc0fc359-68db-421e-a435-348ced7a7f92, new version: 2
  - min_stack_version added: 8.11.0
A: c296f888-eac6-4543-8da5-b6abb0d3304f, new version: 2
  - min_stack_version added: 8.11.0
A: 28bc620d-b2f7-4132-b372-f77953881d05, new version: 2
  - min_stack_version added: 8.11.0
A: d55abdfb-5384-402b-add4-6c401501b0c3, new version: 3
  - min_stack_version added: 8.11.0
A: 9b80cb26-9966-44b5-abbf-764fbdbc3586, new version: 3
  - min_stack_version added: 8.11.0
A: 20457e4f-d1de-4b92-ae69-142e27a4342a, new version: 208
  - min_stack_version added: 8.11.0
A: 7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1, new version: 206
  - min_stack_version added: 8.11.0
A: 66da12b1-ac83-40eb-814c-07ed1d82b7b9, new version: 207
  - min_stack_version added: 8.11.0
A: 37f638ea-909d-4f94-9248-edd21e4a9906, new version: 206
  - min_stack_version added: 8.11.0
A: 827f8d8f-4117-4ae4-b551-f56d54b9da6b, new version: 207
  - min_stack_version added: 8.11.0
A: 565c2b44-7a21-4818-955f-8d4737967d2e, new version: 206
  - min_stack_version added: 8.11.0
A: 3a657da0-1df2-11ef-a327-f661ea17fbcc, new version: 103
  - min_stack_version added: 8.13.0
A: 6aace640-e631-4870-ba8e-5fdda09325db, new version: 315
  - min_stack_version added: 8.13.0
A: 54a81f68-5f2a-421e-8eed-f888278bb712, new version: 108
  - min_stack_version added: 8.12.0
A: 92984446-aefb-4d5e-ad12-598042ca80ba, new version: 108
  - min_stack_version added: 8.12.0
A: 3535c8bb-3bd5-40f4-ae32-b7cd589d5372, new version: 312
  - min_stack_version added: 8.13.0
A: 76fd43b7-3480-4dd9-8ad7-8bd36bfad92f, new version: 314
  - min_stack_version added: 8.13.0
A: 78de1aeb-5225-4067-b8cc-f4a1de8a8546, new version: 205
  - min_stack_version added: 8.13.0
A: b83a7e96-2eb3-4edf-8346-427b6858d3bd, new version: 311
  - min_stack_version added: 8.13.0
A: b8f8da2d-a9dc-48c0-90e4-955c0aa1259a, new version: 209
  - min_stack_version added: 8.13.0
A: ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6, new version: 311
  - min_stack_version added: 8.13.0
A: fa488440-04cc-41d7-9279-539387bf2a17, new version: 213
  - min_stack_version added: 8.13.0
A: 93c1ce76-494c-4f01-8167-35edfb52f7b1, new version: 310
  - min_stack_version added: 8.13.0
A: ac5012b8-8da8-440b-aaaf-aedafdea2dff, new version: 314
  - min_stack_version added: 8.13.0
A: 07b1ef73-1fde-4a49-a34a-5dd40011b076, new version: 212
  - min_stack_version added: 8.13.0
A: e26f042e-c590-4e82-8e05-41e81bd822ad, new version: 213
  - min_stack_version added: 8.12.0
A: 81fe9dc6-a2d7-4192-a2d8-eed98afc766a, new version: 212
  - min_stack_version added: 8.12.0
A: 5188c68e-d3de-4e96-994d-9e242269446f, new version: 103
  - min_stack_version added: 8.13.0
A: 97aba1ef-6034-4bd3-8c1a-1e0996b27afa, new version: 314
  - min_stack_version added: 8.13.0
A: 61ac3638-40a3-44b2-855a-985636ca985e, new version: 214
  - min_stack_version added: 8.12.0
A: 291a0de9-937a-4189-94c0-3e847c8b13e4, new version: 312
  - min_stack_version added: 8.12.0
A: 3b47900d-e793-49e8-968f-c90dc3526aa1, new version: 313
  - min_stack_version added: 8.13.0
A: cde1bafa-9f01-4f43-a872-605b678968b0, new version: 111
  - min_stack_version added: 8.12.0
A: 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe, new version: 211
  - min_stack_version added: 8.12.0
A: 7e23dfef-da2c-4d64-b11d-5f285b638853, new version: 205
  - min_stack_version added: 8.13.0
A: 32f4675e-6c49-4ace-80f9-97c9259dca2e, new version: 315
  - min_stack_version added: 8.13.0
A: 8e2485b6-a74f-411b-bf7f-38b819f3a846, new version: 104
  - min_stack_version added: 8.13.0
A: 2bf78aa2-9c56-48de-b139-f169bf99cf86, new version: 314
  -
min_stack_version added: 8.13.0 A: 513f0ffd-b317-4b9c-9494-92ce861f22c7, new version: 312 - min_stack_version added: 8.13.0 A: 1327384f-00f3-44d5-9a8c-2373ba071e92, new version: 310 - min_stack_version added: 8.13.0 A: 0022d47d-39c7-4f69-a232-4fe9dc7a3acd, new version: 314 - min_stack_version added: 8.13.0 A: c3b915e0-22f3-4bf7-991d-b643513c722f, new version: 309 - min_stack_version added: 8.13.0 A: 2917d495-59bd-4250-b395-c29409b76086, new version: 314 - min_stack_version added: 8.13.0 A: 27071ea3-e806-4697-8abc-e22c92aa4293, new version: 106 - min_stack_version added: 8.12.0 A: 3d3aa8f9-12af-441f-9344-9f31053e316d, new version: 106 - min_stack_version added: 8.12.0 A: e28b8093-833b-4eda-b877-0873d134cf3c, new version: 2 - min_stack_version added: 8.11.0 A: 1e0a3f7c-21e7-4bb1-98c7-2036612fb1be, new version: 107 - min_stack_version added: 8.12.0 A: 0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83, new version: 106 - min_stack_version added: 8.12.0 A: a577e524-c2ee-47bd-9c5b-e917d01d3276, new version: 2 - min_stack_version added: 8.11.0 Updated /Users/stryker/workspace/ElasticGitHub/detection-rules/detection_rules/etc/version.lock.json file Package saved to: /Users/stryker/workspace/ElasticGitHub/detection-rules/releases/8.16 loaded security_detection_engine manifests from the following package versions: ['8.15.2', '8.15.1', '8.14.8', '8.14.7', '8.14.6', '8.14.5', '8.14.4', '8.14.3', '8.14.2', '8.14.1', '8.13.14', '8.13.13', '8.13.12', '8.13.11', '8.13.10', '8.13.9', '8.13.8', '8.13.7', '8.13.6', '8.13.5', '8.13.4', '8.13.3', '8.13.2', '8.13.1', '8.12.19', '8.12.18', '8.12.17', '8.12.16', '8.12.15', '8.12.14', '8.12.13', '8.12.12', '8.12.11', '8.12.10', '8.12.9', '8.12.8', '8.12.7', '8.12.6', '8.12.5', '8.12.4', '8.12.3', '8.12.2', '8.12.1', '8.11.21', '8.11.20', '8.11.19', '8.11.18', '8.11.17', '8.11.16', '8.11.15', '8.11.14', '8.11.13', '8.11.12', '8.11.11', '8.11.10', '8.11.9', '8.11.8', '8.11.7', '8.11.6', '8.11.5', '8.11.4', '8.11.3', '8.11.2', '8.11.1', '8.10.18', 
'8.10.17', '8.10.16', '8.10.15', '8.10.14', '8.10.13', '8.10.12', '8.10.11', '8.10.10', '8.10.9', '8.10.8', '8.10.7', '8.10.6', '8.10.5', '8.10.4', '8.10.3', '8.10.2', '8.10.1', '8.9.15', '8.9.14', '8.9.13', '8.9.12', '8.9.11', '8.9.10', '8.9.9', '8.9.8', '8.9.7', '8.9.6', '8.9.5', '8.9.4', '8.9.3', '8.9.2', '8.9.1', '8.8.15', '8.8.14', '8.8.13', '8.8.12', '8.8.11', '8.8.10', '8.8.9', '8.8.8', '8.8.7', '8.8.6', '8.8.5', '8.8.4', '8.8.3', '8.8.2', '8.8.1', '8.7.13', '8.7.12', '8.7.11', '8.7.10', '8.7.9', '8.7.8', '8.7.7', '8.7.6', '8.7.5', '8.7.4', '8.7.3', '8.7.2', '8.7.1', '8.6.10', '8.6.9', '8.6.8', '8.6.7', '8.6.6', '8.6.5', '8.6.4', '8.6.3', '8.6.2', '8.6.1', '8.5.8', '8.5.7', '8.5.6', '8.5.5', '8.5.4', '8.5.3', '8.5.2', '8.5.1', '8.4.5', '8.4.4', '8.4.3', '8.4.2', '8.4.1', '8.3.4', '8.3.3', '8.3.2', '8.3.1', '8.2.1', '8.1.1', '1.0.2', '1.0.1'] [+] Adding historical rules from 8.15.2 package - sha256: 7bba0387d472c116ce4b9bdeab0d6a36e2499fccc2dba4fae790c65797f7be83 - 1192 rules included Refreshing ATT&CK data Loaded config file: /Users/stryker/workspace/ElasticGitHub/detection-rules/.detection-rules-cfg.json █▀▀▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄ ▄ █▀▀▄ ▄ ▄ ▄ ▄▄▄ ▄▄▄ █ █ █▄▄ █ █▄▄ █ █ █ █ █ █▀▄ █ █▄▄▀ █ █ █ █▄▄ █▄▄ █▄▄▀ █▄▄ █ █▄▄ █▄▄ █ ▄█▄ █▄█ █ ▀▄█ █ ▀▄ █▄▄█ █▄▄ █▄▄ ▄▄█ No versions newer than the current detected: 15.1.0 Updating rules with latest ATT&CK data Loaded config file: /Users/stryker/workspace/ElasticGitHub/detection-rules/.detection-rules-cfg.json █▀▀▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄ ▄ █▀▀▄ ▄ ▄ ▄ ▄▄▄ ▄▄▄ █ █ █▄▄ █ █▄▄ █ █ █ █ █ █▀▄ █ █▄▄▀ █ █ █ █▄▄ █▄▄ █▄▄▀ █▄▄ █ █▄▄ █▄▄ █ ▄█▄ █▄█ █ ▀▄█ █ ▀▄ █▄▄█ █▄▄ █▄▄ ▄▄█ No rule changes needed Getting target branches Loaded config file: /Users/stryker/workspace/ElasticGitHub/detection-rules/.detection-rules-cfg.json █▀▀▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄ ▄ █▀▀▄ ▄ ▄ ▄ ▄▄▄ ▄▄▄ █ █ █▄▄ █ █▄▄ █ █ █ █ █ █▀▄ █ █▄▄▀ █ █ █ █▄▄ █▄▄ █▄▄▀ █▄▄ █ █▄▄ █▄▄ █ ▄█▄ █▄█ █ ▀▄█ █ ▀▄ █▄▄█ █▄▄ █▄▄ ▄▄█ Showing latest compatible version for 
security_detection_engine with stack version 8.12.0 Loaded config file: /Users/stryker/workspace/ElasticGitHub/detection-rules/.detection-rules-cfg.json █▀▀▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄ ▄ █▀▀▄ ▄ ▄ ▄ ▄▄▄ ▄▄▄ █ █ █▄▄ █ █▄▄ █ █ █ █ █ █▀▄ █ █▄▄▀ █ █ █ █▄▄ █▄▄ █▄▄▀ █▄▄ █ █▄▄ █▄▄ █ ▄█▄ █▄█ █ ▀▄█ █ ▀▄ █▄▄█ █▄▄ █▄▄ ▄▄█ Compatible integration version=('8.15.0', ('There is a new integration endpoint version 8.15.0 available!', 'Update the rule min_stack version from 8.12.0 to 8.15.0 if using new features in this latest version.')) Building limited rules for stack version 8.12 Loaded config file: /Users/stryker/workspace/ElasticGitHub/detection-rules/.detection-rules-cfg.json █▀▀▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄ ▄ █▀▀▄ ▄ ▄ ▄ ▄▄▄ ▄▄▄ █ █ █▄▄ █ █▄▄ █ █ █ █ █ █▀▄ █ █▄▄▀ █ █ █ █▄▄ █▄▄ █▄▄▀ █▄▄ █ █▄▄ █▄▄ █ ▄█▄ █▄█ █ ▀▄█ █ ▀▄ █▄▄█ █▄▄ █▄▄ ▄▄█ Potential Widespread Malware Infection Across Multiple Hosts - Skipping unsupported rule type: esql AWS EC2 EBS Snapshot Shared with Another Account - Skipping unsupported rule type: esql AWS S3 Bucket Enumeration or Brute Force - Skipping unsupported rule type: esql Potential AWS S3 Bucket Ransomware Note Uploaded - Skipping unsupported rule type: esql AWS S3 Object Encryption Using External KMS Key - Skipping unsupported rule type: esql AWS IAM User Created Access Keys For Another User - Skipping unsupported rule type: esql AWS IAM AdministratorAccess Policy Attached to Group - Skipping unsupported rule type: esql AWS IAM AdministratorAccess Policy Attached to Role - Skipping unsupported rule type: esql AWS IAM AdministratorAccess Policy Attached to User - Skipping unsupported rule type: esql AWS Bedrock Guardrails Detected Multiple Violations by a Single User Over a Session - Skipping unsupported rule type: esql AWS Bedrock Guardrails Detected Multiple Policy Violations Within a Single Blocked Request - Skipping unsupported rule type: esql Unusual High Confidence Misconduct Blocks Detected - Skipping unsupported rule type: esql Potential 
Abuse of Resources by High Token Count and Large Response Sizes - Skipping unsupported rule type: esql AWS Bedrock Detected Multiple Attempts to use Denied Models by a Single User - Skipping unsupported rule type: esql Attempts to Brute Force a Microsoft 365 User Account - Skipping unsupported rule type: esql Multiple Device Token Hashes for Single Okta Session - Skipping unsupported rule type: esql Multiple Okta User Authentication Events with Client Address - Skipping unsupported rule type: esql Multiple Okta User Authentication Events with Same Device Token Hash - Skipping unsupported rule type: esql High Number of Okta Device Token Cookies Generated for Authentication - Skipping unsupported rule type: esql Okta User Sessions Started from Different Geolocations - Skipping unsupported rule type: esql Success: Rules written to output_file.ndjson Building limited rules for stack version 8.12 with custom rules Loaded config file: /Users/stryker/workspace/ElasticGitHub/detection-rules/.detection-rules-cfg.json █▀▀▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄ ▄ █▀▀▄ ▄ ▄ ▄ ▄▄▄ ▄▄▄ █ █ █▄▄ █ █▄▄ █ █ █ █ █ █▀▄ █ █▄▄▀ █ █ █ █▄▄ █▄▄ █▄▄▀ █▄▄ █ █▄▄ █▄▄ █ ▄█▄ █▄█ █ ▀▄█ █ ▀▄ █▄▄█ █▄▄ █▄▄ ▄▄█ - sha256: eb87e0020bff1e0def0d34b1e41761213bcfbcc34dfe1a20ab6f54d10201f911 files saved to: /Users/stryker/workspace/ElasticGitHub/detection-rules/enriched-rule-indexes/eb87e0020bff1e0def0d34b1e41761213bcfbcc34dfe1a20ab6f54d10201f911 1197 rules included Building manifests for integrations Loaded config file: /Users/stryker/workspace/ElasticGitHub/detection-rules/.detection-rules-cfg.json █▀▀▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄ ▄ █▀▀▄ ▄ ▄ ▄ ▄▄▄ ▄▄▄ █ █ █▄▄ █ █▄▄ █ █ █ █ █ █▀▄ █ █▄▄▀ █ █ █ █▄▄ █▄▄ █▄▄▀ █▄▄ █ █▄▄ █▄▄ █ ▄█▄ █▄█ █ ▀▄█ █ ▀▄ █▄▄█ █▄▄ █▄▄ ▄▄█ loading rules to determine all integration tags loaded endpoint manifests from the following package versions: ['8.15.0', '8.14.0', '8.13.0', '8.12.0', '8.11.1', '8.11.0', '8.10.2', '8.10.1', '8.10.0', '8.9.1', '8.9.0', '8.8.0', '8.7.1', '8.7.0', '8.6.1', 
'8.6.0', '8.5.0', '8.4.1', '8.4.0', '8.3.0', '8.2.0', '1.5.0', '1.4.1', '1.4.0', '1.3.0', '1.2.2', '1.2.1', '1.2.0', '1.1.1', '1.1.0', '1.0.0'] final integrations manifests dumped: /Users/stryker/workspace/ElasticGitHub/detection-rules/detection_rules/etc/integration-manifests.json.gz Building schemas for integrations Loaded config file: /Users/stryker/workspace/ElasticGitHub/detection-rules/.detection-rules-cfg.json █▀▀▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄ ▄ █▀▀▄ ▄ ▄ ▄ ▄▄▄ ▄▄▄ █ █ █▄▄ █ █▄▄ █ █ █ █ █ █▀▄ █ █▄▄▀ █ █ █ █▄▄ █▄▄ █▄▄▀ █▄▄ █ █▄▄ █▄▄ █ ▄█▄ █▄█ █ ▀▄█ █ ▀▄ █▄▄█ █▄▄ █▄▄ ▄▄█ Building integration schemas... processing endpoint final integrations manifests dumped: /Users/stryker/workspace/ElasticGitHub/detection-rules/detection_rules/etc/integration-schemas.json.gz Detection-rules CLI tests completed!