Installing all dependencies...

./env/detection-rules-build/bin/pip install .[dev]
Looking in indexes: https://pypi.org/simple, https://artifactory.elastic.dev/artifactory/api/pypi/pypi-endgame/simple
Processing /Users/stryker/workspace/ElasticGitHub/detection-rules
  Installing build dependencies: started
  Installing build dependencies: finished with status 'done'
  Getting requirements to build wheel: started
  Getting requirements to build wheel: finished with status 'done'
  Preparing metadata (pyproject.toml): started
  Preparing metadata (pyproject.toml): finished with status 'done'
Collecting detection-rules-kql@ git+https://github.com/elastic/detection-rules.git#subdirectory=lib/kql (from detection_rules==0.1.0)
  Cloning https://github.com/elastic/detection-rules.git to /private/var/folders/ng/zlptgm9552j2dhj_xzy0r32h0000gn/T/pip-install-xg9az_1l/detection-rules-kql_2620d68bf1a1402aa43b0c5ee12e32a6
  Resolved https://github.com/elastic/detection-rules.git to commit 4c44f98cd6bd262c73fb23504a88773e37189e5c
  Installing build dependencies: started
  Installing build dependencies: finished with status 'done'
  Getting requirements to build wheel: started
  Getting requirements to build wheel: finished with status 'done'
  Preparing metadata (pyproject.toml): started
  Preparing metadata (pyproject.toml): finished with status 'done'
Collecting detection-rules-kibana@ git+https://github.com/elastic/detection-rules.git#subdirectory=lib/kibana (from detection_rules==0.1.0)
  Cloning https://github.com/elastic/detection-rules.git to /private/var/folders/ng/zlptgm9552j2dhj_xzy0r32h0000gn/T/pip-install-xg9az_1l/detection-rules-kibana_dcda287114a849909de31ad94003f27a
  Resolved https://github.com/elastic/detection-rules.git to commit 4c44f98cd6bd262c73fb23504a88773e37189e5c
  Installing build dependencies: started
  Installing build dependencies: finished with status 'done'
  Getting requirements to build wheel: started
  Getting requirements to build wheel: finished with status 'done'
  Preparing metadata (pyproject.toml): started
  Preparing metadata (pyproject.toml): finished with status 'done'
Requirement already satisfied: Click~=8.1.7 in ./env/detection-rules-build/lib/python3.12/site-packages (from detection_rules==0.1.0) (8.1.7)
Requirement already satisfied: elasticsearch~=8.12.1 in ./env/detection-rules-build/lib/python3.12/site-packages (from detection_rules==0.1.0) (8.12.1)
Requirement already satisfied: eql==0.9.19 in ./env/detection-rules-build/lib/python3.12/site-packages (from detection_rules==0.1.0) (0.9.19)
Requirement already satisfied: jsl==0.2.4 in ./env/detection-rules-build/lib/python3.12/site-packages (from detection_rules==0.1.0) (0.2.4)
Requirement already satisfied: jsonschema>=4.21.1 in ./env/detection-rules-build/lib/python3.12/site-packages (from detection_rules==0.1.0) (4.22.0)
Requirement already satisfied: marko==2.0.3 in ./env/detection-rules-build/lib/python3.12/site-packages (from detection_rules==0.1.0) (2.0.3)
Requirement already satisfied: marshmallow-dataclass~=8.6.0 in ./env/detection-rules-build/lib/python3.12/site-packages (from marshmallow-dataclass[union]~=8.6.0->detection_rules==0.1.0) (8.6.1)
Requirement already satisfied: marshmallow-jsonschema~=0.13.0 in ./env/detection-rules-build/lib/python3.12/site-packages (from detection_rules==0.1.0) (0.13.0)
Requirement already satisfied: marshmallow-union~=0.1.15 in ./env/detection-rules-build/lib/python3.12/site-packages (from detection_rules==0.1.0) (0.1.15.post1)
Requirement already satisfied: marshmallow~=3.21.1 in ./env/detection-rules-build/lib/python3.12/site-packages (from detection_rules==0.1.0) (3.21.2)
Requirement already satisfied: pytoml==0.1.21 in ./env/detection-rules-build/lib/python3.12/site-packages (from detection_rules==0.1.0) (0.1.21)
Requirement already satisfied: PyYAML~=6.0.1 in ./env/detection-rules-build/lib/python3.12/site-packages (from detection_rules==0.1.0) (6.0.1)
Requirement already satisfied: requests~=2.31.0 in ./env/detection-rules-build/lib/python3.12/site-packages (from detection_rules==0.1.0) (2.31.0)
Requirement already satisfied: toml==0.10.2 in ./env/detection-rules-build/lib/python3.12/site-packages (from detection_rules==0.1.0) (0.10.2)
Requirement already satisfied: typing-inspect==0.9.0 in ./env/detection-rules-build/lib/python3.12/site-packages (from detection_rules==0.1.0) (0.9.0)
Requirement already satisfied: typing-extensions==4.10.0 in ./env/detection-rules-build/lib/python3.12/site-packages (from detection_rules==0.1.0) (4.10.0)
Requirement already satisfied: XlsxWriter~=3.2.0 in ./env/detection-rules-build/lib/python3.12/site-packages (from detection_rules==0.1.0) (3.2.0)
Requirement already satisfied: semver==3.0.2 in ./env/detection-rules-build/lib/python3.12/site-packages (from detection_rules==0.1.0) (3.0.2)
Requirement already satisfied: lark-parser~=0.12.0 in ./env/detection-rules-build/lib/python3.12/site-packages (from eql==0.9.19->detection_rules==0.1.0) (0.12.0)
Requirement already satisfied: mypy-extensions>=0.3.0 in ./env/detection-rules-build/lib/python3.12/site-packages (from typing-inspect==0.9.0->detection_rules==0.1.0) (1.0.0)
Requirement already satisfied: pep8-naming==0.13.0 in ./env/detection-rules-build/lib/python3.12/site-packages (from detection_rules==0.1.0) (0.13.0)
Requirement already satisfied: PyGithub==2.2.0 in ./env/detection-rules-build/lib/python3.12/site-packages (from detection_rules==0.1.0) (2.2.0)
Requirement already satisfied: flake8==7.0.0 in ./env/detection-rules-build/lib/python3.12/site-packages (from detection_rules==0.1.0) (7.0.0)
Requirement already satisfied: pyflakes==3.2.0 in ./env/detection-rules-build/lib/python3.12/site-packages (from detection_rules==0.1.0) (3.2.0)
Requirement already satisfied: pytest>=8.1.1 in ./env/detection-rules-build/lib/python3.12/site-packages (from detection_rules==0.1.0) (8.2.0)
Requirement already satisfied: nodeenv==1.8.0 in ./env/detection-rules-build/lib/python3.12/site-packages (from detection_rules==0.1.0) (1.8.0)
Requirement already satisfied: pre-commit==3.6.2 in ./env/detection-rules-build/lib/python3.12/site-packages (from detection_rules==0.1.0) (3.6.2)
Requirement already satisfied: mccabe<0.8.0,>=0.7.0 in ./env/detection-rules-build/lib/python3.12/site-packages (from flake8==7.0.0->detection_rules==0.1.0) (0.7.0)
Requirement already satisfied: pycodestyle<2.12.0,>=2.11.0 in ./env/detection-rules-build/lib/python3.12/site-packages (from flake8==7.0.0->detection_rules==0.1.0) (2.11.1)
Requirement already satisfied: setuptools in ./env/detection-rules-build/lib/python3.12/site-packages (from nodeenv==1.8.0->detection_rules==0.1.0) (69.5.1)
Requirement already satisfied: cfgv>=2.0.0 in ./env/detection-rules-build/lib/python3.12/site-packages (from pre-commit==3.6.2->detection_rules==0.1.0) (3.4.0)
Requirement already satisfied: identify>=1.0.0 in ./env/detection-rules-build/lib/python3.12/site-packages (from pre-commit==3.6.2->detection_rules==0.1.0) (2.5.36)
Requirement already satisfied: virtualenv>=20.10.0 in ./env/detection-rules-build/lib/python3.12/site-packages (from pre-commit==3.6.2->detection_rules==0.1.0) (20.26.1)
Requirement already satisfied: pynacl>=1.4.0 in ./env/detection-rules-build/lib/python3.12/site-packages (from PyGithub==2.2.0->detection_rules==0.1.0) (1.5.0)
Requirement already satisfied: pyjwt>=2.4.0 in ./env/detection-rules-build/lib/python3.12/site-packages (from pyjwt[crypto]>=2.4.0->PyGithub==2.2.0->detection_rules==0.1.0) (2.8.0)
Requirement already satisfied: urllib3>=1.26.0 in ./env/detection-rules-build/lib/python3.12/site-packages (from PyGithub==2.2.0->detection_rules==0.1.0) (2.2.1)
Requirement already satisfied: Deprecated in ./env/detection-rules-build/lib/python3.12/site-packages (from PyGithub==2.2.0->detection_rules==0.1.0) (1.2.14)
Requirement already satisfied: elastic-transport<9,>=8 in ./env/detection-rules-build/lib/python3.12/site-packages (from elasticsearch~=8.12.1->detection_rules==0.1.0) (8.13.0)
Requirement already satisfied: attrs>=22.2.0 in ./env/detection-rules-build/lib/python3.12/site-packages (from jsonschema>=4.21.1->detection_rules==0.1.0) (23.2.0)
Requirement already satisfied: jsonschema-specifications>=2023.03.6 in ./env/detection-rules-build/lib/python3.12/site-packages (from jsonschema>=4.21.1->detection_rules==0.1.0) (2023.12.1)
Requirement already satisfied: referencing>=0.28.4 in ./env/detection-rules-build/lib/python3.12/site-packages (from jsonschema>=4.21.1->detection_rules==0.1.0) (0.35.1)
Requirement already satisfied: rpds-py>=0.7.1 in ./env/detection-rules-build/lib/python3.12/site-packages (from jsonschema>=4.21.1->detection_rules==0.1.0) (0.18.1)
Requirement already satisfied: packaging>=17.0 in ./env/detection-rules-build/lib/python3.12/site-packages (from marshmallow~=3.21.1->detection_rules==0.1.0) (24.0)
Requirement already satisfied: typeguard<4.0.0,>=2.4.1 in ./env/detection-rules-build/lib/python3.12/site-packages (from marshmallow-dataclass[union]~=8.6.0->detection_rules==0.1.0) (3.0.2)
Requirement already satisfied: iniconfig in ./env/detection-rules-build/lib/python3.12/site-packages (from pytest>=8.1.1->detection_rules==0.1.0) (2.0.0)
Requirement already satisfied: pluggy<2.0,>=1.5 in ./env/detection-rules-build/lib/python3.12/site-packages (from pytest>=8.1.1->detection_rules==0.1.0) (1.5.0)
Requirement already satisfied: charset-normalizer<4,>=2 in ./env/detection-rules-build/lib/python3.12/site-packages (from requests~=2.31.0->detection_rules==0.1.0) (3.3.2)
Requirement already satisfied: idna<4,>=2.5 in ./env/detection-rules-build/lib/python3.12/site-packages (from requests~=2.31.0->detection_rules==0.1.0) (3.7)
Requirement already satisfied: certifi>=2017.4.17 in ./env/detection-rules-build/lib/python3.12/site-packages (from requests~=2.31.0->detection_rules==0.1.0) (2024.2.2)
Requirement already satisfied: cryptography>=3.4.0 in ./env/detection-rules-build/lib/python3.12/site-packages (from pyjwt[crypto]>=2.4.0->PyGithub==2.2.0->detection_rules==0.1.0) (42.0.7)
Requirement already satisfied: cffi>=1.4.1 in ./env/detection-rules-build/lib/python3.12/site-packages (from pynacl>=1.4.0->PyGithub==2.2.0->detection_rules==0.1.0) (1.16.0)
Requirement already satisfied: distlib<1,>=0.3.7 in ./env/detection-rules-build/lib/python3.12/site-packages (from virtualenv>=20.10.0->pre-commit==3.6.2->detection_rules==0.1.0) (0.3.8)
Requirement already satisfied: filelock<4,>=3.12.2 in ./env/detection-rules-build/lib/python3.12/site-packages (from virtualenv>=20.10.0->pre-commit==3.6.2->detection_rules==0.1.0) (3.14.0)
Requirement already satisfied: platformdirs<5,>=3.9.1 in ./env/detection-rules-build/lib/python3.12/site-packages (from virtualenv>=20.10.0->pre-commit==3.6.2->detection_rules==0.1.0) (4.2.1)
Requirement already satisfied: wrapt<2,>=1.10 in ./env/detection-rules-build/lib/python3.12/site-packages (from Deprecated->PyGithub==2.2.0->detection_rules==0.1.0) (1.16.0)
Requirement already satisfied: pycparser in ./env/detection-rules-build/lib/python3.12/site-packages (from cffi>=1.4.1->pynacl>=1.4.0->PyGithub==2.2.0->detection_rules==0.1.0) (2.22)
Building wheels for collected packages: detection_rules
  Building wheel for detection_rules (pyproject.toml): started
  Building wheel for detection_rules (pyproject.toml): finished with status 'done'
  Created wheel for detection_rules: filename=detection_rules-0.1.0-py3-none-any.whl size=41032518 sha256=9bc8feb1d6a74e1c7d86155a4254827e9d1981f17b6f9a1ffe701ec838a2b064
  Stored in directory: /Users/stryker/Library/Caches/pip/wheels/21/c6/ab/8e432f1a2900ee2a465d751436987791213ddef360666b4436
Successfully built detection_rules
Installing collected packages: detection_rules
  Attempting uninstall: detection_rules
    Found existing installation: detection_rules 0.1.0
    Uninstalling detection_rules-0.1.0:
      Successfully uninstalled detection_rules-0.1.0
Successfully installed detection_rules-0.1.0

./env/detection-rules-build/bin/pip install lib/kibana
Looking in indexes: https://pypi.org/simple, https://artifactory.elastic.dev/artifactory/api/pypi/pypi-endgame/simple
Processing ./lib/kibana
  Installing build dependencies: started
  Installing build dependencies: finished with status 'done'
  Getting requirements to build wheel: started
  Getting requirements to build wheel: finished with status 'done'
  Preparing metadata (pyproject.toml): started
  Preparing metadata (pyproject.toml): finished with status 'done'
Requirement already satisfied: requests<3.0,>=2.25 in ./env/detection-rules-build/lib/python3.12/site-packages (from detection-rules-kibana==0.4.0) (2.31.0)
Requirement already satisfied: elasticsearch~=8.12.1 in ./env/detection-rules-build/lib/python3.12/site-packages (from detection-rules-kibana==0.4.0) (8.12.1)
Requirement already satisfied: elastic-transport<9,>=8 in ./env/detection-rules-build/lib/python3.12/site-packages (from elasticsearch~=8.12.1->detection-rules-kibana==0.4.0) (8.13.0)
Requirement already satisfied: charset-normalizer<4,>=2 in ./env/detection-rules-build/lib/python3.12/site-packages (from requests<3.0,>=2.25->detection-rules-kibana==0.4.0) (3.3.2)
Requirement already satisfied: idna<4,>=2.5 in ./env/detection-rules-build/lib/python3.12/site-packages (from requests<3.0,>=2.25->detection-rules-kibana==0.4.0) (3.7)
Requirement already satisfied: urllib3<3,>=1.21.1 in ./env/detection-rules-build/lib/python3.12/site-packages (from requests<3.0,>=2.25->detection-rules-kibana==0.4.0) (2.2.1)
Requirement already satisfied: certifi>=2017.4.17 in ./env/detection-rules-build/lib/python3.12/site-packages (from requests<3.0,>=2.25->detection-rules-kibana==0.4.0) (2024.2.2)
Building wheels for collected packages: detection-rules-kibana
  Building wheel for detection-rules-kibana (pyproject.toml): started
  Building wheel for detection-rules-kibana (pyproject.toml): finished with status 'done'
  Created wheel for detection-rules-kibana: filename=detection_rules_kibana-0.4.0-py3-none-any.whl size=9479 sha256=55248b053c4daafb5d1cf4a4b549cbb0d54ac73b6a5f08750e4c0b456cd95a38
  Stored in directory: /private/var/folders/ng/zlptgm9552j2dhj_xzy0r32h0000gn/T/pip-ephem-wheel-cache-8_m0bnq9/wheels/2a/c1/12/5373374ecdfaec5b2aef4b10c88f87a24e8a45c85b746184b6
Successfully built detection-rules-kibana
Installing collected packages: detection-rules-kibana
  Attempting uninstall: detection-rules-kibana
    Found existing installation: detection-rules-kibana 0.4.0
    Uninstalling detection-rules-kibana-0.4.0:
      Successfully uninstalled detection-rules-kibana-0.4.0
Successfully installed detection-rules-kibana-0.4.0

./env/detection-rules-build/bin/pip install lib/kql
Looking in indexes: https://pypi.org/simple, https://artifactory.elastic.dev/artifactory/api/pypi/pypi-endgame/simple
Processing ./lib/kql
  Installing build dependencies: started
  Installing build dependencies: finished with status 'done'
  Getting requirements to build wheel: started
  Getting requirements to build wheel: finished with status 'done'
  Preparing metadata (pyproject.toml): started
  Preparing metadata (pyproject.toml): finished with status 'done'
Requirement already satisfied: eql==0.9.19 in ./env/detection-rules-build/lib/python3.12/site-packages (from detection-rules-kql==0.1.7) (0.9.19)
Requirement already satisfied: lark-parser>=0.12.0 in ./env/detection-rules-build/lib/python3.12/site-packages (from detection-rules-kql==0.1.7) (0.12.0)
Building wheels for collected packages: detection-rules-kql
  Building wheel for detection-rules-kql (pyproject.toml): started
  Building wheel for detection-rules-kql (pyproject.toml): finished with status 'done'
  Created wheel for detection-rules-kql: filename=detection_rules_kql-0.1.7-py3-none-any.whl size=16336 sha256=b21d552b724de71277dbd55d18da63f580e5090b3bf65fc25938eb9984db73a2
  Stored in directory: /private/var/folders/ng/zlptgm9552j2dhj_xzy0r32h0000gn/T/pip-ephem-wheel-cache-tkz9dvyf/wheels/7c/be/eb/f105f81d04c0575e48ab4ce963914f5c752b3b89fc58b3e94f
Successfully built detection-rules-kql
Installing collected packages: detection-rules-kql
  Attempting uninstall: detection-rules-kql
    Found existing installation: detection-rules-kql 0.1.7
    Uninstalling detection-rules-kql-0.1.7:
      Successfully uninstalled detection-rules-kql-0.1.7
Successfully installed detection-rules-kql-0.1.7

Executing test_remote_cli script...
Running detection-rules remote CLI tests...

Performing a quick rule alerts search...
Requires .detection-rules-cfg.json credentials file set.
Loaded config file: /Users/stryker/workspace/ElasticGitHub/detection-rules/.detection-rules-cfg.json

=======================================================================================
host                          rule                  kibana alert
hostname                      name                  status    original_time
=======================================================================================
                              My First Rule         active    2024-08-13T20:28:47.000Z
stryker-macos-testing.local   Test Exception List   active    2024-08-14T19:02:23.896Z
stryker-macos-testing.local   Test Exception List   active    2024-08-14T19:02:27.020Z
stryker-macos-testing.local   Test Exception List   active    2024-08-14T19:02:27.156Z
stryker-macos-testing.local   Test Exception List   active    2024-08-14T19:02:40.771Z
stryker-macos-testing.local   Test Exception List   active    2024-08-14T19:02:50.313Z
stryker-macos-testing.local   Test Exception List   active    2024-08-14T19:02:50.313Z
stryker-macos-testing.local   Test Exception List   active    2024-08-14T19:02:50.313Z
stryker-macos-testing.local   Test Exception List   active    2024-08-14T19:03:12.492Z
stryker-macos-testing.local   Test Exception List   active    2024-08-14T19:03:18.876Z
stryker-macos-testing.local   Test Exception List   active    2024-08-14T19:03:18.876Z
stryker-macos-testing.local   Test Exception List   active    2024-08-14T19:03:18.876Z
stryker-macos-testing.local   Test Exception List   active    2024-08-14T19:03:22.451Z
stryker-macos-testing.local   Test Exception List   active    2024-08-14T19:03:29.041Z
stryker-macos-testing.local   Test Exception List   active    2024-08-14T19:03:29.041Z
stryker-macos-testing.local   Test Exception List   active    2024-08-14T19:03:29.041Z
stryker-macos-testing.local   Test Exception List   active    2024-08-14T19:03:56.640Z
stryker-macos-testing.local   Test Exception List   active    2024-08-14T19:04:11.063Z
stryker-macos-testing.local   Test Exception List   active    2024-08-14T19:04:19.460Z
stryker-macos-testing.local   Test Exception List   active    2024-08-14T19:04:19.460Z
stryker-macos-testing.local   Test Exception List   active    2024-08-14T19:04:19.460Z
stryker-macos-testing.local   Test Exception List   active    2024-08-14T19:04:21.670Z
stryker-macos-testing.local   Test Exception List   active    2024-08-14T19:04:21.673Z
stryker-macos-testing.local   Test Exception List   active    2024-08-14T19:04:22.701Z
stryker-macos-testing.local   Test Exception List   active    2024-08-14T19:04:23.015Z
stryker-macos-testing.local   Test Exception List   active    2024-08-14T19:04:24.140Z
stryker-macos-testing.local   Test Exception List   active    2024-08-14T19:04:24.140Z
stryker-macos-testing.local   Test Exception List   active    2024-08-14T19:04:24.140Z
trade-linux-testing           Test Exception List   active    2024-08-14T19:05:46.010Z
trade-linux-testing           Test Exception List   active    2024-08-14T19:05:46.019Z
trade-linux-testing           Test Exception List   active    2024-08-14T19:05:46.023Z
trade-linux-testing           Test Exception List   active    2024-08-14T19:05:46.074Z
trade-windows-testing         Test Exception List   active    2024-08-14T19:05:46.231Z
trade-windows-testing         Test Exception List   active    2024-08-14T19:05:46.284Z
stryker-macos-testing.local   Test Exception List   active    2024-08-14T19:07:06.881Z
stryker-macos-testing.local   Test Exception List   active    2024-08-14T19:07:06.881Z
stryker-macos-testing.local   Test Exception List   active    2024-08-14T19:07:06.881Z
stryker-macos-testing.local   Test Exception List   active    2024-08-14T19:07:07.674Z
stryker-macos-testing.local   Test Exception List   active    2024-08-14T19:07:07.674Z
stryker-macos-testing.local   Test Exception List   active    2024-08-14T19:07:07.674Z
stryker-macos-testing.local   Test Exception List   active    2024-08-14T19:07:08.091Z
stryker-macos-testing.local   Test Exception List   active    2024-08-14T19:07:08.091Z
stryker-macos-testing.local   Test Exception List   active    2024-08-14T19:07:08.091Z
stryker-macos-testing.local   Test Exception List   active    2024-08-14T19:07:08.097Z
stryker-macos-testing.local   Test Exception List   active    2024-08-14T19:07:08.097Z
stryker-macos-testing.local   Test Exception List   active    2024-08-14T19:07:08.097Z
stryker-macos-testing.local   Test Exception List   active    2024-08-14T19:07:08.206Z
stryker-macos-testing.local   Test Exception List   active    2024-08-14T19:07:08.206Z
stryker-macos-testing.local   Test Exception List   active    2024-08-14T19:07:08.206Z
stryker-macos-testing.local   Test Exception List   active    2024-08-14T19:07:08.272Z
stryker-macos-testing.local   Test Exception List   active    2024-08-14T19:07:08.272Z
stryker-macos-testing.local   Test Exception List   active    2024-08-14T19:07:08.310Z
stryker-macos-testing.local   Test Exception List   active    2024-08-14T19:07:08.310Z
stryker-macos-testing.local   Test Exception List   active    2024-08-14T19:07:08.387Z
stryker-macos-testing.local   Test Exception List   active    2024-08-14T19:07:08.387Z
stryker-macos-testing.local   Test Exception List   active    2024-08-14T19:07:08.424Z
stryker-macos-testing.local   Test Exception List   active    2024-08-14T19:07:08.424Z
stryker-macos-testing.local   Test Exception List   active    2024-08-14T19:07:08.842Z
stryker-macos-testing.local   Test Exception List   active    2024-08-14T19:07:08.842Z
stryker-macos-testing.local   Test Exception List   active    2024-08-14T19:07:08.843Z
stryker-macos-testing.local   Test Exception List   active    2024-08-14T19:07:08.843Z
stryker-macos-testing.local   Test Exception List   active    2024-08-14T19:07:09.147Z
stryker-macos-testing.local   Test Exception List   active    2024-08-14T19:07:09.147Z
stryker-macos-testing.local   Test Exception List   active    2024-08-14T19:07:09.147Z
stryker-macos-testing.local   Test Exception List   active    2024-08-14T19:07:09.875Z
stryker-macos-testing.local   Test Exception List   active    2024-08-14T19:07:09.875Z
stryker-macos-testing.local   Test Exception List   active    2024-08-14T19:07:10.846Z
stryker-macos-testing.local   Test Exception List   active    2024-08-14T19:07:14.041Z
stryker-macos-testing.local   Test Exception List   active    2024-08-14T19:07:22.025Z
stryker-macos-testing.local   Test Exception List   active    2024-08-14T19:07:22.025Z
stryker-macos-testing.local   Test Exception List   active    2024-08-14T19:07:22.329Z
stryker-macos-testing.local   Test Exception List   active    2024-08-14T19:07:22.329Z
stryker-macos-testing.local   Test Exception List   active    2024-08-14T19:07:23.057Z
stryker-macos-testing.local   Test Exception List   active    2024-08-14T19:07:23.057Z
stryker-macos-testing.local   Test Exception List   active    2024-08-14T19:07:26.990Z
stryker-macos-testing.local   Test Exception List   active    2024-08-14T19:07:51.091Z
stryker-macos-testing.local   Test Exception List   active    2024-08-14T19:07:52.289Z
stryker-macos-testing.local   Test Exception List   active    2024-08-14T19:08:00.662Z
stryker-macos-testing.local   Test Exception List   active    2024-08-14T19:08:00.662Z
stryker-macos-testing.local   Test Exception List   active    2024-08-14T19:08:00.662Z
stryker-macos-testing.local   Test Exception List   active    2024-08-14T19:08:04.294Z
trade-windows-testing         Test Exception List   active    2024-08-14T19:10:23.342Z
trade-windows-testing         Test Exception List   active    2024-08-14T19:10:23.918Z
trade-windows-testing         Test Exception List   active    2024-08-14T19:10:26.982Z
trade-windows-testing         Test Exception List   active    2024-08-14T19:10:27.045Z
trade-windows-testing         Test Exception List   active    2024-08-14T19:10:30.302Z
trade-windows-testing         Test Exception List   active    2024-08-14T19:10:34.339Z
trade-windows-testing         Test Exception List   active    2024-08-14T19:13:10.053Z
trade-windows-testing         Test Exception List   active    2024-08-14T19:13:10.121Z
trade-windows-testing         Test Exception List   active    2024-08-14T19:13:14.054Z
trade-windows-testing         Test Exception List   active    2024-08-14T19:13:14.056Z
trade-windows-testing         Test Exception List   active    2024-08-14T19:14:52.282Z
trade-windows-testing         Test Exception List   active    2024-08-14T19:15:07.662Z
trade-windows-testing         Test Exception List   active    2024-08-14T19:15:16.648Z
trade-windows-testing         Test Exception List   active    2024-08-14T19:15:16.974Z
trade-windows-testing         Test Exception List   active    2024-08-14T19:15:16.976Z
trade-windows-testing         Test Exception List   active    2024-08-14T19:15:17.081Z
trade-windows-testing         Test Exception List   active    2024-08-14T19:15:21.149Z
trade-windows-testing         Test Exception List   active    2024-08-14T19:15:21.273Z
trade-windows-testing         Test Exception List   active    2024-08-14T19:15:21.282Z
=======================================================================================

Performing a rule export...
Loaded config file: /Users/stryker/workspace/ElasticGitHub/detection-rules/.detection-rules-cfg.json
- skipping Potential Successful Linux FTP Brute Force Attack Detected [Duplicate] - EqlSchemaError
- skipping Okta - Multiple email addresses seen with a single dt_hash - KqlParseError
- skipping Possible Okta Session Cookie Theft - Multiple dtHash for a Session ID - ValidationError
- skipping Okta IDPS provider changes made - KqlParseError
- skipping Github - New Repo cloned for a service account PAT - KqlParseError
- skipping Okta Authentication by MFA Exempt account from unmanaged IP - ValidationError
- skipping Spike in user cloning private github repo from an unmanged IP - KqlParseError
- skipping Mail forwarding configured to external domain [8.5] - KqlParseError
- skipping [Okta] Non Elastic user added to an Elastic Okta group [8.1] - ValidationError
- skipping [Threat Intel] OpenCTI IP match on Zocalo Integration - ValidationError
- skipping Okta Support Viewed or Updated our Okta Organization - KqlParseError
- skipping [OKTA] Custom IDPS used to authenticate user [7.12] - ValidationError
- skipping Github - New event.action for a PAT - KqlParseError
- skipping GCP Virtual Private Cloud Route Deletion [7.13] - KqlParseError
- skipping GCP Storage Bucket Permissions Modification [7.13] - ValidationError
- skipping GCP Service Account Disabled [7.13] - ValidationError
- skipping Multiple Different Detection alerts for a single agent.id - KqlParseError
- skipping Github activity on a private repo from a New IP - KqlParseError
- skipping Suspicious Activity Reported by Okta User [7.12] - KqlParseError
- skipping Sudoedit non root activity [7.12] - KqlParseError
- skipping GCP Virtual Private Cloud Route Creation [7.13] - ValidationError
- skipping High Number of Okta User Password Reset or Unlock Attempts [7.12] - KqlParseError
- skipping GCP Virtual Private Cloud Network Deletion [7.13] - ValidationError
- skipping GCP Service Account Deletion [7.13] - ValidationError
- skipping GCP Storage Bucket Deletion [7.13] - ValidationError
- skipping GCP Storage Bucket Configuration Modification [7.13] - ValidationError
- skipping TeamViewer used to remote access an Elastic system - KqlParseError
- skipping Okta Brute Force or Password Spraying Attack [7.12] - ValidationError
- skipping Possible Okta DoS Attack [7.12] - ValidationError
- skipping High number of Okta Session reauth on High Risk session - KqlParseError
- skipping GCP Service Account Key Creation [7.13] - ValidationError
- skipping GCP Firewall Rule Deletion [7.13] - ValidationError
- skipping AWS Root Account event failed from unmanaged IP - KqlParseError
- skipping GCP Kubernetes Rolebindings Created or Patched [8.9] - KqlParseError
- skipping GCP Firewall Rule Modification [7.13] - ValidationError
- skipping Azure password login from unmanaged IP - KqlParseError
- skipping [ESS] Process executing from strange directory in Elastic Cloud - ValidationError
- skipping GCP Service Account Creation [7.13] - ValidationError
- skipping GCP Logging Bucket Deletion [7.13] - ValidationError
- skipping Azure Active Directory High Risk Sign-in from unmanaged IP - KqlParseError
- skipping GCP Logging Sink Deletion [7.13] - ValidationError
- skipping GCP IAM Custom Role Creation [7.13] - ValidationError
- skipping [ESS] FIM Critical File monitoring changes - ValidationError
- skipping Attempt to Deactivate Okta policy from unmanaged IP - KqlParseError
- skipping AWS Console authentication from unmanaged IP [Elastic Cloud] - KqlParseError
- skipping Activity from a user with a DEPROVISIONED Okta account - KqlParseError
- skipping GCP IAM Role Deletion [7.13] - ValidationError
- skipping [ESS] Unusual Process Execution - Temp [Elastic Rule] - ValidationError
- skipping Attempt to Revoke Okta API Token [8.10] - KqlParseError
- skipping Administrator Role Assigned to an Okta User [7.13] - ValidationError
- skipping GCP Firewall Rule Creation [7.13] - ValidationError
- skipping GCP Pub/Sub Topic Deletion [7.13] - ValidationError
- skipping GCP Pub/Sub Topic Creation [7.13] - ValidationError
- skipping GCP IAM Service Account Key Deletion [7.13] - ValidationError
- skipping [ESS] Cloud Netcat Network Activity [Elastic Rule] - ValidationError
- skipping [ESS] Unusual non-root parent process of sh - ValidationError
- skipping GCP Logging Sink Modification [7.13] - ValidationError
- skipping GCP Pub/Sub Subscription Deletion [7.13] - ValidationError
- skipping GCP Pub/Sub Subscription Creation [7.13] - ValidationError
- skipping Attempt to Deactivate MFA for Okta User Account [7.12] - ValueError
- skipping H-DEFENSEEVASION-266 - Windows Defender Exclusions Added - KqlParseError
- skipping Suppression is not enabled, threshold fields not selected - KqlParseError
- skipping Suppression is enabled, threshold fields selected - KqlParseError
- skipping ertewr - KqlParseError
126 results exported
62 rules converted
0 exceptions exported
0 action connectors exported
62 rules saved to tmp-export
0 exception lists saved to None
0 action connectors saved to None
64 errors saved to tmp-export/_errors.txt

_errors.txt
administrator_privileges_assigned_to_okta_group_7_12.toml
apple_scripting_execution_with_administrator_privileges_eql_7_14.toml
attempt_to_deactivate_an_okta_application_7_12.toml
attempt_to_deactivate_an_okta_network_zone_7_12.toml
attempt_to_deactivate_an_okta_policy_rule_from_unmanaged_ip.toml
attempt_to_delete_an_okta_network_zone_7_12.toml
attempt_to_delete_an_okta_policy_rule_from_unmanaged_ip.toml
attempt_to_delete_okta_policy_from_unmanaged_ip.toml
attempt_to_modify_an_okta_network_zone_7_12.toml
attempt_to_modify_an_okta_policy_rule_from_unmanaged_ip.toml
attempt_to_modify_okta_network_zone_7_12.toml
attempt_to_modify_okta_policy_from_unmanaged_ip.toml
attempt_to_remove_file_quarantine_attribute_eql_7_14.toml
attempt_to_reset_mfa_factors_for_okta_user_account_7_12.toml
attempts_to_brute_force_an_okta_user_account_7_12.toml
aws_cloudwatch_log_group_deletion_elastic_eng.toml
azure_service_principal_credentials_added_8_2.toml
changing_or_disabling_of_okta_mfa_device_7_14.toml
collection_exchange_mailbox_export_via_powershell.toml
connection_to_commonly_abused_web_services_eql_8_3.toml
creation_of_okta_api_token.toml
credential_access_first_time_seen_aws_secret_value_accessed_in_secrets_manager.toml
discovery_enumeration_of_privileged_local_groups_membership.toml
execution_from_unusual_directory_command_line_eql_7_14.toml
execution_test_rule.toml
high_number_of_okta_mfa_deny_events.toml
modification_or_removal_of_an_okta_application_sign_on_policy_from_unmanaged_ip.toml
new_mfa_device_registered.toml
nullsessionpipe_registry_modification_eql_8_12.toml
okta_high_risk_authentication_from_unmanaged_ip.toml
okta_security_threat_detected_8_4.toml
persistence_test2.toml
persistence_via_scheduled_job_creation_eql_8_12.toml
potential_abuse_of_repeated_mfa_push_notifications_8_1.toml
potential_evasion_via_filter_manager_eql_7_14.toml
potential_malicious_file_downloaded_from_google_drive.toml
potential_malicious_file_downloaded_from_google_drive_d.toml
potential_modification_of_accessibility_binaries_eql_8_12.toml
potential_persistence_via_login_hook_7_12.toml
potential_privacy_control_bypass_via_localhost_secure_copy_eql_7_14.toml
potential_reverse_shell_activity_via_terminal_eql_7_14.toml
pptp_point_to_point_tunneling_protocol_activity_7_12.toml
process_execution_from_an_unusual_directory_eql_8_12.toml
registry_persistence_via_appinit_dll_eql_7_14.toml
sensitive_files_compression_7_12.toml
smtp_on_port_26_tcp_7_12.toml
suppression_is_not_enabled_threshold_fields_selected.toml
tampering_of_bash_command_line_history_eql_8_3.toml
test.toml
test_exception_list.toml
test_investigation_fields.toml
test_mail_rule.toml
test_new_terms_rule.toml
test_rule.toml
timestomping_using_touch_command_eql_7_14.toml
unauthorized_access_to_an_okta_application_8_9.toml
unusual_parent_process_for_cmd_exe_eql_8_8.toml
volume_shadow_copy_deletion_via_vssadmin_eql_7_14.toml
whoami_process_activity_eql_7_14.toml

Removing generated files...
Detection-rules CLI tests completed!