Well - is this what you are looking for? (Note: the redaction is incomplete — `_source.agent.id` and `fields.process.Ext.token.sid` still carry real values even though their `_source`/`fields` counterparts say "sanitized", and the `process.Ext.ancestry` / `entity_id` strings are base64 that embeds the same agent id.)
{
"_index": ".internal.alerts-security.alerts-default-000007",
"_id": "0cb9ede77f89e142cafe660855444480804f03a449b4c17462dd82275002e863",
"_version": 1,
"_score": 0,
"_source": {
"kibana.alert.start": "2023-11-11T16:51:02.405Z",
"kibana.alert.last_detected": "2023-11-11T16:51:02.405Z",
"kibana.version": "8.10.4",
"kibana.alert.rule.parameters": {
"description": "Generates a detection alert each time an Elastic Endpoint Security alert is received. Enabling this rule allows you to immediately begin investigating your Endpoint alerts.",
"risk_score": 47,
"severity": "medium",
"license": "Elastic License v2",
"rule_name_override": "message",
"timestamp_override": "event.ingested",
"author": [
"Elastic"
],
"false_positives": [],
"from": "now-10m",
"rule_id": "9a1a2dae-0b5f-4c3d-8305-a268d404c306",
"max_signals": 10000,
"risk_score_mapping": [
{
"field": "event.risk_score",
"operator": "equals",
"value": ""
}
],
"severity_mapping": [
{
"field": "event.severity",
"operator": "equals",
"severity": "low",
"value": "21"
},
{
"field": "event.severity",
"operator": "equals",
"severity": "medium",
"value": "47"
},
{
"field": "event.severity",
"operator": "equals",
"severity": "high",
"value": "73"
},
{
"field": "event.severity",
"operator": "equals",
"severity": "critical",
"value": "99"
}
],
"threat": [],
"to": "now",
"references": [],
"version": 101,
"exceptions_list": [
{
"id": "endpoint_list",
"list_id": "endpoint_list",
"namespace_type": "agnostic",
"type": "endpoint"
},
{
"id": "2de2b0e0-5f69-11ee-9b2e-01bfe334e22c",
"list_id": "a9df891a-c035-4822-8d74-1f79fed9b041",
"type": "rule_default",
"namespace_type": "single"
}
],
"immutable": true,
"related_integrations": [
{
"package": "endpoint",
"version": "^8.2.0"
}
],
"required_fields": [
{
"ecs": true,
"name": "event.kind",
"type": "keyword"
},
{
"ecs": true,
"name": "event.module",
"type": "keyword"
}
],
"setup": "",
"type": "query",
"language": "kuery",
"index": [
"logs-endpoint.alerts-*"
],
"query": "event.kind:alert and event.module:(endpoint and not endgame)\n"
},
"kibana.alert.rule.category": "Custom Query Rule",
"kibana.alert.rule.consumer": "siem",
"kibana.alert.rule.execution.uuid": "27c57c10-680d-4839-b24c-c572b42273f8",
"kibana.alert.rule.name": "Malware Prevention Alert",
"kibana.alert.rule.producer": "siem",
"kibana.alert.rule.revision": 102,
"kibana.alert.rule.rule_type_id": "siem.queryRule",
"kibana.alert.rule.uuid": "4b974c60-caed-11ed-9d31-81c7b0c1937c",
"kibana.space_ids": [
"default"
],
"kibana.alert.rule.tags": [
"Elastic",
"Endpoint Security"
],
"@timestamp": "2023-11-11T16:51:02.059Z",
"agent": {
"build": {
"original": "version: 8.10.4, compiled: Wed Oct 11 19:00:00 2023, branch: HEAD, commit: 8442397386468c4ab954a0a34406e209336efa7b"
},
"id": "1cdef3fc-1562-4880-a0e7-d7f50fee0d6b",
"type": "endpoint",
"version": "8.10.4"
},
"process": {
"Ext": {
"ancestry": [
"MWNkZWYzZmMtMTU2Mi00ODgwLWEwZTctZDdmNTBmZWUwZDZiLTIwNzI0LTE2OTk2OTIxMTAuNjg5ODI4NDAw",
"MWNkZWYzZmMtMTU2Mi00ODgwLWEwZTctZDdmNTBmZWUwZDZiLTgyODAtMTY5OTY5MjExMC41NTk5ODk0MDA=",
"MWNkZWYzZmMtMTU2Mi00ODgwLWEwZTctZDdmNTBmZWUwZDZiLTEyNTI4LTE2OTk2OTEyMzIuNDk3NDc2NDAw",
"MWNkZWYzZmMtMTU2Mi00ODgwLWEwZTctZDdmNTBmZWUwZDZiLTEyNDI4LTE2OTk2OTEyMzIuMzgwMDAyNzAw",
"MWNkZWYzZmMtMTU2Mi00ODgwLWEwZTctZDdmNTBmZWUwZDZiLTE2NjAtMTY5OTY5MTIwNy45NTI4MTQ4MDA="
],
"code_signature": [
{
"trusted": true,
"subject_name": "HCL America Inc.",
"exists": true,
"status": "trusted"
}
],
"protection": "",
"user": "sanitized",
"architecture": "x86_64",
"token": {
"elevation": true,
"integrity_level_name": "high",
"domain": "sanitized",
"user": "sanitized",
"elevation_type": "full",
"sid": "sanitized"
}
},
"parent": {
"Ext": {
"code_signature": [
{
"trusted": true,
"subject_name": "HCL America Inc.",
"exists": true,
"status": "trusted"
}
],
"protection": "",
"user": "sanitized",
"architecture": "x86_64"
},
"start": "2023-11-11T08:41:50.6898284Z",
"pid": 20724,
"entity_id": "MWNkZWYzZmMtMTU2Mi00ODgwLWEwZTctZDdmNTBmZWUwZDZiLTIwNzI0LTE2OTk2OTIxMTAuNjg5ODI4NDAw",
"executable": "C:\\Program Files\\HCL\\Notes\\nlnotes.exe",
"ppid": 8280,
"uptime": 29112,
"args": [
"NLNOTES.EXE",
"/authenticate",
"=C:\\Program Files\\HCL\\Notes\\notes.ini"
],
"code_signature": {
"trusted": true,
"subject_name": "HCL America Inc.",
"exists": true,
"status": "trusted"
},
"name": "nlnotes.exe",
"args_count": 3,
"command_line": "NLNOTES.EXE /authenticate \"=C:\\Program Files\\HCL\\Notes\\notes.ini\"",
"hash": {
"sha1": "18744a2becf9a09c7fe144b85c4ea3713c531b6f",
"sha256": "f081c841225bf644c340653550b6b01c9f3e38db4dd1837293341730388b2b37",
"md5": "c1d5757a457b7c9f53855d19242a43c5"
}
},
"start": "2023-11-11T16:46:51.4452124Z",
"pid": 24680,
"entity_id": "MWNkZWYzZmMtMTU2Mi00ODgwLWEwZTctZDdmNTBmZWUwZDZiLTI0NjgwLTE2OTk3MjEyMTEuNDQ1MjEyNDAw",
"executable": "C:\\Program Files\\HCL\\Notes\\ndyncfg.exe",
"uptime": 11,
"args": [
"C:\\Program Files\\HCL\\Notes\\ndyncfg.EXE",
"16",
""
],
"code_signature": {
"trusted": true,
"subject_name": "HCL America Inc.",
"exists": true,
"status": "trusted"
},
"pe": {},
"name": "ndyncfg.exe",
"args_count": 3,
"command_line": "\"C:\\Program Files\\HCL\\Notes\\ndyncfg.EXE\" 16 \"\"",
"hash": {
"sha1": "b595c7ef71a79423dfa12d8a012fae4e0d867554",
"sha256": "69e18d622d1c1234b1beeec02f621206ff398c7055cc85b068264d9e0f6c3e9b",
"md5": "78eb8ad61288617799a2f9f20d71c70c"
}
},
"rule": {
"name": "Multi.EICAR.Not-a-virus",
"ruleset": "production",
"id": "ac8f42d6-52da-46ec-8db1-5a5f69222a38"
},
"message": "Malware Prevention Alert",
"file": {
"Ext": {
"temp_file_path": "",
"malware_signature": {
"secondary": [],
"identifier": "production-malware-signature-v1-windows",
"all_names": "Multi.EICAR.Not-a-virus",
"version": "1.0.34",
"primary": {
"signature": {
"name": "Multi.EICAR.Not-a-virus",
"id": "ac8f42d6-52da-46ec-8db1-5a5f69222a38",
"hash": {
"sha256": "bb0e0bdf70ec65d98f652e2428e3567013d5413f2725a2905b372fd18da8b9dd"
}
},
"matches": [
"WDVPIVAlQEFQWzRcUFpYNTQoUF4pN0NDKTd9JEVJQ0FSLVNUQU5EQVJELUFOVElWSVJVUy1URVNULUZJTEUhJEgrSCo="
]
}
},
"code_signature": [
{
"exists": false
}
],
"quarantine_path": "",
"quarantine_message": "Failure to open file",
"quarantine_result": false,
"malware_classification": {
"identifier": "endpointpe-v4-model",
"score": 1,
"threshold": 0.58,
"version": "4.0.37000"
}
},
"owner": "SYSTEM",
"extension": "dll",
"drive_letter": "C",
"created": "2022-11-03T00:35:28.0Z",
"accessed": "2023-11-11T12:44:46.5606137Z",
"mtime": "2022-11-03T00:35:28.0Z",
"directory": "C:\\PROGRAM FILES\\HCL\\NOTES",
"path": "C:\\PROGRAM FILES\\HCL\\NOTES\\NNOTES.DLL",
"code_signature": {
"exists": false
},
"size": 41242624,
"pe": {
"file_version": "12.0.200.22306",
"product": "HCL Notes/Domino",
"description": "HCL Notes/Domino",
"company": "HCL Technologies Ltd",
"original_file_name": ""
},
"name": "NNOTES.DLL",
"hash": {
"sha1": "b37ae7837aed007375f321d37866290aeb608870",
"sha256": "2aff03ee51a3d81ae0f29a82717cfe5ee54deafb894768b42ccd8161c15ff7b2",
"md5": "8013828ca8e799891da02585b1962fca"
}
},
"Endpoint": {
"policy": {
"applied": {
"artifacts": {
"global": {
"identifiers": [
{
"sha256": "2be4541e338528477b119c2ec50e7abdb638b093591e95c17e1db4132621b39e",
"name": "diagnostic-configuration-v1"
},
{
"sha256": "17d8695f22d3817c426a0e08a477b88ecdb6088bc253dfbccc760224600afcfd",
"name": "diagnostic-endpointpe-v4-blocklist"
},
{
"sha256": "e899eb51199bd145c2f9af25429aebee73790fe33d2f6ceada8d2659554887ba",
"name": "diagnostic-endpointpe-v4-exceptionlist"
},
{
"sha256": "c01842ec8a5f29b3780162b8251da3caa913b1c493877a4ce9a77bce9464ce21",
"name": "diagnostic-endpointpe-v4-model"
},
{
"sha256": "563a9106d2d895302935f8a6545961062c083214a3e5b66aadad1b0145bdba64",
"name": "diagnostic-malware-signature-v1-windows"
},
{
"sha256": "cb611e8d2bdb3a9e87e34fc395f3e5b420ed41c1bd6624cb400e1869dd965f75",
"name": "diagnostic-ransomware-v1-windows"
},
{
"sha256": "7129b458a4d87d63588605f577145fbf808a8f936e49fecfa2c057d16f0c9f60",
"name": "diagnostic-rules-windows-v1"
},
{
"sha256": "f864be0d57a9b43915bc20521c9168cad6984aeca5e3b08a755ea1b9559384d7",
"name": "endpointpe-v4-blocklist"
},
{
"sha256": "0ada9ce7d8dc8aad66dd1fd2ccd828b21b785e01ae8b0723ca099c46c78b18b1",
"name": "endpointpe-v4-exceptionlist"
},
{
"sha256": "1faaa8f819d6b224fd9ffd48fc8fdf0891fb8ec720e9f108439dc616db53dd10",
"name": "endpointpe-v4-model"
},
{
"sha256": "aeb5953de77e2d83388e69705e7f5c7c0cc752a8b9efd075de713bc45d74c911",
"name": "global-configuration-v1"
},
{
"sha256": "6815da3fe249428c5bc6f78eae18878affb173619d45ea1dbb540a0625b32121",
"name": "global-eventfilterlist-windows-v1"
},
{
"sha256": "e42945d9b870c93a827dd6157765d96620943d494b98ea8935a6f66473d270ac",
"name": "global-exceptionlist-windows"
},
{
"sha256": "bb457a407544d2e8156be689eb460e0de93b1d3d1d9f1e431ecf41065a58286f",
"name": "global-trustlist-windows-v1"
},
{
"sha256": "08418b42390837b9aeec5099df4ab63394a7d32118a30922ff57c75c71a55d63",
"name": "production-malware-signature-v1-windows"
},
{
"sha256": "b35d822a94e6e9129c9c736474bac0e95ebde2b11bc33d0c6e0311cd33152218",
"name": "production-ransomware-v1-windows"
},
{
"sha256": "be788888a04e9fe92590d86cfc9b4dd4ca4da29ea75a6259b537edb1136e861b",
"name": "production-rules-windows-v1"
}
],
"version": "1.0.800"
},
"user": {
"identifiers": [
{
"sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
"name": "endpoint-blocklist-windows-v1"
},
{
"sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
"name": "endpoint-eventfilterlist-windows-v1"
},
{
"sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
"name": "endpoint-exceptionlist-windows-v1"
},
{
"sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
"name": "endpoint-hostisolationexceptionlist-windows-v1"
},
{
"sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
"name": "endpoint-trustlist-windows-v1"
}
],
"version": "1.0.2"
}
}
}
}
},
"ecs": {
"version": "1.11.0"
},
"data_stream": {
"namespace": "default",
"type": "logs",
"dataset": "endpoint.alerts"
},
"elastic": {
"agent": {
"id": "sanitized"
}
},
"host": {
"hostname": "sanitized",
"os": {
"Ext": {
"variant": "Windows 11 Enterprise"
},
"kernel": "23H2 (10.0.22631.2506)",
"name": "Windows",
"family": "windows",
"type": "windows",
"version": "23H2 (10.0.22631.2506)",
"platform": "windows",
"full": "Windows 11 Enterprise 23H2 (10.0.22631.2506)"
},
"ip": [
"192.168.0.89",
"fd77:ade4:e825:0:62c6:f4f2:e781:6be2",
"fd77:ade4:e825:0:bbdf:7d76:2a98:387e",
"fd77:ade4:e825:0:e167:ccfd:c963:4d61",
"fe80::64bd:5247:7486:1fa",
"169.254.172.144",
"fe80::e703:f3ea:355f:a986",
"127.0.0.1",
"::1",
"172.26.160.1",
"fe80::926e:7ead:d658:2068",
"172.17.160.1",
"fe80::49a3:5cb3:c5b0:e9",
"172.29.16.1",
"fe80::5890:a2d9:115f:fd4"
],
"name": "sanitized",
"id": "826188d2-e4f6-4025-9514-686022babc2d",
"mac": [
"3c-52-82-77-12-96",
"f4-4e-fc-a3-13-89",
"00-15-5d-a5-4b-30",
"00-15-5d-83-f0-31",
"00-15-5d-cd-f9-f4"
],
"architecture": "x86_64"
},
"user": {
"domain": "sanitized",
"name": "sanitized"
},
"event.severity": 73,
"event.code": "malicious_file",
"event.risk_score": 73,
"event.created": "2023-11-11T16:47:02.7003923Z",
"event.kind": "signal",
"event.module": "endpoint",
"event.type": [
"info",
"start",
"denied"
],
"event.agent_id_status": "verified",
"event.sequence": 299077,
"event.ingested": "2023-11-11T16:47:07Z",
"event.action": "load",
"event.id": "NIwuns2CFY7KnSHf++++2gul",
"event.category": [
"malware",
"intrusion_detection",
"library"
],
"event.dataset": "endpoint.alerts",
"event.outcome": "success",
"kibana.alert.original_time": "2023-11-11T16:47:02.700Z",
"kibana.alert.ancestors": [
{
"id": "Yk5Hv4sBCfe7LkV2qyLr",
"type": "event",
"index": ".ds-logs-endpoint.alerts-default-2023.11.10-000007",
"depth": 0
}
],
"kibana.alert.status": "active",
"kibana.alert.workflow_status": "open",
"kibana.alert.depth": 1,
"kibana.alert.reason": "malware, intrusion_detection, library event with process ndyncfg.exe, parent process nlnotes.exe, file NNOTES.DLL, by sanitized on sanitized created high alert Malware Prevention Alert.",
"kibana.alert.severity": "high",
"kibana.alert.risk_score": 73,
"kibana.alert.rule.actions": [],
"kibana.alert.rule.author": [
"Elastic"
],
"kibana.alert.rule.created_at": "2023-03-25T09:13:25.949Z",
"kibana.alert.rule.created_by": "elastic",
"kibana.alert.rule.description": "Generates a detection alert each time an Elastic Endpoint Security alert is received. Enabling this rule allows you to immediately begin investigating your Endpoint alerts.",
"kibana.alert.rule.enabled": true,
"kibana.alert.rule.exceptions_list": [
{
"id": "endpoint_list",
"list_id": "endpoint_list",
"namespace_type": "agnostic",
"type": "endpoint"
},
{
"id": "2de2b0e0-5f69-11ee-9b2e-01bfe334e22c",
"list_id": "a9df891a-c035-4822-8d74-1f79fed9b041",
"type": "rule_default",
"namespace_type": "single"
}
],
"kibana.alert.rule.false_positives": [],
"kibana.alert.rule.from": "now-10m",
"kibana.alert.rule.immutable": true,
"kibana.alert.rule.interval": "5m",
"kibana.alert.rule.indices": [
"logs-endpoint.alerts-*"
],
"kibana.alert.rule.license": "Elastic License v2",
"kibana.alert.rule.max_signals": 10000,
"kibana.alert.rule.references": [],
"kibana.alert.rule.risk_score_mapping": [
{
"field": "event.risk_score",
"operator": "equals",
"value": ""
}
],
"kibana.alert.rule.rule_id": "9a1a2dae-0b5f-4c3d-8305-a268d404c306",
"kibana.alert.rule.rule_name_override": "message",
"kibana.alert.rule.severity_mapping": [
{
"field": "event.severity",
"operator": "equals",
"severity": "low",
"value": "21"
},
{
"field": "event.severity",
"operator": "equals",
"severity": "medium",
"value": "47"
},
{
"field": "event.severity",
"operator": "equals",
"severity": "high",
"value": "73"
},
{
"field": "event.severity",
"operator": "equals",
"severity": "critical",
"value": "99"
}
],
"kibana.alert.rule.threat": [],
"kibana.alert.rule.timestamp_override": "event.ingested",
"kibana.alert.rule.to": "now",
"kibana.alert.rule.type": "query",
"kibana.alert.rule.updated_at": "2023-09-30T08:13:05.346Z",
"kibana.alert.rule.updated_by": "elastic",
"kibana.alert.rule.version": 101,
"kibana.alert.url": "https://kali-purple.sanitized.local:5601/app/security/alerts/redirect/0cb9ede77f89e142cafe660855444480804f03a449b4c17462dd82275002e863?index=.alerts-security.alerts-default&timestamp=2023-11-11T16:51:02.059Z",
"kibana.alert.uuid": "0cb9ede77f89e142cafe660855444480804f03a449b4c17462dd82275002e863",
"kibana.alert.workflow_tags": [],
"kibana.alert.rule.risk_score": 47,
"kibana.alert.rule.severity": "medium",
"kibana.alert.original_event.severity": 73,
"kibana.alert.original_event.code": "malicious_file",
"kibana.alert.original_event.risk_score": 73,
"kibana.alert.original_event.created": "2023-11-11T16:47:02.7003923Z",
"kibana.alert.original_event.kind": "alert",
"kibana.alert.original_event.module": "endpoint",
"kibana.alert.original_event.type": [
"info",
"start",
"denied"
],
"kibana.alert.original_event.agent_id_status": "verified",
"kibana.alert.original_event.sequence": 299077,
"kibana.alert.original_event.ingested": "2023-11-11T16:47:07Z",
"kibana.alert.original_event.action": "load",
"kibana.alert.original_event.id": "NIwuns2CFY7KnSHf++++2gul",
"kibana.alert.original_event.category": [
"malware",
"intrusion_detection",
"library"
],
"kibana.alert.original_event.dataset": "endpoint.alerts",
"kibana.alert.original_event.outcome": "success"
},
"fields": {
"process.hash.md5": [
"78eb8ad61288617799a2f9f20d71c70c"
],
"host.os.full.text": [
"Windows 11 Enterprise 23H2 (10.0.22631.2506)"
],
"kibana.alert.rule.updated_by": [
"elastic"
],
"host.os.name.text": [
"Windows"
],
"kibana.alert.rule.rule_name_override": [
"message"
],
"process.hash.sha256": [
"69e18d622d1c1234b1beeec02f621206ff398c7055cc85b068264d9e0f6c3e9b"
],
"host.hostname": [
"sanitized"
],
"signal.original_event.created": [
"2023-11-11T16:47:02.700Z"
],
"host.mac": [
"3c-52-82-77-12-96",
"f4-4e-fc-a3-13-89",
"00-15-5d-a5-4b-30",
"00-15-5d-83-f0-31",
"00-15-5d-cd-f9-f4"
],
"elastic.agent.id": [
"sanitized"
],
"signal.rule.enabled": [
"true"
],
"file.Ext.malware_classification.version": [
"4.0.37000"
],
"host.os.version": [
"23H2 (10.0.22631.2506)"
],
"signal.rule.max_signals": [
10000
],
"file.mtime": [
"2022-11-03T00:35:28.000Z"
],
"kibana.alert.risk_score": [
73
],
"signal.rule.updated_at": [
"2023-09-30T08:13:05.346Z"
],
"kibana.alert.original_event.id": [
"NIwuns2CFY7KnSHf++++2gul"
],
"event.severity": [
73
],
"file.pe.company": [
"HCL Technologies Ltd"
],
"file.path.text": [
"C:\\PROGRAM FILES\\HCL\\NOTES\\NNOTES.DLL"
],
"file.created": [
"2022-11-03T00:35:28.000Z"
],
"host.os.type": [
"windows"
],
"process.Ext.architecture": [
"x86_64"
],
"signal.original_event.code": [
"malicious_file"
],
"kibana.alert.original_event.module": [
"endpoint"
],
"kibana.alert.rule.interval": [
"5m"
],
"kibana.alert.rule.type": [
"query"
],
"kibana.alert.rule.immutable": [
"true"
],
"kibana.alert.rule.exceptions_list.list_id": [
"endpoint_list",
"a9df891a-c035-4822-8d74-1f79fed9b041"
],
"file.owner": [
"SYSTEM"
],
"kibana.alert.rule.version": [
"101"
],
"file.Ext.malware_classification.threshold": [
0.58
],
"process.command_line.text": [
"\"C:\\Program Files\\HCL\\Notes\\ndyncfg.EXE\" 16 \"\""
],
"file.Ext.malware_signature.primary.matches": [
"WDVPIVAlQEFQWzRcUFpYNTQoUF4pN0NDKTd9JEVJQ0FSLVNUQU5EQVJELUFOVElWSVJVUy1URVNULUZJTEUhJEgrSCo="
],
"file.hash.md5": [
"8013828ca8e799891da02585b1962fca"
],
"signal.original_event.outcome": [
"success"
],
"file.Ext.malware_classification.identifier": [
"endpointpe-v4-model"
],
"process.entity_id": [
"MWNkZWYzZmMtMTU2Mi00ODgwLWEwZTctZDdmNTBmZWUwZDZiLTI0NjgwLTE2OTk3MjEyMTEuNDQ1MjEyNDAw"
],
"process.parent.code_signature.status": [
"trusted"
],
"host.ip": [
"192.168.0.89",
"fd77:ade4:e825:0:62c6:f4f2:e781:6be2",
"fd77:ade4:e825:0:bbdf:7d76:2a98:387e",
"fd77:ade4:e825:0:e167:ccfd:c963:4d61",
"fe80::64bd:5247:7486:1fa",
"169.254.172.144",
"fe80::e703:f3ea:355f:a986",
"127.0.0.1",
"::1",
"172.26.160.1",
"fe80::926e:7ead:d658:2068",
"172.17.160.1",
"fe80::49a3:5cb3:c5b0:e9",
"172.29.16.1",
"fe80::5890:a2d9:115f:fd4"
],
"agent.type": [
"endpoint"
],
"process.executable.text": [
"C:\\Program Files\\HCL\\Notes\\ndyncfg.exe"
],
"signal.original_event.category": [
"malware",
"intrusion_detection",
"library"
],
"file.pe.product": [
"HCL Notes/Domino"
],
"host.id": [
"826188d2-e4f6-4025-9514-686022babc2d"
],
"process.parent.hash.sha256": [
"f081c841225bf644c340653550b6b01c9f3e38db4dd1837293341730388b2b37"
],
"process.Ext.code_signature.subject_name": [
"HCL America Inc."
],
"file.Ext.malware_signature.all_names": [
"Multi.EICAR.Not-a-virus"
],
"kibana.alert.rule.indices": [
"logs-endpoint.alerts-*"
],
"host.os.Ext.variant": [
"Windows 11 Enterprise"
],
"signal.rule.updated_by": [
"elastic"
],
"host.os.platform": [
"windows"
],
"kibana.alert.rule.severity": [
"medium"
],
"Endpoint.policy.applied.artifacts.user.identifiers.sha256": [
"d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
"d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
"d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
"d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
"d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658"
],
"file.Ext.malware_signature.identifier": [
"production-malware-signature-v1-windows"
],
"kibana.version": [
"8.10.4"
],
"event.id": [
"NIwuns2CFY7KnSHf++++2gul"
],
"signal.ancestors.type": [
"event"
],
"user.name.text": [
"sanitized"
],
"kibana.alert.ancestors.id": [
"Yk5Hv4sBCfe7LkV2qyLr"
],
"process.name.text": [
"ndyncfg.exe"
],
"host.os.full": [
"Windows 11 Enterprise 23H2 (10.0.22631.2506)"
],
"process.parent.Ext.code_signature.trusted": [
true
],
"kibana.alert.original_event.code": [
"malicious_file"
],
"Endpoint.policy.applied.artifacts.global.identifiers.name": [
"diagnostic-configuration-v1",
"diagnostic-endpointpe-v4-blocklist",
"diagnostic-endpointpe-v4-exceptionlist",
"diagnostic-endpointpe-v4-model",
"diagnostic-malware-signature-v1-windows",
"diagnostic-ransomware-v1-windows",
"diagnostic-rules-windows-v1",
"endpointpe-v4-blocklist",
"endpointpe-v4-exceptionlist",
"endpointpe-v4-model",
"global-configuration-v1",
"global-eventfilterlist-windows-v1",
"global-exceptionlist-windows",
"global-trustlist-windows-v1",
"production-malware-signature-v1-windows",
"production-ransomware-v1-windows",
"production-rules-windows-v1"
],
"kibana.alert.rule.description": [
"Generates a detection alert each time an Elastic Endpoint Security alert is received. Enabling this rule allows you to immediately begin investigating your Endpoint alerts."
],
"kibana.alert.rule.producer": [
"siem"
],
"kibana.alert.rule.to": [
"now"
],
"Endpoint.policy.applied.artifacts.user.version": [
"1.0.2"
],
"kibana.alert.original_event.ingested": [
"2023-11-11T16:47:07.000Z"
],
"signal.rule.id": [
"4b974c60-caed-11ed-9d31-81c7b0c1937c"
],
"rule.ruleset": [
"production"
],
"signal.reason": [
"malware, intrusion_detection, library event with process ndyncfg.exe, parent process nlnotes.exe, file NNOTES.DLL, by sanitized on sanitized created high alert Malware Prevention Alert."
],
"signal.rule.risk_score": [
73
],
"host.os.name": [
"Windows"
],
"process.parent.Ext.code_signature.exists": [
true
],
"signal.status": [
"open"
],
"kibana.alert.rule.severity_mapping.value": [
"21",
"47",
"73",
"99"
],
"signal.rule.tags": [
"Elastic",
"Endpoint Security"
],
"file.Ext.code_signature.exists": [
false
],
"rule.name": [
"Multi.EICAR.Not-a-virus"
],
"kibana.alert.rule.uuid": [
"4b974c60-caed-11ed-9d31-81c7b0c1937c"
],
"kibana.alert.original_event.category": [
"malware",
"intrusion_detection",
"library"
],
"signal.original_event.risk_score": [
73
],
"process.name": [
"ndyncfg.exe"
],
"process.parent.executable.text": [
"C:\\Program Files\\HCL\\Notes\\nlnotes.exe"
],
"kibana.alert.ancestors.index": [
".ds-logs-endpoint.alerts-default-2023.11.10-000007"
],
"process.Ext.code_signature.trusted": [
true
],
"agent.version": [
"8.10.4"
],
"signal.original_event.severity": [
73
],
"kibana.alert.rule.risk_score_mapping.operator": [
"equals"
],
"host.os.family": [
"windows"
],
"kibana.alert.rule.from": [
"now-10m"
],
"kibana.alert.rule.parameters": [
{
"description": "Generates a detection alert each time an Elastic Endpoint Security alert is received. Enabling this rule allows you to immediately begin investigating your Endpoint alerts.",
"risk_score": 47,
"severity": "medium",
"license": "Elastic License v2",
"rule_name_override": "message",
"timestamp_override": "event.ingested",
"author": [
"Elastic"
],
"false_positives": [],
"from": "now-10m",
"rule_id": "9a1a2dae-0b5f-4c3d-8305-a268d404c306",
"max_signals": 10000,
"risk_score_mapping": [
{
"field": "event.risk_score",
"operator": "equals",
"value": ""
}
],
"severity_mapping": [
{
"field": "event.severity",
"operator": "equals",
"severity": "low",
"value": "21"
},
{
"field": "event.severity",
"operator": "equals",
"severity": "medium",
"value": "47"
},
{
"field": "event.severity",
"operator": "equals",
"severity": "high",
"value": "73"
},
{
"field": "event.severity",
"operator": "equals",
"severity": "critical",
"value": "99"
}
],
"threat": [],
"to": "now",
"references": [],
"version": 101,
"exceptions_list": [
{
"id": "endpoint_list",
"list_id": "endpoint_list",
"namespace_type": "agnostic",
"type": "endpoint"
},
{
"id": "2de2b0e0-5f69-11ee-9b2e-01bfe334e22c",
"list_id": "a9df891a-c035-4822-8d74-1f79fed9b041",
"type": "rule_default",
"namespace_type": "single"
}
],
"immutable": true,
"related_integrations": [
{
"package": "endpoint",
"version": "^8.2.0"
}
],
"required_fields": [
{
"ecs": true,
"name": "event.kind",
"type": "keyword"
},
{
"ecs": true,
"name": "event.module",
"type": "keyword"
}
],
"setup": "",
"type": "query",
"language": "kuery",
"index": [
"logs-endpoint.alerts-*"
],
"query": "event.kind:alert and event.module:(endpoint and not endgame)\n"
}
],
"signal.original_event.kind": [
"alert"
],
"file.Ext.quarantine_result": [
false
],
"signal.depth": [
1
],
"signal.rule.immutable": [
"true"
],
"process.parent.name.text": [
"nlnotes.exe"
],
"event.sequence": [
299077
],
"signal.rule.name": [
"Malware Prevention Alert"
],
"file.Ext.malware_signature.version": [
"1.0.34"
],
"event.module": [
"endpoint"
],
"kibana.alert.rule.severity_mapping.operator": [
"equals",
"equals",
"equals",
"equals"
],
"host.os.kernel": [
"23H2 (10.0.22631.2506)"
],
"process.parent.Ext.user": [
"sanitized"
],
"file.accessed": [
"2023-11-11T12:44:46.560Z"
],
"kibana.alert.rule.license": [
"Elastic License v2"
],
"kibana.alert.original_event.kind": [
"alert"
],
"process.parent.command_line.text": [
"NLNOTES.EXE /authenticate \"=C:\\Program Files\\HCL\\Notes\\notes.ini\""
],
"signal.rule.description": [
"Generates a detection alert each time an Elastic Endpoint Security alert is received. Enabling this rule allows you to immediately begin investigating your Endpoint alerts."
],
"process.Ext.token.elevation_type": [
"full"
],
"process.args": [
"C:\\Program Files\\HCL\\Notes\\ndyncfg.EXE",
"16",
""
],
"process.parent.uptime": [
29112
],
"file.Ext.malware_signature.primary.signature.hash.sha256": [
"bb0e0bdf70ec65d98f652e2428e3567013d5413f2725a2905b372fd18da8b9dd"
],
"message": [
"Malware Prevention Alert"
],
"process.parent.hash.sha1": [
"18744a2becf9a09c7fe144b85c4ea3713c531b6f"
],
"file.drive_letter": [
"C"
],
"kibana.alert.original_event.outcome": [
"success"
],
"kibana.alert.original_event.sequence": [
299077
],
"process.Ext.user": [
"sanitized"
],
"file.Ext.malware_classification.score": [
1
],
"kibana.alert.rule.exceptions_list.namespace_type": [
"agnostic",
"single"
],
"kibana.space_ids": [
"default"
],
"kibana.alert.severity": [
"high"
],
"rule.id": [
"ac8f42d6-52da-46ec-8db1-5a5f69222a38"
],
"file.Ext.quarantine_message": [
"Failure to open file"
],
"file.pe.description": [
"HCL Notes/Domino"
],
"signal.ancestors.depth": [
0
],
"event.category": [
"malware",
"intrusion_detection",
"library"
],
"Endpoint.policy.applied.artifacts.global.identifiers.sha256": [
"2be4541e338528477b119c2ec50e7abdb638b093591e95c17e1db4132621b39e",
"17d8695f22d3817c426a0e08a477b88ecdb6088bc253dfbccc760224600afcfd",
"e899eb51199bd145c2f9af25429aebee73790fe33d2f6ceada8d2659554887ba",
"c01842ec8a5f29b3780162b8251da3caa913b1c493877a4ce9a77bce9464ce21",
"563a9106d2d895302935f8a6545961062c083214a3e5b66aadad1b0145bdba64",
"cb611e8d2bdb3a9e87e34fc395f3e5b420ed41c1bd6624cb400e1869dd965f75",
"7129b458a4d87d63588605f577145fbf808a8f936e49fecfa2c057d16f0c9f60",
"f864be0d57a9b43915bc20521c9168cad6984aeca5e3b08a755ea1b9559384d7",
"0ada9ce7d8dc8aad66dd1fd2ccd828b21b785e01ae8b0723ca099c46c78b18b1",
"1faaa8f819d6b224fd9ffd48fc8fdf0891fb8ec720e9f108439dc616db53dd10",
"aeb5953de77e2d83388e69705e7f5c7c0cc752a8b9efd075de713bc45d74c911",
"6815da3fe249428c5bc6f78eae18878affb173619d45ea1dbb540a0625b32121",
"e42945d9b870c93a827dd6157765d96620943d494b98ea8935a6f66473d270ac",
"bb457a407544d2e8156be689eb460e0de93b1d3d1d9f1e431ecf41065a58286f",
"08418b42390837b9aeec5099df4ab63394a7d32118a30922ff57c75c71a55d63",
"b35d822a94e6e9129c9c736474bac0e95ebde2b11bc33d0c6e0311cd33152218",
"be788888a04e9fe92590d86cfc9b4dd4ca4da29ea75a6259b537edb1136e861b"
],
"process.parent.command_line": [
"NLNOTES.EXE /authenticate \"=C:\\Program Files\\HCL\\Notes\\notes.ini\""
],
"process.parent.name": [
"nlnotes.exe"
],
"process.parent.pid": [
20724
],
"kibana.alert.original_event.risk_score": [
73
],
"kibana.alert.rule.tags": [
"Elastic",
"Endpoint Security"
],
"process.code_signature.exists": [
true
],
"kibana.alert.ancestors.depth": [
0
],
"kibana.alert.rule.severity_mapping.severity": [
"low",
"medium",
"high",
"critical"
],
"agent.build.original": [
"version: 8.10.4, compiled: Wed Oct 11 19:00:00 2023, branch: HEAD, commit: 8442397386468c4ab954a0a34406e209336efa7b"
],
"event.agent_id_status": [
"verified"
],
"event.outcome": [
"success"
],
"process.parent.Ext.code_signature.subject_name": [
"HCL America Inc."
],
"kibana.alert.rule.risk_score_mapping.value": [
""
],
"file.Ext.temp_file_path": [
""
],
"process.Ext.ancestry": [
"MWNkZWYzZmMtMTU2Mi00ODgwLWEwZTctZDdmNTBmZWUwZDZiLTIwNzI0LTE2OTk2OTIxMTAuNjg5ODI4NDAw",
"MWNkZWYzZmMtMTU2Mi00ODgwLWEwZTctZDdmNTBmZWUwZDZiLTgyODAtMTY5OTY5MjExMC41NTk5ODk0MDA=",
"MWNkZWYzZmMtMTU2Mi00ODgwLWEwZTctZDdmNTBmZWUwZDZiLTEyNTI4LTE2OTk2OTEyMzIuNDk3NDc2NDAw",
"MWNkZWYzZmMtMTU2Mi00ODgwLWEwZTctZDdmNTBmZWUwZDZiLTEyNDI4LTE2OTk2OTEyMzIuMzgwMDAyNzAw",
"MWNkZWYzZmMtMTU2Mi00ODgwLWEwZTctZDdmNTBmZWUwZDZiLTE2NjAtMTY5OTY5MTIwNy45NTI4MTQ4MDA="
],
"process.parent.start": [
"2023-11-11T08:41:50.689Z"
],
"signal.original_event.sequence": [
299077
],
"file.Ext.malware_signature.primary.signature.name": [
"Multi.EICAR.Not-a-virus"
],
"event.risk_score": [
73
],
"host.architecture": [
"x86_64"
],
"kibana.alert.start": [
"2023-11-11T16:51:02.405Z"
],
"process.Ext.code_signature.status": [
"trusted"
],
"event.code": [
"malicious_file"
],
"kibana.alert.original_event.type": [
"info",
"start",
"denied"
],
"agent.id": [
"sanitized"
],
"signal.original_event.module": [
"endpoint"
],
"process.parent.code_signature.trusted": [
true
],
"signal.rule.from": [
"now-10m"
],
"kibana.alert.rule.exceptions_list.type": [
"endpoint",
"rule_default"
],
"process.Ext.token.domain": [
"sanitized"
],
"kibana.alert.rule.enabled": [
"true"
],
"kibana.alert.ancestors.type": [
"event"
],
"signal.ancestors.index": [
".ds-logs-endpoint.alerts-default-2023.11.10-000007"
],
"user.name": [
"sanitized"
],
"Endpoint.policy.applied.artifacts.global.version": [
"1.0.800"
],
"signal.original_event.id": [
"NIwuns2CFY7KnSHf++++2gul"
],
"file.hash.sha256": [
"2aff03ee51a3d81ae0f29a82717cfe5ee54deafb894768b42ccd8161c15ff7b2"
],
"process.uptime": [
11
],
"user.domain": [
"sanitized"
],
"process.parent.Ext.architecture": [
"x86_64"
],
"process.Ext.token.integrity_level_name": [
"high"
],
"signal.original_event.type": [
"info",
"start",
"denied"
],
"file.directory": [
"C:\\PROGRAM FILES\\HCL\\NOTES"
],
"process.parent.hash.md5": [
"c1d5757a457b7c9f53855d19242a43c5"
],
"kibana.alert.rule.max_signals": [
10000
],
"signal.rule.author": [
"Elastic"
],
"kibana.alert.rule.risk_score": [
47
],
"file.name": [
"NNOTES.DLL"
],
"process.Ext.token.sid": [
"S-1-5-21-2879460198-942447916-2540470768-1156"
],
"process.code_signature.status": [
"trusted"
],
"signal.original_event.dataset": [
"endpoint.alerts"
],
"kibana.alert.rule.consumer": [
"siem"
],
"kibana.alert.rule.category": [
"Custom Query Rule"
],
"event.action": [
"load"
],
"event.ingested": [
"2023-11-11T16:47:07.000Z"
],
"@timestamp": [
"2023-11-11T16:51:02.059Z"
],
"kibana.alert.original_event.action": [
"load"
],
"kibana.alert.original_event.agent_id_status": [
"verified"
],
"data_stream.dataset": [
"endpoint.alerts"
],
"signal.rule.timestamp_override": [
"event.ingested"
],
"kibana.alert.rule.execution.uuid": [
"27c57c10-680d-4839-b24c-c572b42273f8"
],
"kibana.alert.uuid": [
"0cb9ede77f89e142cafe660855444480804f03a449b4c17462dd82275002e863"
],
"process.hash.sha1": [
"b595c7ef71a79423dfa12d8a012fae4e0d867554"
],
"Endpoint.policy.applied.artifacts.user.identifiers.name": [
"endpoint-blocklist-windows-v1",
"endpoint-eventfilterlist-windows-v1",
"endpoint-exceptionlist-windows-v1",
"endpoint-hostisolationexceptionlist-windows-v1",
"endpoint-trustlist-windows-v1"
],
"signal.rule.license": [
"Elastic License v2"
],
"kibana.alert.rule.rule_id": [
"9a1a2dae-0b5f-4c3d-8305-a268d404c306"
],
"file.path": [
"C:\\PROGRAM FILES\\HCL\\NOTES\\NNOTES.DLL"
],
"signal.rule.type": [
"query"
],
"signal.rule.rule_name_override": [
"message"
],
"kibana.alert.url": [
"https://kali-purple.sanitized.local:5601/app/security/alerts/redirect/0cb9ede77f89e142cafe660855444480804f03a449b4c17462dd82275002e863?index=.alerts-security.alerts-default&timestamp=2023-11-11T16:51:02.059Z"
],
"kibana.alert.rule.risk_score_mapping.field": [
"event.risk_score"
],
"process.pid": [
24680
],
"signal.rule.created_by": [
"elastic"
],
"signal.rule.interval": [
"5m"
],
"kibana.alert.rule.created_by": [
"elastic"
],
"kibana.alert.rule.timestamp_override": [
"event.ingested"
],
"process.code_signature.subject_name": [
"HCL America Inc."
],
"process.parent.entity_id": [
"MWNkZWYzZmMtMTU2Mi00ODgwLWEwZTctZDdmNTBmZWUwZDZiLTIwNzI0LTE2OTk2OTIxMTAuNjg5ODI4NDAw"
],
"kibana.alert.rule.name": [
"Malware Prevention Alert"
],
"process.parent.Ext.code_signature.status": [
"trusted"
],
"host.name": [
"sanitized"
],
"event.kind": [
"signal"
],
"process.Ext.protection": [
""
],
"process.code_signature.trusted": [
true
],
"signal.rule.created_at": [
"2023-03-25T09:13:25.949Z"
],
"kibana.alert.workflow_status": [
"open"
],
"kibana.alert.original_event.created": [
"2023-11-11T16:47:02.700Z"
],
"kibana.alert.reason": [
"malware, intrusion_detection, library event with process ndyncfg.exe, parent process nlnotes.exe, file NNOTES.DLL, by sanitized on sanitized created high alert Malware Prevention Alert."
],
"process.parent.args_count": [
3
],
"data_stream.type": [
"logs"
],
"process.Ext.token.user": [
"sanitized"
],
"signal.ancestors.id": [
"Yk5Hv4sBCfe7LkV2qyLr"
],
"signal.original_time": [
"2023-11-11T16:47:02.700Z"
],
"ecs.version": [
"1.11.0"
],
"signal.rule.severity": [
"high"
],
"file.Ext.malware_signature.primary.signature.id": [
"ac8f42d6-52da-46ec-8db1-5a5f69222a38"
],
"event.created": [
"2023-11-11T16:47:02.700Z"
],
"file.extension": [
"dll"
],
"kibana.alert.depth": [
1
],
"process.parent.ppid": [
8280
],
"file.Ext.quarantine_path": [
""
],
"process.parent.Ext.protection": [
""
],
"file.pe.file_version": [
"12.0.200.22306"
],
"kibana.alert.rule.revision": [
102
],
"process.start": [
"2023-11-11T16:46:51.445Z"
],
"signal.rule.version": [
"101"
],
"file.pe.original_file_name": [
""
],
"kibana.alert.status": [
"active"
],
"kibana.alert.last_detected": [
"2023-11-11T16:51:02.405Z"
],
"kibana.alert.rule.severity_mapping.field": [
"event.severity",
"event.severity",
"event.severity",
"event.severity"
],
"kibana.alert.original_event.dataset": [
"endpoint.alerts"
],
"process.parent.code_signature.exists": [
true
],
"file.hash.sha1": [
"b37ae7837aed007375f321d37866290aeb608870"
],
"kibana.alert.rule.rule_type_id": [
"siem.queryRule"
],
"signal.rule.rule_id": [
"9a1a2dae-0b5f-4c3d-8305-a268d404c306"
],
"process.executable": [
"C:\\Program Files\\HCL\\Notes\\ndyncfg.exe"
],
"kibana.alert.original_event.severity": [
73
],
"process.parent.code_signature.subject_name": [
"HCL America Inc."
],
"process.parent.executable": [
"C:\\Program Files\\HCL\\Notes\\nlnotes.exe"
],
"process.args_count": [
3
],
"kibana.alert.rule.updated_at": [
"2023-09-30T08:13:05.346Z"
],
"process.Ext.token.elevation": [
true
],
"data_stream.namespace": [
"default"
],
"kibana.alert.rule.author": [
"Elastic"
],
"file.size": [
41242624
],
"process.Ext.code_signature.exists": [
true
],
"process.parent.args": [
"NLNOTES.EXE",
"/authenticate",
"=C:\\Program Files\\HCL\\Notes\\notes.ini"
],
"signal.original_event.action": [
"load"
],
"kibana.alert.rule.created_at": [
"2023-03-25T09:13:25.949Z"
],
"signal.rule.to": [
"now"
],
"file.code_signature.exists": [
false
],
"event.type": [
"info",
"start",
"denied"
],
"process.command_line": [
"\"C:\\Program Files\\HCL\\Notes\\ndyncfg.EXE\" 16 \"\""
],
"kibana.alert.rule.exceptions_list.id": [
"endpoint_list",
"2de2b0e0-5f69-11ee-9b2e-01bfe334e22c"
],
"event.dataset": [
"endpoint.alerts"
],
"kibana.alert.original_time": [
"2023-11-11T16:47:02.700Z"
]
}
}