Getting crazy with nnotes.dll

Yes - I am using HCL Notes / Domino in release 12 and 14 (the newest one).
Elastic Endpoint Security is driving me crazy as it is putting the file "nnotes.dll" into quarantine.
I tested a rule exception and an endpoint exception on file.path : "C:\Program Files\HCL\Notes\nnotes.dll".
Still the file is quarantined, only to be restored.

{
  "@timestamp": [
    "2023-12-18T09:16:00.334Z"
  ],
  "agent.ephemeral_id": [
    "dfaee510-790a-434b-bcd7-384aae7b13a5"
  ],
  "agent.id": [
    "1cdef3fc-1562-4880-a0e7-d7f50fee0d6b"
  ],
  "agent.name": [
    "Z440"
  ],
  "agent.type": [
    "endpoint"
  ],
  "agent.version": [
    "8.11.3"
  ],
  "component.binary": [
    "endpoint-security"
  ],
  "component.dataset": [
    "elastic_agent.endpoint_security"
  ],
  "component.id": [
    "endpoint-default"
  ],
  "component.type": [
    "endpoint"
  ],
  "data_stream.dataset": [
    "elastic_agent.endpoint_security"
  ],
  "data_stream.namespace": [
    "default"
  ],
  "data_stream.type": [
    "logs"
  ],
  "ecs.version": [
    "1.11.0"
  ],
  "elastic_agent.id": [
    "1cdef3fc-1562-4880-a0e7-d7f50fee0d6b"
  ],
  "elastic_agent.snapshot": [
    false
  ],
  "elastic_agent.version": [
    "8.11.3"
  ],
  "event.agent_id_status": [
    "verified"
  ],
  "event.dataset": [
    "elastic_agent.endpoint_security"
  ],
  "event.ingested": [
    "2023-12-18T09:16:05.000Z"
  ],
  "host.architecture": [
    "x86_64"
  ],
  "host.hostname": [
    "z440"
  ],
  "host.id": [
    "826188d2-e4f6-4025-9514-686022babc2d"
  ],
  "host.ip": [
    "fd77:ade4:e825:0:bbdf:7d76:2a98:387e",
    "fd77:ade4:e825:0:f890:4ace:8aaf:1582",
    "fd77:ade4:e825:0:2de3:7594:7184:bb8f",
    "fe80::64bd:5247:7486:1fa",
    "192.168.0.89",
    "fe80::e703:f3ea:355f:a986",
    "169.254.172.144",
    "fe80::d43a:b795:900c:c9b2",
    "172.18.128.1",
    "fe80::bd65:c48f:a1ab:2ddb",
    "172.19.64.1",
    "fe80::ae07:d7b0:d8cd:de03",
    "172.28.192.1"
  ],
  "host.mac": [
    "00-15-5D-8A-D2-90",
    "00-15-5D-A5-4B-30",
    "00-15-5D-AD-E5-7C",
    "3C-52-82-77-12-96",
    "F4-4E-FC-A3-13-89"
  ],
  "host.name": [
    "z440"
  ],
  "host.os.build": [
    "22631.2861"
  ],
  "host.os.family": [
    "windows"
  ],
  "host.os.kernel": [
    "10.0.22621.2861 (WinBuild.160101.0800)"
  ],
  "host.os.name": [
    "Windows 11 Enterprise"
  ],
  "host.os.name.text": [
    "Windows 11 Enterprise"
  ],
  "host.os.platform": [
    "windows"
  ],
  "host.os.type": [
    "windows"
  ],
  "host.os.version": [
    "10.0"
  ],
  "input.type": [
    "filestream"
  ],
  "log.file.idxhi": [
    "3670016"
  ],
  "log.file.idxlo": [
    "418685"
  ],
  "log.file.path": [
    "C:\\Program Files\\Elastic\\Endpoint\\state\\log\\endpoint-000070.log"
  ],
  "log.file.vol": [
    "339111792"
  ],
  "log.level": [
    "info"
  ],
  "log.offset": [
    25663259
  ],
  "log.origin.file.line": [
    895
  ],
  "log.origin.file.name": [
    "PlatformQuarantineManager.cpp"
  ],
  "log.source": [
    "endpoint-default"
  ],
  "message": [
    "PlatformQuarantineManager.cpp:895 Successfully quarantined file: C:\\Program Files\\HCL\\Notes\\nnotes.dll"
  ],
  "process.pid": [
    7020
  ],
  "process.thread.id": [
    8540
  ],
  "_id": "yKQ2fIwBaCcbaQM-C455",
  "_index": ".ds-logs-elastic_agent.endpoint_security-default-2023.12.13-000016",
  "_score": null
}

What is going wrong here and why is Endpoint Security so "fixed" on this file?

Hi @GKre,

still the file is quarantined only to be restored

Can you explain that more? Are you saying you keep getting alerts for the file that indicate the file was quarantined but then the file is automatically restored? I'm not sure how that could happen.

The document you shared is from a log message. Are you still seeing alert documents (look in logs-endpoint.alerts-* for event.kind: alert), or just those log lines? Are you sure the host that is alerting on that file has the exceptions applied and that the alert document has file.path: C:\Program Files\HCL\Notes\nnotes.dll? Make sure the case-insensitive path matches exactly what you put in for the exception (i.e. don't use "double paths" like \\).

Hello and a happy new year, @ferullo,

I could solve the problem with the exception - this is not the main question.

What I wonder about is: there are thousands of DLLs in a Windows system.

Can I find out "why" this file has been classified as dangerous?

In the end I can make an exception, but I still have a bad feeling as I am not sure about the potential "risk" of this file.

Ah, ok. I didn't realize that was your concern.

Without seeing the alert I can't be sure why it's being flagged. If it is being caught by a malware signature you should see the field file.Ext.malware_signature, which will contain some details describing what signature matched it.

If it didn't match a signature it may still have been caught by the malware machine learning model, which will contain details in the field file.Ext.malware_classification. If there is a matching malware signature, the score reported in malware_classification field may be explicitly reported as 1.0 despite what the model calculated (depending on your Endpoint version). If there isn't a matching signature, or the score isn't 1.0, then a higher score means the file has more correlation with other known malware but there isn't more information for you to dig into.

I know it might be a little hard to parse what I wrote above. If you'd like, go ahead and share a sanitized alert here and I can see what information can be gleaned from it.

You seem confident this is a false positive. Please report the false positive using these instructions, or, if you have Elastic support, via that channel.

I hope that helps.

Thanks again @ferullo,

The problem is: I cannot find any score. There's an alert and a diagnostic alert:

{
  "_index": ".ds-logs-elastic_agent.endpoint_security-default-2023.12.13-000016",
  "_id": "waQ2fIwBaCcbaQM-C455",
  "_version": 1,
  "_score": 0,
  "_source": {
    "process": {
      "pid": 7020,
      "thread": {
        "id": 9848
      }
    },
    "agent": {
      "name": "Z440",
      "id": "sanitized",
      "ephemeral_id": "sanitized",
      "type": "endpoint",
      "version": "8.11.3"
    },
    "log": {
      "file": {
        "path": "C:\\Program Files\\Elastic\\Endpoint\\state\\log\\endpoint-000070.log",
        "vol": "339111792",
        "idxlo": "418685",
        "idxhi": "3670016"
      },
      "offset": 25660891,
      "level": "info",
      "origin": {
        "file": {
          "line": 1269,
          "name": "FileScore.cpp"
        }
      },
      "source": "endpoint-default"
    },
    "elastic_agent": {
      "id": "sanitized",
      "version": "8.11.3",
      "snapshot": false
    },
    "message": "FileScore.cpp:1269 Sending alert for [C:\\Program Files\\HCL\\Notes\\nnotes.dll]",
    "input": {
      "type": "filestream"
    },
    "component": {
      "binary": "endpoint-security",
      "id": "endpoint-default",
      "type": "endpoint",
      "dataset": "elastic_agent.endpoint_security"
    },
    "@timestamp": "2023-12-18T09:15:57.119Z",
    "ecs": {
      "version": "1.11.0"
    },
    "data_stream": {
      "namespace": "default",
      "type": "logs",
      "dataset": "elastic_agent.endpoint_security"
    },
    "host": {
      "hostname": "z440",
      "os": {
        "build": "22631.2861",
        "kernel": "10.0.22621.2861 (WinBuild.160101.0800)",
        "name": "Windows 11 Enterprise",
        "family": "windows",
        "type": "windows",
        "version": "10.0",
        "platform": "windows"
      },
      "ip": [
        "sanitized"
      ],
      "name": "z440",
      "id": "sanitized",
      "mac": [
        "sanitized"
      ],
      "architecture": "x86_64"
    },
    "event": {
      "agent_id_status": "verified",
      "ingested": "2023-12-18T09:16:05Z",
      "dataset": "elastic_agent.endpoint_security"
    }
  },
  "fields": {
    "log.file.vol": [
      "339111792"
    ],
    "elastic_agent.version": [
      "8.11.3"
    ],
    "component.binary": [
      "endpoint-security"
    ],
    "host.os.name.text": [
      "Windows 11 Enterprise"
    ],
    "host.hostname": [
      "z440"
    ],
    "process.pid": [
      7020
    ],
    "host.mac": [
      "sanitized"
    ],
    "host.os.build": [
      "22631.2861"
    ],
    "host.ip": [
      "sanitized"
    ],
    "agent.type": [
      "endpoint"
    ],
    "component.id": [
      "endpoint-default"
    ],
    "host.os.version": [
      "10.0"
    ],
    "host.os.kernel": [
      "10.0.22621.2861 (WinBuild.160101.0800)"
    ],
    "component.dataset": [
      "elastic_agent.endpoint_security"
    ],
    "host.os.name": [
      "Windows 11 Enterprise"
    ],
    "log.level": [
      "info"
    ],
    "agent.name": [
      "Z440"
    ],
    "elastic_agent.snapshot": [
      false
    ],
    "host.name": [
      "z440"
    ],
    "event.agent_id_status": [
      "verified"
    ],
    "host.id": [
      "sanitized"
    ],
    "log.origin.file.line": [
      1269
    ],
    "host.os.type": [
      "windows"
    ],
    "elastic_agent.id": [
      "sanitized"
    ],
    "data_stream.namespace": [
      "default"
    ],
    "log.file.idxhi": [
      "3670016"
    ],
    "log.file.idxlo": [
      "418685"
    ],
    "log.source": [
      "endpoint-default"
    ],
    "input.type": [
      "filestream"
    ],
    "log.offset": [
      25660891
    ],
    "message": [
      "FileScore.cpp:1269 Sending alert for [C:\\Program Files\\HCL\\Notes\\nnotes.dll]"
    ],
    "data_stream.type": [
      "logs"
    ],
    "host.architecture": [
      "x86_64"
    ],
    "component.type": [
      "endpoint"
    ],
    "event.ingested": [
      "2023-12-18T09:16:05.000Z"
    ],
    "@timestamp": [
      "2023-12-18T09:15:57.119Z"
    ],
    "log.origin.file.name": [
      "FileScore.cpp"
    ],
    "agent.id": [
      "sanitized"
    ],
    "ecs.version": [
      "1.11.0"
    ],
    "host.os.platform": [
      "windows"
    ],
    "data_stream.dataset": [
      "elastic_agent.endpoint_security"
    ],
    "log.file.path": [
      "C:\\Program Files\\Elastic\\Endpoint\\state\\log\\endpoint-000070.log"
    ],
    "agent.ephemeral_id": [
      "sanitized"
    ],
    "agent.version": [
      "8.11.3"
    ],
    "host.os.family": [
      "windows"
    ],
    "process.thread.id": [
      9848
    ],
    "event.dataset": [
      "elastic_agent.endpoint_security"
    ]
  }
}


{
  "_index": ".ds-logs-elastic_agent.endpoint_security-default-2023.12.13-000016",
  "_id": "9KILfIwBaCcbaQM-f4dc",
  "_version": 1,
  "_score": 0,
  "_source": {
    "process": {
      "pid": 7020,
      "thread": {
        "id": 9844
      }
    },
    "agent": {
      "name": "Z440",
      "id": "sanitized",
      "type": "endpoint",
      "ephemeral_id": "sanitized",
      "version": "8.11.3"
    },
    "log": {
      "file": {
        "path": "C:\\Program Files\\Elastic\\Endpoint\\state\\log\\endpoint-000070.log",
        "vol": "339111792",
        "idxlo": "418685",
        "idxhi": "3670016"
      },
      "offset": 25269184,
      "level": "info",
      "origin": {
        "file": {
          "line": 1258,
          "name": "FileScore.cpp"
        }
      },
      "source": "endpoint-default"
    },
    "elastic_agent": {
      "id": "sanitized",
      "version": "8.11.3",
      "snapshot": false
    },
    "message": "FileScore.cpp:1258 Sending diagnostic alert for [C:\\PROGRAM FILES\\HCL\\NOTES\\NNOTES.DLL]",
    "input": {
      "type": "filestream"
    },
    "component": {
      "binary": "endpoint-security",
      "id": "endpoint-default",
      "type": "endpoint",
      "dataset": "elastic_agent.endpoint_security"
    },
    "@timestamp": "2023-12-18T08:29:33.103Z",
    "ecs": {
      "version": "1.11.0"
    },
    "data_stream": {
      "namespace": "default",
      "type": "logs",
      "dataset": "elastic_agent.endpoint_security"
    },
    "host": {
      "hostname": "z440",
      "os": {
        "build": "22631.2861",
        "kernel": "10.0.22621.2861 (WinBuild.160101.0800)",
        "name": "Windows 11 Enterprise",
        "type": "windows",
        "family": "windows",
        "version": "10.0",
        "platform": "windows"
      },
      "ip": [
        "sanitized"
      ],
      "name": "z440",
      "id": "826188d2-e4f6-4025-9514-686022babc2d",
      "mac": [
        "sanitized"
      ],
      "architecture": "x86_64"
    },
    "event": {
      "agent_id_status": "verified",
      "ingested": "2023-12-18T08:29:37Z",
      "dataset": "elastic_agent.endpoint_security"
    }
  },
  "fields": {
    "log.file.vol": [
      "339111792"
    ],
    "elastic_agent.version": [
      "8.11.3"
    ],
    "component.binary": [
      "endpoint-security"
    ],
    "host.os.name.text": [
      "Windows 11 Enterprise"
    ],
    "host.hostname": [
      "z440"
    ],
    "process.pid": [
      7020
    ],
    "host.mac": [
      "sanitized"
    ],
    "host.os.build": [
      "22631.2861"
    ],
    "host.ip": [
      "sanitized"
    ],
    "agent.type": [
      "endpoint"
    ],
    "component.id": [
      "endpoint-default"
    ],
    "host.os.version": [
      "10.0"
    ],
    "host.os.kernel": [
      "10.0.22621.2861 (WinBuild.160101.0800)"
    ],
    "component.dataset": [
      "elastic_agent.endpoint_security"
    ],
    "host.os.name": [
      "Windows 11 Enterprise"
    ],
    "log.level": [
      "info"
    ],
    "agent.name": [
      "Z440"
    ],
    "elastic_agent.snapshot": [
      false
    ],
    "host.name": [
      "z440"
    ],
    "event.agent_id_status": [
      "verified"
    ],
    "host.id": [
      "sanitized"
    ],
    "log.origin.file.line": [
      1258
    ],
    "host.os.type": [
      "windows"
    ],
    "elastic_agent.id": [
      "sanitized"
    ],
    "data_stream.namespace": [
      "default"
    ],
    "log.file.idxhi": [
      "3670016"
    ],
    "log.file.idxlo": [
      "418685"
    ],
    "log.source": [
      "endpoint-default"
    ],
    "input.type": [
      "filestream"
    ],
    "log.offset": [
      25269184
    ],
    "message": [
      "FileScore.cpp:1258 Sending diagnostic alert for [C:\\PROGRAM FILES\\HCL\\NOTES\\NNOTES.DLL]"
    ],
    "data_stream.type": [
      "logs"
    ],
    "host.architecture": [
      "x86_64"
    ],
    "component.type": [
      "endpoint"
    ],
    "event.ingested": [
      "2023-12-18T08:29:37.000Z"
    ],
    "@timestamp": [
      "2023-12-18T08:29:33.103Z"
    ],
    "log.origin.file.name": [
      "FileScore.cpp"
    ],
    "agent.id": [
      "sanitized"
    ],
    "ecs.version": [
      "1.11.0"
    ],
    "host.os.platform": [
      "windows"
    ],
    "data_stream.dataset": [
      "elastic_agent.endpoint_security"
    ],
    "log.file.path": [
      "C:\\Program Files\\Elastic\\Endpoint\\state\\log\\endpoint-000070.log"
    ],
    "agent.ephemeral_id": [
      "sanitized"
    ],
    "agent.version": [
      "8.11.3"
    ],
    "host.os.family": [
      "windows"
    ],
    "process.thread.id": [
      9844
    ],
    "event.dataset": [
      "elastic_agent.endpoint_security"
    ]
  }
}

Also funny - now the exception is creating a daily info message, as the file cannot be restored from quarantine:

{
  "_index": ".ds-logs-elastic_agent.endpoint_security-default-2023.12.13-000016",
  "_id": "MU54yYwBaCcbaQM-Z5Po",
  "_version": 1,
  "_score": 0,
  "_source": {
    "process": {
      "pid": 6684,
      "thread": {
        "id": 7328
      }
    },
    "agent": {
      "name": "Z440",
      "id": "sanitized",
      "ephemeral_id": "sanitized",
      "type": "endpoint",
      "version": "8.11.3"
    },
    "log": {
      "file": {
        "path": "C:\\Program Files\\Elastic\\Endpoint\\state\\log\\endpoint-000071.log",
        "vol": "339111792",
        "idxlo": "69488",
        "idxhi": "8650752"
      },
      "offset": 19272087,
      "level": "info",
      "origin": {
        "file": {
          "line": 1007,
          "name": "PlatformQuarantineManager.cpp"
        }
      },
      "source": "endpoint-default"
    },
    "elastic_agent": {
      "id": "sanitized",
      "version": "8.11.3",
      "snapshot": false
    },
    "message": "PlatformQuarantineManager.cpp:1007 Attempting to restore quarantined file: C:\\Program Files\\HCL\\Notes\\nnotes.dll",
    "input": {
      "type": "filestream"
    },
    "component": {
      "binary": "endpoint-security",
      "id": "endpoint-default",
      "type": "endpoint",
      "dataset": "elastic_agent.endpoint_security"
    },
    "@timestamp": "2024-01-02T09:19:18.086Z",
    "ecs": {
      "version": "1.11.0"
    },
    "data_stream": {
      "namespace": "default",
      "type": "logs",
      "dataset": "elastic_agent.endpoint_security"
    },
    "host": {
      "hostname": "z440",
      "os": {
        "build": "22631.2861",
        "kernel": "10.0.22621.2861 (WinBuild.160101.0800)",
        "name": "Windows 11 Enterprise",
        "family": "windows",
        "type": "windows",
        "version": "10.0",
        "platform": "windows"
      },
      "ip": [
        "sanitized"
      ],
      "name": "z440",
      "id": "sanitized",
      "mac": [
        "sanitized"
      ],
      "architecture": "x86_64"
    },
    "event": {
      "agent_id_status": "verified",
      "ingested": "2024-01-02T09:19:20Z",
      "dataset": "elastic_agent.endpoint_security"
    }
  },
  "fields": {
    "log.file.vol": [
      "339111792"
    ],
    "elastic_agent.version": [
      "8.11.3"
    ],
    "component.binary": [
      "endpoint-security"
    ],
    "host.os.name.text": [
      "Windows 11 Enterprise"
    ],
    "host.hostname": [
      "z440"
    ],
    "process.pid": [
      6684
    ],
    "host.mac": [
      "sanitized"
    ],
    "host.os.build": [
      "22631.2861"
    ],
    "host.ip": [
      "sanitized"
    ],
    "agent.type": [
      "endpoint"
    ],
    "component.id": [
      "endpoint-default"
    ],
    "host.os.version": [
      "10.0"
    ],
    "host.os.kernel": [
      "10.0.22621.2861 (WinBuild.160101.0800)"
    ],
    "component.dataset": [
      "elastic_agent.endpoint_security"
    ],
    "host.os.name": [
      "Windows 11 Enterprise"
    ],
    "log.level": [
      "info"
    ],
    "agent.name": [
      "Z440"
    ],
    "elastic_agent.snapshot": [
      false
    ],
    "host.name": [
      "z440"
    ],
    "event.agent_id_status": [
      "verified"
    ],
    "host.id": [
      "sanitized"
    ],
    "log.origin.file.line": [
      1007
    ],
    "host.os.type": [
      "windows"
    ],
    "elastic_agent.id": [
      "sanitized"
    ],
    "data_stream.namespace": [
      "default"
    ],
    "log.file.idxhi": [
      "8650752"
    ],
    "log.file.idxlo": [
      "69488"
    ],
    "log.source": [
      "endpoint-default"
    ],
    "input.type": [
      "filestream"
    ],
    "log.offset": [
      19272087
    ],
    "message": [
      "PlatformQuarantineManager.cpp:1007 Attempting to restore quarantined file: C:\\Program Files\\HCL\\Notes\\nnotes.dll"
    ],
    "data_stream.type": [
      "logs"
    ],
    "host.architecture": [
      "x86_64"
    ],
    "component.type": [
      "endpoint"
    ],
    "event.ingested": [
      "2024-01-02T09:19:20.000Z"
    ],
    "@timestamp": [
      "2024-01-02T09:19:18.086Z"
    ],
    "log.origin.file.name": [
      "PlatformQuarantineManager.cpp"
    ],
    "agent.id": [
      "sanitized"
    ],
    "ecs.version": [
      "1.11.0"
    ],
    "host.os.platform": [
      "windows"
    ],
    "data_stream.dataset": [
      "elastic_agent.endpoint_security"
    ],
    "log.file.path": [
      "C:\\Program Files\\Elastic\\Endpoint\\state\\log\\endpoint-000071.log"
    ],
    "agent.ephemeral_id": [
      "sanitized"
    ],
    "agent.version": [
      "8.11.3"
    ],
    "host.os.family": [
      "windows"
    ],
    "process.thread.id": [
      7328
    ],
    "event.dataset": [
      "elastic_agent.endpoint_security"
    ]
  }
}

Those are Endpoint log messages that were ingested into Elasticsearch, not the actual alert documents.

You can find the alerts in the logs-endpoint.alerts-* index pattern. They do get copied to another index to enable some SIEM features, but the original alert documents Endpoint generates are in the index I mentioned. Those will have one or both of the fields I described.
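Added example (not code from ferullo, Elastic or the original poster): a small Python triage helper that reads the two fields described above, file.Ext.malware_signature and file.Ext.malware_classification, from an alert document's _source, reports which of them produced the verdict, decodes the base64 patterns the signature matched, and checks an exception's file.path against the alert's path case-insensitively and without doubled backslashes, as recommended earlier in the thread. SIGNATURE_ALERT is constructed from the field layout and values of the alert posted in this thread; MODEL_ONLY_ALERT uses hypothetical values, and the function names are my own.

```python
import base64

# Constructed sample: only the alert fields this thread discusses, with values
# copied from the Endpoint alert document posted in the thread. The doubled
# backslashes are Python escapes, so file.path holds single backslashes.
SIGNATURE_ALERT = {
    "rule": {"name": "Multi.EICAR.Not-a-virus", "ruleset": "production",
             "id": "ac8f42d6-52da-46ec-8db1-5a5f69222a38"},
    "file": {
        "path": "C:\\PROGRAM FILES\\HCL\\NOTES\\NNOTES.DLL",
        "Ext": {
            "malware_signature": {
                "identifier": "production-malware-signature-v1-windows",
                "all_names": "Multi.EICAR.Not-a-virus",
                "version": "1.0.34",
                "primary": {
                    "signature": {"name": "Multi.EICAR.Not-a-virus",
                                  "id": "ac8f42d6-52da-46ec-8db1-5a5f69222a38"},
                    "matches": ["WDVPIVAlQEFQWzRcUFpYNTQoUF4pN0NDKTd9JEVJQ0FSLVNUQU5EQVJELUFOVElWSVJVUy1URVNULUZJTEUhJEgrSCo="],
                },
            },
            "malware_classification": {"identifier": "endpointpe-v4-model",
                                       "score": 1, "threshold": 0.58,
                                       "version": "4.0.37000"},
            "quarantine_result": False,
            "quarantine_message": "Failure to open file",
        },
    },
}

# Constructed counter-example with hypothetical values: no signature hit, the
# machine-learning model alone pushed the file over its threshold.
MODEL_ONLY_ALERT = {
    "file": {
        "path": "C:\\Users\\Public\\sample.dll",
        "Ext": {
            "malware_classification": {"identifier": "endpointpe-v4-model",
                                       "score": 0.83, "threshold": 0.58,
                                       "version": "4.0.37000"},
        },
    },
}


def verdict_origin(alert):
    """Work out what produced the malware verdict, following the explanation in
    the thread: a signature match (file.Ext.malware_signature) is the concrete
    evidence and, on some Endpoint versions, the reported model score is then
    pinned to 1.0; without a signature only file.Ext.malware_classification
    remains, and a higher score only means more correlation with known malware."""
    ext = alert["file"]["Ext"]
    sig = ext.get("malware_signature") or {}
    cls = ext.get("malware_classification") or {}
    primary = sig.get("primary", {}).get("signature")
    score = float(cls["score"]) if "score" in cls else None
    threshold = float(cls["threshold"]) if "threshold" in cls else None
    if primary:
        origin = "signature"
    elif score is not None and threshold is not None and score >= threshold:
        origin = "ml-model"
    else:
        origin = "unknown"
    return {
        "origin": origin,
        "signature": primary["name"] if primary else None,
        "signature_id": primary["id"] if primary else None,
        "score": score,
        "threshold": threshold,
        # With a signature hit the 1.0 may be reported regardless of what the
        # model computed, so it carries no extra information about the file.
        "score_informative": origin != "signature",
        "quarantined": ext.get("quarantine_result"),
    }


def decode_signature_matches(alert):
    """Return the raw byte patterns the signature matched. The alert in this
    thread carries them base64-encoded in malware_signature.primary.matches."""
    primary = (alert["file"]["Ext"].get("malware_signature") or {}).get("primary", {})
    return [base64.b64decode(m) for m in primary.get("matches", [])]


def exception_covers(exception_path, alert_path):
    """Check an exception's file.path value against the alert's file.path the
    way the thread advises: case-insensitive comparison, single backslashes.
    Returns (matched, notes)."""
    notes = []
    if "\\\\" in exception_path:
        notes.append("exception path contains doubled backslashes; use single ones")
    if exception_path.casefold() == alert_path.casefold():
        return True, notes
    notes.append("paths differ after case folding")
    return False, notes


if __name__ == "__main__":
    for alert in (SIGNATURE_ALERT, MODEL_ONLY_ALERT):
        v = verdict_origin(alert)
        print(f"{alert['file']['path']}: origin={v['origin']} "
              f"signature={v['signature']} score={v['score']} threshold={v['threshold']}")
        for pattern in decode_signature_matches(alert):
            print("  matched bytes:", pattern.decode("ascii", errors="replace"))
    print(exception_covers("C:\\Program Files\\HCL\\Notes\\nnotes.dll", SIGNATURE_ALERT["file"]["path"]))
```

Run against a real hit from logs-endpoint.alerts-*, pass its `_source` in place of the constructed dictionaries; the decoded `matches` bytes show exactly which content the signature fired on.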

Well - is this what you are looking for?

{
  "_index": ".internal.alerts-security.alerts-default-000007",
  "_id": "0cb9ede77f89e142cafe660855444480804f03a449b4c17462dd82275002e863",
  "_version": 1,
  "_score": 0,
  "_source": {
    "kibana.alert.start": "2023-11-11T16:51:02.405Z",
    "kibana.alert.last_detected": "2023-11-11T16:51:02.405Z",
    "kibana.version": "8.10.4",
    "kibana.alert.rule.parameters": {
      "description": "Generates a detection alert each time an Elastic Endpoint Security alert is received. Enabling this rule allows you to immediately begin investigating your Endpoint alerts.",
      "risk_score": 47,
      "severity": "medium",
      "license": "Elastic License v2",
      "rule_name_override": "message",
      "timestamp_override": "event.ingested",
      "author": [
        "Elastic"
      ],
      "false_positives": [],
      "from": "now-10m",
      "rule_id": "9a1a2dae-0b5f-4c3d-8305-a268d404c306",
      "max_signals": 10000,
      "risk_score_mapping": [
        {
          "field": "event.risk_score",
          "operator": "equals",
          "value": ""
        }
      ],
      "severity_mapping": [
        {
          "field": "event.severity",
          "operator": "equals",
          "severity": "low",
          "value": "21"
        },
        {
          "field": "event.severity",
          "operator": "equals",
          "severity": "medium",
          "value": "47"
        },
        {
          "field": "event.severity",
          "operator": "equals",
          "severity": "high",
          "value": "73"
        },
        {
          "field": "event.severity",
          "operator": "equals",
          "severity": "critical",
          "value": "99"
        }
      ],
      "threat": [],
      "to": "now",
      "references": [],
      "version": 101,
      "exceptions_list": [
        {
          "id": "endpoint_list",
          "list_id": "endpoint_list",
          "namespace_type": "agnostic",
          "type": "endpoint"
        },
        {
          "id": "2de2b0e0-5f69-11ee-9b2e-01bfe334e22c",
          "list_id": "a9df891a-c035-4822-8d74-1f79fed9b041",
          "type": "rule_default",
          "namespace_type": "single"
        }
      ],
      "immutable": true,
      "related_integrations": [
        {
          "package": "endpoint",
          "version": "^8.2.0"
        }
      ],
      "required_fields": [
        {
          "ecs": true,
          "name": "event.kind",
          "type": "keyword"
        },
        {
          "ecs": true,
          "name": "event.module",
          "type": "keyword"
        }
      ],
      "setup": "",
      "type": "query",
      "language": "kuery",
      "index": [
        "logs-endpoint.alerts-*"
      ],
      "query": "event.kind:alert and event.module:(endpoint and not endgame)\n"
    },
    "kibana.alert.rule.category": "Custom Query Rule",
    "kibana.alert.rule.consumer": "siem",
    "kibana.alert.rule.execution.uuid": "27c57c10-680d-4839-b24c-c572b42273f8",
    "kibana.alert.rule.name": "Malware Prevention Alert",
    "kibana.alert.rule.producer": "siem",
    "kibana.alert.rule.revision": 102,
    "kibana.alert.rule.rule_type_id": "siem.queryRule",
    "kibana.alert.rule.uuid": "4b974c60-caed-11ed-9d31-81c7b0c1937c",
    "kibana.space_ids": [
      "default"
    ],
    "kibana.alert.rule.tags": [
      "Elastic",
      "Endpoint Security"
    ],
    "@timestamp": "2023-11-11T16:51:02.059Z",
    "agent": {
      "build": {
        "original": "version: 8.10.4, compiled: Wed Oct 11 19:00:00 2023, branch: HEAD, commit: 8442397386468c4ab954a0a34406e209336efa7b"
      },
      "id": "1cdef3fc-1562-4880-a0e7-d7f50fee0d6b",
      "type": "endpoint",
      "version": "8.10.4"
    },
    "process": {
      "Ext": {
        "ancestry": [
          "MWNkZWYzZmMtMTU2Mi00ODgwLWEwZTctZDdmNTBmZWUwZDZiLTIwNzI0LTE2OTk2OTIxMTAuNjg5ODI4NDAw",
          "MWNkZWYzZmMtMTU2Mi00ODgwLWEwZTctZDdmNTBmZWUwZDZiLTgyODAtMTY5OTY5MjExMC41NTk5ODk0MDA=",
          "MWNkZWYzZmMtMTU2Mi00ODgwLWEwZTctZDdmNTBmZWUwZDZiLTEyNTI4LTE2OTk2OTEyMzIuNDk3NDc2NDAw",
          "MWNkZWYzZmMtMTU2Mi00ODgwLWEwZTctZDdmNTBmZWUwZDZiLTEyNDI4LTE2OTk2OTEyMzIuMzgwMDAyNzAw",
          "MWNkZWYzZmMtMTU2Mi00ODgwLWEwZTctZDdmNTBmZWUwZDZiLTE2NjAtMTY5OTY5MTIwNy45NTI4MTQ4MDA="
        ],
        "code_signature": [
          {
            "trusted": true,
            "subject_name": "HCL America Inc.",
            "exists": true,
            "status": "trusted"
          }
        ],
        "protection": "",
        "user": "sanitized",
        "architecture": "x86_64",
        "token": {
          "elevation": true,
          "integrity_level_name": "high",
          "domain": "sanitized",
          "user": "sanitized",
          "elevation_type": "full",
          "sid": "sanitized"
        }
      },
      "parent": {
        "Ext": {
          "code_signature": [
            {
              "trusted": true,
              "subject_name": "HCL America Inc.",
              "exists": true,
              "status": "trusted"
            }
          ],
          "protection": "",
          "user": "sanitized",
          "architecture": "x86_64"
        },
        "start": "2023-11-11T08:41:50.6898284Z",
        "pid": 20724,
        "entity_id": "MWNkZWYzZmMtMTU2Mi00ODgwLWEwZTctZDdmNTBmZWUwZDZiLTIwNzI0LTE2OTk2OTIxMTAuNjg5ODI4NDAw",
        "executable": "C:\\Program Files\\HCL\\Notes\\nlnotes.exe",
        "ppid": 8280,
        "uptime": 29112,
        "args": [
          "NLNOTES.EXE",
          "/authenticate",
          "=C:\\Program Files\\HCL\\Notes\\notes.ini"
        ],
        "code_signature": {
          "trusted": true,
          "subject_name": "HCL America Inc.",
          "exists": true,
          "status": "trusted"
        },
        "name": "nlnotes.exe",
        "args_count": 3,
        "command_line": "NLNOTES.EXE  /authenticate \"=C:\\Program Files\\HCL\\Notes\\notes.ini\"",
        "hash": {
          "sha1": "18744a2becf9a09c7fe144b85c4ea3713c531b6f",
          "sha256": "f081c841225bf644c340653550b6b01c9f3e38db4dd1837293341730388b2b37",
          "md5": "c1d5757a457b7c9f53855d19242a43c5"
        }
      },
      "start": "2023-11-11T16:46:51.4452124Z",
      "pid": 24680,
      "entity_id": "MWNkZWYzZmMtMTU2Mi00ODgwLWEwZTctZDdmNTBmZWUwZDZiLTI0NjgwLTE2OTk3MjEyMTEuNDQ1MjEyNDAw",
      "executable": "C:\\Program Files\\HCL\\Notes\\ndyncfg.exe",
      "uptime": 11,
      "args": [
        "C:\\Program Files\\HCL\\Notes\\ndyncfg.EXE",
        "16",
        ""
      ],
      "code_signature": {
        "trusted": true,
        "subject_name": "HCL America Inc.",
        "exists": true,
        "status": "trusted"
      },
      "pe": {},
      "name": "ndyncfg.exe",
      "args_count": 3,
      "command_line": "\"C:\\Program Files\\HCL\\Notes\\ndyncfg.EXE\" 16 \"\"",
      "hash": {
        "sha1": "b595c7ef71a79423dfa12d8a012fae4e0d867554",
        "sha256": "69e18d622d1c1234b1beeec02f621206ff398c7055cc85b068264d9e0f6c3e9b",
        "md5": "78eb8ad61288617799a2f9f20d71c70c"
      }
    },
    "rule": {
      "name": "Multi.EICAR.Not-a-virus",
      "ruleset": "production",
      "id": "ac8f42d6-52da-46ec-8db1-5a5f69222a38"
    },
    "message": "Malware Prevention Alert",
    "file": {
      "Ext": {
        "temp_file_path": "",
        "malware_signature": {
          "secondary": [],
          "identifier": "production-malware-signature-v1-windows",
          "all_names": "Multi.EICAR.Not-a-virus",
          "version": "1.0.34",
          "primary": {
            "signature": {
              "name": "Multi.EICAR.Not-a-virus",
              "id": "ac8f42d6-52da-46ec-8db1-5a5f69222a38",
              "hash": {
                "sha256": "bb0e0bdf70ec65d98f652e2428e3567013d5413f2725a2905b372fd18da8b9dd"
              }
            },
            "matches": [
              "WDVPIVAlQEFQWzRcUFpYNTQoUF4pN0NDKTd9JEVJQ0FSLVNUQU5EQVJELUFOVElWSVJVUy1URVNULUZJTEUhJEgrSCo="
            ]
          }
        },
        "code_signature": [
          {
            "exists": false
          }
        ],
        "quarantine_path": "",
        "quarantine_message": "Failure to open file",
        "quarantine_result": false,
        "malware_classification": {
          "identifier": "endpointpe-v4-model",
          "score": 1,
          "threshold": 0.58,
          "version": "4.0.37000"
        }
      },
      "owner": "SYSTEM",
      "extension": "dll",
      "drive_letter": "C",
      "created": "2022-11-03T00:35:28.0Z",
      "accessed": "2023-11-11T12:44:46.5606137Z",
      "mtime": "2022-11-03T00:35:28.0Z",
      "directory": "C:\\PROGRAM FILES\\HCL\\NOTES",
      "path": "C:\\PROGRAM FILES\\HCL\\NOTES\\NNOTES.DLL",
      "code_signature": {
        "exists": false
      },
      "size": 41242624,
      "pe": {
        "file_version": "12.0.200.22306",
        "product": "HCL Notes/Domino",
        "description": "HCL Notes/Domino",
        "company": "HCL Technologies Ltd",
        "original_file_name": ""
      },
      "name": "NNOTES.DLL",
      "hash": {
        "sha1": "b37ae7837aed007375f321d37866290aeb608870",
        "sha256": "2aff03ee51a3d81ae0f29a82717cfe5ee54deafb894768b42ccd8161c15ff7b2",
        "md5": "8013828ca8e799891da02585b1962fca"
      }
    },
    "Endpoint": {
      "policy": {
        "applied": {
          "artifacts": {
            "global": {
              "identifiers": [
                {
                  "sha256": "2be4541e338528477b119c2ec50e7abdb638b093591e95c17e1db4132621b39e",
                  "name": "diagnostic-configuration-v1"
                },
                {
                  "sha256": "17d8695f22d3817c426a0e08a477b88ecdb6088bc253dfbccc760224600afcfd",
                  "name": "diagnostic-endpointpe-v4-blocklist"
                },
                {
                  "sha256": "e899eb51199bd145c2f9af25429aebee73790fe33d2f6ceada8d2659554887ba",
                  "name": "diagnostic-endpointpe-v4-exceptionlist"
                },
                {
                  "sha256": "c01842ec8a5f29b3780162b8251da3caa913b1c493877a4ce9a77bce9464ce21",
                  "name": "diagnostic-endpointpe-v4-model"
                },
                {
                  "sha256": "563a9106d2d895302935f8a6545961062c083214a3e5b66aadad1b0145bdba64",
                  "name": "diagnostic-malware-signature-v1-windows"
                },
                {
                  "sha256": "cb611e8d2bdb3a9e87e34fc395f3e5b420ed41c1bd6624cb400e1869dd965f75",
                  "name": "diagnostic-ransomware-v1-windows"
                },
                {
                  "sha256": "7129b458a4d87d63588605f577145fbf808a8f936e49fecfa2c057d16f0c9f60",
                  "name": "diagnostic-rules-windows-v1"
                },
                {
                  "sha256": "f864be0d57a9b43915bc20521c9168cad6984aeca5e3b08a755ea1b9559384d7",
                  "name": "endpointpe-v4-blocklist"
                },
                {
                  "sha256": "0ada9ce7d8dc8aad66dd1fd2ccd828b21b785e01ae8b0723ca099c46c78b18b1",
                  "name": "endpointpe-v4-exceptionlist"
                },
                {
                  "sha256": "1faaa8f819d6b224fd9ffd48fc8fdf0891fb8ec720e9f108439dc616db53dd10",
                  "name": "endpointpe-v4-model"
                },
                {
                  "sha256": "aeb5953de77e2d83388e69705e7f5c7c0cc752a8b9efd075de713bc45d74c911",
                  "name": "global-configuration-v1"
                },
                {
                  "sha256": "6815da3fe249428c5bc6f78eae18878affb173619d45ea1dbb540a0625b32121",
                  "name": "global-eventfilterlist-windows-v1"
                },
                {
                  "sha256": "e42945d9b870c93a827dd6157765d96620943d494b98ea8935a6f66473d270ac",
                  "name": "global-exceptionlist-windows"
                },
                {
                  "sha256": "bb457a407544d2e8156be689eb460e0de93b1d3d1d9f1e431ecf41065a58286f",
                  "name": "global-trustlist-windows-v1"
                },
                {
                  "sha256": "08418b42390837b9aeec5099df4ab63394a7d32118a30922ff57c75c71a55d63",
                  "name": "production-malware-signature-v1-windows"
                },
                {
                  "sha256": "b35d822a94e6e9129c9c736474bac0e95ebde2b11bc33d0c6e0311cd33152218",
                  "name": "production-ransomware-v1-windows"
                },
                {
                  "sha256": "be788888a04e9fe92590d86cfc9b4dd4ca4da29ea75a6259b537edb1136e861b",
                  "name": "production-rules-windows-v1"
                }
              ],
              "version": "1.0.800"
            },
            "user": {
              "identifiers": [
                {
                  "sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
                  "name": "endpoint-blocklist-windows-v1"
                },
                {
                  "sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
                  "name": "endpoint-eventfilterlist-windows-v1"
                },
                {
                  "sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
                  "name": "endpoint-exceptionlist-windows-v1"
                },
                {
                  "sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
                  "name": "endpoint-hostisolationexceptionlist-windows-v1"
                },
                {
                  "sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
                  "name": "endpoint-trustlist-windows-v1"
                }
              ],
              "version": "1.0.2"
            }
          }
        }
      }
    },
    "ecs": {
      "version": "1.11.0"
    },
    "data_stream": {
      "namespace": "default",
      "type": "logs",
      "dataset": "endpoint.alerts"
    },
    "elastic": {
      "agent": {
        "id": "sanitized"
      }
    },
    "host": {
      "hostname": "sanitized",
      "os": {
        "Ext": {
          "variant": "Windows 11 Enterprise"
        },
        "kernel": "23H2 (10.0.22631.2506)",
        "name": "Windows",
        "family": "windows",
        "type": "windows",
        "version": "23H2 (10.0.22631.2506)",
        "platform": "windows",
        "full": "Windows 11 Enterprise 23H2 (10.0.22631.2506)"
      },
      "ip": [
        "192.168.0.89",
        "fd77:ade4:e825:0:62c6:f4f2:e781:6be2",
        "fd77:ade4:e825:0:bbdf:7d76:2a98:387e",
        "fd77:ade4:e825:0:e167:ccfd:c963:4d61",
        "fe80::64bd:5247:7486:1fa",
        "169.254.172.144",
        "fe80::e703:f3ea:355f:a986",
        "127.0.0.1",
        "::1",
        "172.26.160.1",
        "fe80::926e:7ead:d658:2068",
        "172.17.160.1",
        "fe80::49a3:5cb3:c5b0:e9",
        "172.29.16.1",
        "fe80::5890:a2d9:115f:fd4"
      ],
      "name": "sanitized",
      "id": "826188d2-e4f6-4025-9514-686022babc2d",
      "mac": [
        "3c-52-82-77-12-96",
        "f4-4e-fc-a3-13-89",
        "00-15-5d-a5-4b-30",
        "00-15-5d-83-f0-31",
        "00-15-5d-cd-f9-f4"
      ],
      "architecture": "x86_64"
    },
    "user": {
      "domain": "sanitized",
      "name": "sanitized"
    },
    "event.severity": 73,
    "event.code": "malicious_file",
    "event.risk_score": 73,
    "event.created": "2023-11-11T16:47:02.7003923Z",
    "event.kind": "signal",
    "event.module": "endpoint",
    "event.type": [
      "info",
      "start",
      "denied"
    ],
    "event.agent_id_status": "verified",
    "event.sequence": 299077,
    "event.ingested": "2023-11-11T16:47:07Z",
    "event.action": "load",
    "event.id": "NIwuns2CFY7KnSHf++++2gul",
    "event.category": [
      "malware",
      "intrusion_detection",
      "library"
    ],
    "event.dataset": "endpoint.alerts",
    "event.outcome": "success",
    "kibana.alert.original_time": "2023-11-11T16:47:02.700Z",
    "kibana.alert.ancestors": [
      {
        "id": "Yk5Hv4sBCfe7LkV2qyLr",
        "type": "event",
        "index": ".ds-logs-endpoint.alerts-default-2023.11.10-000007",
        "depth": 0
      }
    ],
    "kibana.alert.status": "active",
    "kibana.alert.workflow_status": "open",
    "kibana.alert.depth": 1,
    "kibana.alert.reason": "malware, intrusion_detection, library event with process ndyncfg.exe, parent process nlnotes.exe, file NNOTES.DLL, by sanitized on sanitized created high alert Malware Prevention Alert.",
    "kibana.alert.severity": "high",
    "kibana.alert.risk_score": 73,
    "kibana.alert.rule.actions": [],
    "kibana.alert.rule.author": [
      "Elastic"
    ],
    "kibana.alert.rule.created_at": "2023-03-25T09:13:25.949Z",
    "kibana.alert.rule.created_by": "elastic",
    "kibana.alert.rule.description": "Generates a detection alert each time an Elastic Endpoint Security alert is received. Enabling this rule allows you to immediately begin investigating your Endpoint alerts.",
    "kibana.alert.rule.enabled": true,
    "kibana.alert.rule.exceptions_list": [
      {
        "id": "endpoint_list",
        "list_id": "endpoint_list",
        "namespace_type": "agnostic",
        "type": "endpoint"
      },
      {
        "id": "2de2b0e0-5f69-11ee-9b2e-01bfe334e22c",
        "list_id": "a9df891a-c035-4822-8d74-1f79fed9b041",
        "type": "rule_default",
        "namespace_type": "single"
      }
    ],
    "kibana.alert.rule.false_positives": [],
    "kibana.alert.rule.from": "now-10m",
    "kibana.alert.rule.immutable": true,
    "kibana.alert.rule.interval": "5m",
    "kibana.alert.rule.indices": [
      "logs-endpoint.alerts-*"
    ],
    "kibana.alert.rule.license": "Elastic License v2",
    "kibana.alert.rule.max_signals": 10000,
    "kibana.alert.rule.references": [],
    "kibana.alert.rule.risk_score_mapping": [
      {
        "field": "event.risk_score",
        "operator": "equals",
        "value": ""
      }
    ],
    "kibana.alert.rule.rule_id": "9a1a2dae-0b5f-4c3d-8305-a268d404c306",
    "kibana.alert.rule.rule_name_override": "message",
    "kibana.alert.rule.severity_mapping": [
      {
        "field": "event.severity",
        "operator": "equals",
        "severity": "low",
        "value": "21"
      },
      {
        "field": "event.severity",
        "operator": "equals",
        "severity": "medium",
        "value": "47"
      },
      {
        "field": "event.severity",
        "operator": "equals",
        "severity": "high",
        "value": "73"
      },
      {
        "field": "event.severity",
        "operator": "equals",
        "severity": "critical",
        "value": "99"
      }
    ],
    "kibana.alert.rule.threat": [],
    "kibana.alert.rule.timestamp_override": "event.ingested",
    "kibana.alert.rule.to": "now",
    "kibana.alert.rule.type": "query",
    "kibana.alert.rule.updated_at": "2023-09-30T08:13:05.346Z",
    "kibana.alert.rule.updated_by": "elastic",
    "kibana.alert.rule.version": 101,
    "kibana.alert.url": "https://kali-purple.sanitized.local:5601/app/security/alerts/redirect/0cb9ede77f89e142cafe660855444480804f03a449b4c17462dd82275002e863?index=.alerts-security.alerts-default&timestamp=2023-11-11T16:51:02.059Z",
    "kibana.alert.uuid": "0cb9ede77f89e142cafe660855444480804f03a449b4c17462dd82275002e863",
    "kibana.alert.workflow_tags": [],
    "kibana.alert.rule.risk_score": 47,
    "kibana.alert.rule.severity": "medium",
    "kibana.alert.original_event.severity": 73,
    "kibana.alert.original_event.code": "malicious_file",
    "kibana.alert.original_event.risk_score": 73,
    "kibana.alert.original_event.created": "2023-11-11T16:47:02.7003923Z",
    "kibana.alert.original_event.kind": "alert",
    "kibana.alert.original_event.module": "endpoint",
    "kibana.alert.original_event.type": [
      "info",
      "start",
      "denied"
    ],
    "kibana.alert.original_event.agent_id_status": "verified",
    "kibana.alert.original_event.sequence": 299077,
    "kibana.alert.original_event.ingested": "2023-11-11T16:47:07Z",
    "kibana.alert.original_event.action": "load",
    "kibana.alert.original_event.id": "NIwuns2CFY7KnSHf++++2gul",
    "kibana.alert.original_event.category": [
      "malware",
      "intrusion_detection",
      "library"
    ],
    "kibana.alert.original_event.dataset": "endpoint.alerts",
    "kibana.alert.original_event.outcome": "success"
  },
  "fields": {
    "process.hash.md5": [
      "78eb8ad61288617799a2f9f20d71c70c"
    ],
    "host.os.full.text": [
      "Windows 11 Enterprise 23H2 (10.0.22631.2506)"
    ],
    "kibana.alert.rule.updated_by": [
      "elastic"
    ],
    "host.os.name.text": [
      "Windows"
    ],
    "kibana.alert.rule.rule_name_override": [
      "message"
    ],
    "process.hash.sha256": [
      "69e18d622d1c1234b1beeec02f621206ff398c7055cc85b068264d9e0f6c3e9b"
    ],
    "host.hostname": [
      "sanitized"
    ],
    "signal.original_event.created": [
      "2023-11-11T16:47:02.700Z"
    ],
    "host.mac": [
      "3c-52-82-77-12-96",
      "f4-4e-fc-a3-13-89",
      "00-15-5d-a5-4b-30",
      "00-15-5d-83-f0-31",
      "00-15-5d-cd-f9-f4"
    ],
    "elastic.agent.id": [
      "sanitized"
    ],
    "signal.rule.enabled": [
      "true"
    ],
    "file.Ext.malware_classification.version": [
      "4.0.37000"
    ],
    "host.os.version": [
      "23H2 (10.0.22631.2506)"
    ],
    "signal.rule.max_signals": [
      10000
    ],
    "file.mtime": [
      "2022-11-03T00:35:28.000Z"
    ],
    "kibana.alert.risk_score": [
      73
    ],
    "signal.rule.updated_at": [
      "2023-09-30T08:13:05.346Z"
    ],
    "kibana.alert.original_event.id": [
      "NIwuns2CFY7KnSHf++++2gul"
    ],
    "event.severity": [
      73
    ],
    "file.pe.company": [
      "HCL Technologies Ltd"
    ],
    "file.path.text": [
      "C:\\PROGRAM FILES\\HCL\\NOTES\\NNOTES.DLL"
    ],
    "file.created": [
      "2022-11-03T00:35:28.000Z"
    ],
    "host.os.type": [
      "windows"
    ],
    "process.Ext.architecture": [
      "x86_64"
    ],
    "signal.original_event.code": [
      "malicious_file"
    ],
    "kibana.alert.original_event.module": [
      "endpoint"
    ],
    "kibana.alert.rule.interval": [
      "5m"
    ],
    "kibana.alert.rule.type": [
      "query"
    ],
    "kibana.alert.rule.immutable": [
      "true"
    ],
    "kibana.alert.rule.exceptions_list.list_id": [
      "endpoint_list",
      "a9df891a-c035-4822-8d74-1f79fed9b041"
    ],
    "file.owner": [
      "SYSTEM"
    ],
    "kibana.alert.rule.version": [
      "101"
    ],
    "file.Ext.malware_classification.threshold": [
      0.58
    ],
    "process.command_line.text": [
      "\"C:\\Program Files\\HCL\\Notes\\ndyncfg.EXE\" 16 \"\""
    ],
    "file.Ext.malware_signature.primary.matches": [
      "WDVPIVAlQEFQWzRcUFpYNTQoUF4pN0NDKTd9JEVJQ0FSLVNUQU5EQVJELUFOVElWSVJVUy1URVNULUZJTEUhJEgrSCo="
    ],
    "file.hash.md5": [
      "8013828ca8e799891da02585b1962fca"
    ],
    "signal.original_event.outcome": [
      "success"
    ],
    "file.Ext.malware_classification.identifier": [
      "endpointpe-v4-model"
    ],
    "process.entity_id": [
      "MWNkZWYzZmMtMTU2Mi00ODgwLWEwZTctZDdmNTBmZWUwZDZiLTI0NjgwLTE2OTk3MjEyMTEuNDQ1MjEyNDAw"
    ],
    "process.parent.code_signature.status": [
      "trusted"
    ],
    "host.ip": [
      "192.168.0.89",
      "fd77:ade4:e825:0:62c6:f4f2:e781:6be2",
      "fd77:ade4:e825:0:bbdf:7d76:2a98:387e",
      "fd77:ade4:e825:0:e167:ccfd:c963:4d61",
      "fe80::64bd:5247:7486:1fa",
      "169.254.172.144",
      "fe80::e703:f3ea:355f:a986",
      "127.0.0.1",
      "::1",
      "172.26.160.1",
      "fe80::926e:7ead:d658:2068",
      "172.17.160.1",
      "fe80::49a3:5cb3:c5b0:e9",
      "172.29.16.1",
      "fe80::5890:a2d9:115f:fd4"
    ],
    "agent.type": [
      "endpoint"
    ],
    "process.executable.text": [
      "C:\\Program Files\\HCL\\Notes\\ndyncfg.exe"
    ],
    "signal.original_event.category": [
      "malware",
      "intrusion_detection",
      "library"
    ],
    "file.pe.product": [
      "HCL Notes/Domino"
    ],
    "host.id": [
      "826188d2-e4f6-4025-9514-686022babc2d"
    ],
    "process.parent.hash.sha256": [
      "f081c841225bf644c340653550b6b01c9f3e38db4dd1837293341730388b2b37"
    ],
    "process.Ext.code_signature.subject_name": [
      "HCL America Inc."
    ],
    "file.Ext.malware_signature.all_names": [
      "Multi.EICAR.Not-a-virus"
    ],
    "kibana.alert.rule.indices": [
      "logs-endpoint.alerts-*"
    ],
    "host.os.Ext.variant": [
      "Windows 11 Enterprise"
    ],
    "signal.rule.updated_by": [
      "elastic"
    ],
    "host.os.platform": [
      "windows"
    ],
    "kibana.alert.rule.severity": [
      "medium"
    ],
    "Endpoint.policy.applied.artifacts.user.identifiers.sha256": [
      "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
      "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
      "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
      "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
      "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658"
    ],
    "file.Ext.malware_signature.identifier": [
      "production-malware-signature-v1-windows"
    ],
    "kibana.version": [
      "8.10.4"
    ],
    "event.id": [
      "NIwuns2CFY7KnSHf++++2gul"
    ],
    "signal.ancestors.type": [
      "event"
    ],
    "user.name.text": [
      "sanitized"
    ],
    "kibana.alert.ancestors.id": [
      "Yk5Hv4sBCfe7LkV2qyLr"
    ],
    "process.name.text": [
      "ndyncfg.exe"
    ],
    "host.os.full": [
      "Windows 11 Enterprise 23H2 (10.0.22631.2506)"
    ],
    "process.parent.Ext.code_signature.trusted": [
      true
    ],
    "kibana.alert.original_event.code": [
      "malicious_file"
    ],
    "Endpoint.policy.applied.artifacts.global.identifiers.name": [
      "diagnostic-configuration-v1",
      "diagnostic-endpointpe-v4-blocklist",
      "diagnostic-endpointpe-v4-exceptionlist",
      "diagnostic-endpointpe-v4-model",
      "diagnostic-malware-signature-v1-windows",
      "diagnostic-ransomware-v1-windows",
      "diagnostic-rules-windows-v1",
      "endpointpe-v4-blocklist",
      "endpointpe-v4-exceptionlist",
      "endpointpe-v4-model",
      "global-configuration-v1",
      "global-eventfilterlist-windows-v1",
      "global-exceptionlist-windows",
      "global-trustlist-windows-v1",
      "production-malware-signature-v1-windows",
      "production-ransomware-v1-windows",
      "production-rules-windows-v1"
    ],
    "kibana.alert.rule.description": [
      "Generates a detection alert each time an Elastic Endpoint Security alert is received. Enabling this rule allows you to immediately begin investigating your Endpoint alerts."
    ],
    "kibana.alert.rule.producer": [
      "siem"
    ],
    "kibana.alert.rule.to": [
      "now"
    ],
    "Endpoint.policy.applied.artifacts.user.version": [
      "1.0.2"
    ],
    "kibana.alert.original_event.ingested": [
      "2023-11-11T16:47:07.000Z"
    ],
    "signal.rule.id": [
      "4b974c60-caed-11ed-9d31-81c7b0c1937c"
    ],
    "rule.ruleset": [
      "production"
    ],
    "signal.reason": [
      "malware, intrusion_detection, library event with process ndyncfg.exe, parent process nlnotes.exe, file NNOTES.DLL, by sanitized on sanitized created high alert Malware Prevention Alert."
    ],
    "signal.rule.risk_score": [
      73
    ],
    "host.os.name": [
      "Windows"
    ],
    "process.parent.Ext.code_signature.exists": [
      true
    ],
    "signal.status": [
      "open"
    ],
    "kibana.alert.rule.severity_mapping.value": [
      "21",
      "47",
      "73",
      "99"
    ],
    "signal.rule.tags": [
      "Elastic",
      "Endpoint Security"
    ],
    "file.Ext.code_signature.exists": [
      false
    ],
    "rule.name": [
      "Multi.EICAR.Not-a-virus"
    ],
    "kibana.alert.rule.uuid": [
      "4b974c60-caed-11ed-9d31-81c7b0c1937c"
    ],
    "kibana.alert.original_event.category": [
      "malware",
      "intrusion_detection",
      "library"
    ],
    "signal.original_event.risk_score": [
      73
    ],
    "process.name": [
      "ndyncfg.exe"
    ],
    "process.parent.executable.text": [
      "C:\\Program Files\\HCL\\Notes\\nlnotes.exe"
    ],
    "kibana.alert.ancestors.index": [
      ".ds-logs-endpoint.alerts-default-2023.11.10-000007"
    ],
    "process.Ext.code_signature.trusted": [
      true
    ],
    "agent.version": [
      "8.10.4"
    ],
    "signal.original_event.severity": [
      73
    ],
    "kibana.alert.rule.risk_score_mapping.operator": [
      "equals"
    ],
    "host.os.family": [
      "windows"
    ],
    "kibana.alert.rule.from": [
      "now-10m"
    ],
    "kibana.alert.rule.parameters": [
      {
        "description": "Generates a detection alert each time an Elastic Endpoint Security alert is received. Enabling this rule allows you to immediately begin investigating your Endpoint alerts.",
        "risk_score": 47,
        "severity": "medium",
        "license": "Elastic License v2",
        "rule_name_override": "message",
        "timestamp_override": "event.ingested",
        "author": [
          "Elastic"
        ],
        "false_positives": [],
        "from": "now-10m",
        "rule_id": "9a1a2dae-0b5f-4c3d-8305-a268d404c306",
        "max_signals": 10000,
        "risk_score_mapping": [
          {
            "field": "event.risk_score",
            "operator": "equals",
            "value": ""
          }
        ],
        "severity_mapping": [
          {
            "field": "event.severity",
            "operator": "equals",
            "severity": "low",
            "value": "21"
          },
          {
            "field": "event.severity",
            "operator": "equals",
            "severity": "medium",
            "value": "47"
          },
          {
            "field": "event.severity",
            "operator": "equals",
            "severity": "high",
            "value": "73"
          },
          {
            "field": "event.severity",
            "operator": "equals",
            "severity": "critical",
            "value": "99"
          }
        ],
        "threat": [],
        "to": "now",
        "references": [],
        "version": 101,
        "exceptions_list": [
          {
            "id": "endpoint_list",
            "list_id": "endpoint_list",
            "namespace_type": "agnostic",
            "type": "endpoint"
          },
          {
            "id": "2de2b0e0-5f69-11ee-9b2e-01bfe334e22c",
            "list_id": "a9df891a-c035-4822-8d74-1f79fed9b041",
            "type": "rule_default",
            "namespace_type": "single"
          }
        ],
        "immutable": true,
        "related_integrations": [
          {
            "package": "endpoint",
            "version": "^8.2.0"
          }
        ],
        "required_fields": [
          {
            "ecs": true,
            "name": "event.kind",
            "type": "keyword"
          },
          {
            "ecs": true,
            "name": "event.module",
            "type": "keyword"
          }
        ],
        "setup": "",
        "type": "query",
        "language": "kuery",
        "index": [
          "logs-endpoint.alerts-*"
        ],
        "query": "event.kind:alert and event.module:(endpoint and not endgame)\n"
      }
    ],
    "signal.original_event.kind": [
      "alert"
    ],
    "file.Ext.quarantine_result": [
      false
    ],
    "signal.depth": [
      1
    ],
    "signal.rule.immutable": [
      "true"
    ],
    "process.parent.name.text": [
      "nlnotes.exe"
    ],
    "event.sequence": [
      299077
    ],
    "signal.rule.name": [
      "Malware Prevention Alert"
    ],
    "file.Ext.malware_signature.version": [
      "1.0.34"
    ],
    "event.module": [
      "endpoint"
    ],
    "kibana.alert.rule.severity_mapping.operator": [
      "equals",
      "equals",
      "equals",
      "equals"
    ],
    "host.os.kernel": [
      "23H2 (10.0.22631.2506)"
    ],
    "process.parent.Ext.user": [
      "sanitized"
    ],
    "file.accessed": [
      "2023-11-11T12:44:46.560Z"
    ],
    "kibana.alert.rule.license": [
      "Elastic License v2"
    ],
    "kibana.alert.original_event.kind": [
      "alert"
    ],
    "process.parent.command_line.text": [
      "NLNOTES.EXE  /authenticate \"=C:\\Program Files\\HCL\\Notes\\notes.ini\""
    ],
    "signal.rule.description": [
      "Generates a detection alert each time an Elastic Endpoint Security alert is received. Enabling this rule allows you to immediately begin investigating your Endpoint alerts."
    ],
    "process.Ext.token.elevation_type": [
      "full"
    ],
    "process.args": [
      "C:\\Program Files\\HCL\\Notes\\ndyncfg.EXE",
      "16",
      ""
    ],
    "process.parent.uptime": [
      29112
    ],
    "file.Ext.malware_signature.primary.signature.hash.sha256": [
      "bb0e0bdf70ec65d98f652e2428e3567013d5413f2725a2905b372fd18da8b9dd"
    ],
    "message": [
      "Malware Prevention Alert"
    ],
    "process.parent.hash.sha1": [
      "18744a2becf9a09c7fe144b85c4ea3713c531b6f"
    ],
    "file.drive_letter": [
      "C"
    ],
    "kibana.alert.original_event.outcome": [
      "success"
    ],
    "kibana.alert.original_event.sequence": [
      299077
    ],
    "process.Ext.user": [
      "sanitized"
    ],
    "file.Ext.malware_classification.score": [
      1
    ],
    "kibana.alert.rule.exceptions_list.namespace_type": [
      "agnostic",
      "single"
    ],
    "kibana.space_ids": [
      "default"
    ],
    "kibana.alert.severity": [
      "high"
    ],
    "rule.id": [
      "ac8f42d6-52da-46ec-8db1-5a5f69222a38"
    ],
    "file.Ext.quarantine_message": [
      "Failure to open file"
    ],
    "file.pe.description": [
      "HCL Notes/Domino"
    ],
    "signal.ancestors.depth": [
      0
    ],
    "event.category": [
      "malware",
      "intrusion_detection",
      "library"
    ],
    "Endpoint.policy.applied.artifacts.global.identifiers.sha256": [
      "2be4541e338528477b119c2ec50e7abdb638b093591e95c17e1db4132621b39e",
      "17d8695f22d3817c426a0e08a477b88ecdb6088bc253dfbccc760224600afcfd",
      "e899eb51199bd145c2f9af25429aebee73790fe33d2f6ceada8d2659554887ba",
      "c01842ec8a5f29b3780162b8251da3caa913b1c493877a4ce9a77bce9464ce21",
      "563a9106d2d895302935f8a6545961062c083214a3e5b66aadad1b0145bdba64",
      "cb611e8d2bdb3a9e87e34fc395f3e5b420ed41c1bd6624cb400e1869dd965f75",
      "7129b458a4d87d63588605f577145fbf808a8f936e49fecfa2c057d16f0c9f60",
      "f864be0d57a9b43915bc20521c9168cad6984aeca5e3b08a755ea1b9559384d7",
      "0ada9ce7d8dc8aad66dd1fd2ccd828b21b785e01ae8b0723ca099c46c78b18b1",
      "1faaa8f819d6b224fd9ffd48fc8fdf0891fb8ec720e9f108439dc616db53dd10",
      "aeb5953de77e2d83388e69705e7f5c7c0cc752a8b9efd075de713bc45d74c911",
      "6815da3fe249428c5bc6f78eae18878affb173619d45ea1dbb540a0625b32121",
      "e42945d9b870c93a827dd6157765d96620943d494b98ea8935a6f66473d270ac",
      "bb457a407544d2e8156be689eb460e0de93b1d3d1d9f1e431ecf41065a58286f",
      "08418b42390837b9aeec5099df4ab63394a7d32118a30922ff57c75c71a55d63",
      "b35d822a94e6e9129c9c736474bac0e95ebde2b11bc33d0c6e0311cd33152218",
      "be788888a04e9fe92590d86cfc9b4dd4ca4da29ea75a6259b537edb1136e861b"
    ],
    "process.parent.command_line": [
      "NLNOTES.EXE  /authenticate \"=C:\\Program Files\\HCL\\Notes\\notes.ini\""
    ],
    "process.parent.name": [
      "nlnotes.exe"
    ],
    "process.parent.pid": [
      20724
    ],
    "kibana.alert.original_event.risk_score": [
      73
    ],
    "kibana.alert.rule.tags": [
      "Elastic",
      "Endpoint Security"
    ],
    "process.code_signature.exists": [
      true
    ],
    "kibana.alert.ancestors.depth": [
      0
    ],
    "kibana.alert.rule.severity_mapping.severity": [
      "low",
      "medium",
      "high",
      "critical"
    ],
    "agent.build.original": [
      "version: 8.10.4, compiled: Wed Oct 11 19:00:00 2023, branch: HEAD, commit: 8442397386468c4ab954a0a34406e209336efa7b"
    ],
    "event.agent_id_status": [
      "verified"
    ],
    "event.outcome": [
      "success"
    ],
    "process.parent.Ext.code_signature.subject_name": [
      "HCL America Inc."
    ],
    "kibana.alert.rule.risk_score_mapping.value": [
      ""
    ],
    "file.Ext.temp_file_path": [
      ""
    ],
    "process.Ext.ancestry": [
      "MWNkZWYzZmMtMTU2Mi00ODgwLWEwZTctZDdmNTBmZWUwZDZiLTIwNzI0LTE2OTk2OTIxMTAuNjg5ODI4NDAw",
      "MWNkZWYzZmMtMTU2Mi00ODgwLWEwZTctZDdmNTBmZWUwZDZiLTgyODAtMTY5OTY5MjExMC41NTk5ODk0MDA=",
      "MWNkZWYzZmMtMTU2Mi00ODgwLWEwZTctZDdmNTBmZWUwZDZiLTEyNTI4LTE2OTk2OTEyMzIuNDk3NDc2NDAw",
      "MWNkZWYzZmMtMTU2Mi00ODgwLWEwZTctZDdmNTBmZWUwZDZiLTEyNDI4LTE2OTk2OTEyMzIuMzgwMDAyNzAw",
      "MWNkZWYzZmMtMTU2Mi00ODgwLWEwZTctZDdmNTBmZWUwZDZiLTE2NjAtMTY5OTY5MTIwNy45NTI4MTQ4MDA="
    ],
    "process.parent.start": [
      "2023-11-11T08:41:50.689Z"
    ],
    "signal.original_event.sequence": [
      299077
    ],
    "file.Ext.malware_signature.primary.signature.name": [
      "Multi.EICAR.Not-a-virus"
    ],
    "event.risk_score": [
      73
    ],
    "host.architecture": [
      "x86_64"
    ],
    "kibana.alert.start": [
      "2023-11-11T16:51:02.405Z"
    ],
    "process.Ext.code_signature.status": [
      "trusted"
    ],
    "event.code": [
      "malicious_file"
    ],
    "kibana.alert.original_event.type": [
      "info",
      "start",
      "denied"
    ],
    "agent.id": [
      "sanitized"
    ],
    "signal.original_event.module": [
      "endpoint"
    ],
    "process.parent.code_signature.trusted": [
      true
    ],
    "signal.rule.from": [
      "now-10m"
    ],
    "kibana.alert.rule.exceptions_list.type": [
      "endpoint",
      "rule_default"
    ],
    "process.Ext.token.domain": [
      "sanitized"
    ],
    "kibana.alert.rule.enabled": [
      "true"
    ],
    "kibana.alert.ancestors.type": [
      "event"
    ],
    "signal.ancestors.index": [
      ".ds-logs-endpoint.alerts-default-2023.11.10-000007"
    ],
    "user.name": [
      "sanitized"
    ],
    "Endpoint.policy.applied.artifacts.global.version": [
      "1.0.800"
    ],
    "signal.original_event.id": [
      "NIwuns2CFY7KnSHf++++2gul"
    ],
    "file.hash.sha256": [
      "2aff03ee51a3d81ae0f29a82717cfe5ee54deafb894768b42ccd8161c15ff7b2"
    ],
    "process.uptime": [
      11
    ],
    "user.domain": [
      "sanitized"
    ],
    "process.parent.Ext.architecture": [
      "x86_64"
    ],
    "process.Ext.token.integrity_level_name": [
      "high"
    ],
    "signal.original_event.type": [
      "info",
      "start",
      "denied"
    ],
    "file.directory": [
      "C:\\PROGRAM FILES\\HCL\\NOTES"
    ],
    "process.parent.hash.md5": [
      "c1d5757a457b7c9f53855d19242a43c5"
    ],
    "kibana.alert.rule.max_signals": [
      10000
    ],
    "signal.rule.author": [
      "Elastic"
    ],
    "kibana.alert.rule.risk_score": [
      47
    ],
    "file.name": [
      "NNOTES.DLL"
    ],
    "process.Ext.token.sid": [
      "S-1-5-21-2879460198-942447916-2540470768-1156"
    ],
    "process.code_signature.status": [
      "trusted"
    ],
    "signal.original_event.dataset": [
      "endpoint.alerts"
    ],
    "kibana.alert.rule.consumer": [
      "siem"
    ],
    "kibana.alert.rule.category": [
      "Custom Query Rule"
    ],
    "event.action": [
      "load"
    ],
    "event.ingested": [
      "2023-11-11T16:47:07.000Z"
    ],
    "@timestamp": [
      "2023-11-11T16:51:02.059Z"
    ],
    "kibana.alert.original_event.action": [
      "load"
    ],
    "kibana.alert.original_event.agent_id_status": [
      "verified"
    ],
    "data_stream.dataset": [
      "endpoint.alerts"
    ],
    "signal.rule.timestamp_override": [
      "event.ingested"
    ],
    "kibana.alert.rule.execution.uuid": [
      "27c57c10-680d-4839-b24c-c572b42273f8"
    ],
    "kibana.alert.uuid": [
      "0cb9ede77f89e142cafe660855444480804f03a449b4c17462dd82275002e863"
    ],
    "process.hash.sha1": [
      "b595c7ef71a79423dfa12d8a012fae4e0d867554"
    ],
    "Endpoint.policy.applied.artifacts.user.identifiers.name": [
      "endpoint-blocklist-windows-v1",
      "endpoint-eventfilterlist-windows-v1",
      "endpoint-exceptionlist-windows-v1",
      "endpoint-hostisolationexceptionlist-windows-v1",
      "endpoint-trustlist-windows-v1"
    ],
    "signal.rule.license": [
      "Elastic License v2"
    ],
    "kibana.alert.rule.rule_id": [
      "9a1a2dae-0b5f-4c3d-8305-a268d404c306"
    ],
    "file.path": [
      "C:\\PROGRAM FILES\\HCL\\NOTES\\NNOTES.DLL"
    ],
    "signal.rule.type": [
      "query"
    ],
    "signal.rule.rule_name_override": [
      "message"
    ],
    "kibana.alert.url": [
      "https://kali-purple.sanitized.local:5601/app/security/alerts/redirect/0cb9ede77f89e142cafe660855444480804f03a449b4c17462dd82275002e863?index=.alerts-security.alerts-default&timestamp=2023-11-11T16:51:02.059Z"
    ],
    "kibana.alert.rule.risk_score_mapping.field": [
      "event.risk_score"
    ],
    "process.pid": [
      24680
    ],
    "signal.rule.created_by": [
      "elastic"
    ],
    "signal.rule.interval": [
      "5m"
    ],
    "kibana.alert.rule.created_by": [
      "elastic"
    ],
    "kibana.alert.rule.timestamp_override": [
      "event.ingested"
    ],
    "process.code_signature.subject_name": [
      "HCL America Inc."
    ],
    "process.parent.entity_id": [
      "MWNkZWYzZmMtMTU2Mi00ODgwLWEwZTctZDdmNTBmZWUwZDZiLTIwNzI0LTE2OTk2OTIxMTAuNjg5ODI4NDAw"
    ],
    "kibana.alert.rule.name": [
      "Malware Prevention Alert"
    ],
    "process.parent.Ext.code_signature.status": [
      "trusted"
    ],
    "host.name": [
      "sanitized"
    ],
    "event.kind": [
      "signal"
    ],
    "process.Ext.protection": [
      ""
    ],
    "process.code_signature.trusted": [
      true
    ],
    "signal.rule.created_at": [
      "2023-03-25T09:13:25.949Z"
    ],
    "kibana.alert.workflow_status": [
      "open"
    ],
    "kibana.alert.original_event.created": [
      "2023-11-11T16:47:02.700Z"
    ],
    "kibana.alert.reason": [
      "malware, intrusion_detection, library event with process ndyncfg.exe, parent process nlnotes.exe, file NNOTES.DLL, by sanitized on sanitized created high alert Malware Prevention Alert."
    ],
    "process.parent.args_count": [
      3
    ],
    "data_stream.type": [
      "logs"
    ],
    "process.Ext.token.user": [
      "sanitized"
    ],
    "signal.ancestors.id": [
      "Yk5Hv4sBCfe7LkV2qyLr"
    ],
    "signal.original_time": [
      "2023-11-11T16:47:02.700Z"
    ],
    "ecs.version": [
      "1.11.0"
    ],
    "signal.rule.severity": [
      "high"
    ],
    "file.Ext.malware_signature.primary.signature.id": [
      "ac8f42d6-52da-46ec-8db1-5a5f69222a38"
    ],
    "event.created": [
      "2023-11-11T16:47:02.700Z"
    ],
    "file.extension": [
      "dll"
    ],
    "kibana.alert.depth": [
      1
    ],
    "process.parent.ppid": [
      8280
    ],
    "file.Ext.quarantine_path": [
      ""
    ],
    "process.parent.Ext.protection": [
      ""
    ],
    "file.pe.file_version": [
      "12.0.200.22306"
    ],
    "kibana.alert.rule.revision": [
      102
    ],
    "process.start": [
      "2023-11-11T16:46:51.445Z"
    ],
    "signal.rule.version": [
      "101"
    ],
    "file.pe.original_file_name": [
      ""
    ],
    "kibana.alert.status": [
      "active"
    ],
    "kibana.alert.last_detected": [
      "2023-11-11T16:51:02.405Z"
    ],
    "kibana.alert.rule.severity_mapping.field": [
      "event.severity",
      "event.severity",
      "event.severity",
      "event.severity"
    ],
    "kibana.alert.original_event.dataset": [
      "endpoint.alerts"
    ],
    "process.parent.code_signature.exists": [
      true
    ],
    "file.hash.sha1": [
      "b37ae7837aed007375f321d37866290aeb608870"
    ],
    "kibana.alert.rule.rule_type_id": [
      "siem.queryRule"
    ],
    "signal.rule.rule_id": [
      "9a1a2dae-0b5f-4c3d-8305-a268d404c306"
    ],
    "process.executable": [
      "C:\\Program Files\\HCL\\Notes\\ndyncfg.exe"
    ],
    "kibana.alert.original_event.severity": [
      73
    ],
    "process.parent.code_signature.subject_name": [
      "HCL America Inc."
    ],
    "process.parent.executable": [
      "C:\\Program Files\\HCL\\Notes\\nlnotes.exe"
    ],
    "process.args_count": [
      3
    ],
    "kibana.alert.rule.updated_at": [
      "2023-09-30T08:13:05.346Z"
    ],
    "process.Ext.token.elevation": [
      true
    ],
    "data_stream.namespace": [
      "default"
    ],
    "kibana.alert.rule.author": [
      "Elastic"
    ],
    "file.size": [
      41242624
    ],
    "process.Ext.code_signature.exists": [
      true
    ],
    "process.parent.args": [
      "NLNOTES.EXE",
      "/authenticate",
      "=C:\\Program Files\\HCL\\Notes\\notes.ini"
    ],
    "signal.original_event.action": [
      "load"
    ],
    "kibana.alert.rule.created_at": [
      "2023-03-25T09:13:25.949Z"
    ],
    "signal.rule.to": [
      "now"
    ],
    "file.code_signature.exists": [
      false
    ],
    "event.type": [
      "info",
      "start",
      "denied"
    ],
    "process.command_line": [
      "\"C:\\Program Files\\HCL\\Notes\\ndyncfg.EXE\" 16 \"\""
    ],
    "kibana.alert.rule.exceptions_list.id": [
      "endpoint_list",
      "2de2b0e0-5f69-11ee-9b2e-01bfe334e22c"
    ],
    "event.dataset": [
      "endpoint.alerts"
    ],
    "kibana.alert.original_time": [
      "2023-11-11T16:47:02.700Z"
    ]
  }
}

Yeah that works. Thanks.

That alert shows the Multi.EICAR.Not-a-virus signature is matching. That signature detects EICAR (https://www.eicar.org/download-anti-malware-testfile/), a standard testing file used by Antimalware software (like Endpoint) to enable developers and users to verify that malware detection works without requiring any actually malicious software. It seems that HCL Notes has a copy of EICAR in its executable which is why you're getting alerts. Creating an alert exception for this signature matching on Notes is a good solution to your problem.

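To make the explanation above concrete, here is an added example (not code from this thread, from Elastic, or from HCL): it locates an embedded EICAR test pattern inside a constructed stand-in for a large binary, checks the well-known SHA-1 of the bare EICAR file, and then evaluates a simplified model of an Endpoint exception item against the alert fields posted in the thread. The exception model (a list of field/operator/value entries that must all match, with "match" and "wildcard" operators compared case-insensitively) is an assumption for illustration, not Elastic's implementation; the updated alert with a new hash and version is constructed to show why scoping the exception to the signature and the signed Notes process tree is more robust than excepting one file hash.

```python
import fnmatch
import hashlib

# Assembled from two fragments so that the contiguous 68-byte test pattern does
# not sit verbatim in this source file (which could get the file quarantined too).
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$" + b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
EICAR_SHA1 = "3395856ce81f2b7382dee72602f798b642f14140"  # published SHA-1 of eicar.com


def find_eicar(blob: bytes) -> list:
    """Byte offsets of every EICAR occurrence inside blob. An embedded copy in
    an otherwise benign binary is enough for a signature scanner to fire."""
    offsets, start = [], 0
    while (pos := blob.find(EICAR, start)) != -1:
        offsets.append(pos)
        start = pos + 1
    return offsets


def sha1_hex(blob: bytes) -> str:
    return hashlib.sha1(blob).hexdigest()


def build_sample_dll() -> bytes:
    """Constructed stand-in for a large binary that carries one copy of EICAR
    (64-byte fake DOS header, 16 KiB filler, EICAR, 16 KiB filler)."""
    header = b"MZ" + b"\x00" * 62
    filler = bytes(range(256)) * 64
    return header + filler + EICAR + filler


# Flattened fields copied from the alert document posted in the thread.
NOTES_ALERT = {
    "file.Ext.malware_signature.primary.signature.id": "ac8f42d6-52da-46ec-8db1-5a5f69222a38",
    "file.hash.sha1": "b37ae7837aed007375f321d37866290aeb608870",
    "file.pe.file_version": "12.0.200.22306",
    "process.executable": "C:\\Program Files\\HCL\\Notes\\ndyncfg.exe",
    "process.parent.executable": "C:\\Program Files\\HCL\\Notes\\nlnotes.exe",
    "process.parent.code_signature.subject_name": "HCL America Inc.",
}


def updated_notes_alert() -> dict:
    """Constructed alert for a later Notes build: same signature hit and process
    tree, but a different file hash and version (hypothetical values)."""
    return dict(NOTES_ALERT, **{"file.hash.sha1": "0" * 40, "file.pe.file_version": "14.0.0.0"})


def exception_matches(alert: dict, entries: list) -> bool:
    """Simplified exception model (assumption, not Elastic's code): every
    (field, operator, value) entry must match. 'match' is an exact
    case-insensitive comparison, 'wildcard' is fnmatch-style with * and ?."""
    for field, operator, value in entries:
        actual = alert.get(field)
        if actual is None:
            return False
        actual, value = str(actual).lower(), value.lower()
        if operator == "match":
            if actual != value:
                return False
        elif operator == "wildcard":
            if not fnmatch.fnmatchcase(actual, value):
                return False
        else:
            raise ValueError(f"unsupported operator: {operator}")
    return True


# Scoped to the EICAR signature hit plus the signed Notes parent process,
# so it survives Notes updates that change nnotes.dll's hash and version.
NOTES_EXCEPTION = [
    ("file.Ext.malware_signature.primary.signature.id", "match",
     "ac8f42d6-52da-46ec-8db1-5a5f69222a38"),
    ("process.parent.executable", "wildcard", "C:\\Program Files\\HCL\\Notes\\*.exe"),
    ("process.parent.code_signature.subject_name", "match", "HCL America Inc."),
]

# Brittle alternative: excepting exactly one file hash.
HASH_ONLY_EXCEPTION = [("file.hash.sha1", "match", "b37ae7837aed007375f321d37866290aeb608870")]


if __name__ == "__main__":
    sample = build_sample_dll()
    print("EICAR offsets in sample:", find_eicar(sample))
    print("EICAR SHA-1 matches published value:", sha1_hex(EICAR) == EICAR_SHA1)
    for name, entries in (("signature+process", NOTES_EXCEPTION), ("hash-only", HASH_ONLY_EXCEPTION)):
        print(name, "covers current build:", exception_matches(NOTES_ALERT, entries),
              "| covers updated build:", exception_matches(updated_notes_alert(), entries))
```

Run it as a script and both exception items cover the alert from the thread, but only the signature-plus-process item still covers the constructed later build; a hash-only exception would reopen the problem at the next Notes update.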
Thank you @ferullo,

I saw this info but could not believe that a company would include EICAR in a component of its product. Also - why does Microsoft Defender not recognize this?
Well - I will now open a ticket with HCL to find out what they say about the issue.
Have a good time ...
