event.category:(network or network_traffic) and network.protocol:http and
(url.extension:(ps1 or rar) or url.path:(*.ps1 or *.rar)) and
I wrote 2 scripts, 1 in Python and 1 in PowerShell; both cases give no alert.
import requests  # third-party HTTP client the script relies on

url = 'https://getsamplefiles.com/download/rar/sample-1.rar'
filename = 'file.rar'
response = requests.get(url)  # HTTPS: the URL travels inside the encrypted stream
with open(filename, 'wb') as f:
    f.write(response.content)  # write the downloaded archive to disk
In order to execute, those files must be extracted from the archive, written to disk, then opened by their respective applications. Endpoint scans supported file types when they are written and/or opened. Endpoint doesn't attempt to scan compressed archives because the performance overhead can be significant, and efficacy is limited because trivial bypasses via password encryption are ubiquitous these days.
Endpoint doesn't intercept/MITM TLS connections (HTTPS) either. It provides IP-level reporting for such connections. For HTTPS connections, the URL is transmitted inside the encrypted stream. The encryption is performed inside the user-mode application, and its contents are not visible to our kernel driver. That rule mentions HTTP - have you tried the same download without TLS?
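As an added example (not code from this thread or from Elastic), the following models only the clauses of the rule fragment quoted above against constructed ECS-style events: an HTTP download of a .rar matches, while an HTTPS connection that carries only IP-level data and no url.* fields (as the reply describes) can never match, which is why the script above produces no alert. The field values, including the protocol label used for the HTTPS event, are assumptions, and the clause after the fragment's trailing "and" is not on the page and is not modelled.

```python
import fnmatch

# Constructed ECS-style events, not real Endpoint telemetry. The HTTPS event
# has no url.* fields because the URL is inside the encrypted stream.
SAMPLE_EVENTS = [
    {"event.category": ["network"], "network.protocol": "http",
     "url.path": "/download/rar/sample-1.rar", "url.extension": "rar",
     "destination.ip": "203.0.113.10"},
    {"event.category": ["network"], "network.protocol": "tls",  # assumed label
     "destination.ip": "203.0.113.10", "destination.port": 443},
    {"event.category": ["network"], "network.protocol": "http",
     "url.path": "/index.html", "url.extension": "html",
     "destination.ip": "203.0.113.10"},
]


def matches_rar_ps1_download_rule(event: dict) -> bool:
    """Evaluate the visible clauses of the rule fragment:
    event.category:(network or network_traffic) and network.protocol:http and
    (url.extension:(ps1 or rar) or url.path:(*.ps1 or *.rar))
    The clause following the trailing 'and' is not shown and is not modelled.
    """
    categories = event.get("event.category", [])
    if isinstance(categories, str):
        categories = [categories]
    if not {"network", "network_traffic"} & set(categories):
        return False
    if event.get("network.protocol") != "http":
        return False  # HTTPS/TLS events never satisfy this clause
    ext_hit = event.get("url.extension", "") in ("ps1", "rar")
    path = event.get("url.path", "")
    # KQL wildcard on a keyword field: '*' matches any run of characters
    path_hit = any(fnmatch.fnmatchcase(path, p) for p in ("*.ps1", "*.rar"))
    return ext_hit or path_hit


def alerting_events(events) -> list:
    """Return the indices of the events that would raise the alert."""
    return [i for i, e in enumerate(events) if matches_rar_ps1_download_rule(e)]


if __name__ == "__main__":
    print("alerting event indices:", alerting_events(SAMPLE_EVENTS))
```

Only the first event (plain HTTP, url.path ending in .rar) alerts; the HTTPS event fails on network.protocol before the URL clauses are ever evaluated.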