Initial Access (TA0001)
```esql
FROM logs-endpoint.alerts-*, logs-endpoint.events.process-* METADATA _id, _version, _index
| EVAL is_pkg_install = CASE(
    // npm npx yarn pnpm (Node.js ecosystem)
    process.parent.name IN ("node", "node.exe") AND (
        process.parent.command_line LIKE "*npm install*" OR
        process.parent.command_line LIKE "*npm i *" OR
        ends_with(process.parent.command_line, "npm i") OR
        process.parent.command_line LIKE "*npx *" OR
        process.parent.command_line LIKE "*yarn install*" OR
        process.parent.command_line LIKE "*yarn add*" OR
        process.parent.command_line LIKE "*pnpm install*" OR
        process.parent.command_line LIKE "*pnpm add*" OR
        process.parent.command_line LIKE "*npm-cli.js*install*" OR
        process.parent.command_line LIKE "*setup.js*"
    ), true,
    // pip pip3 pipx poetry uv (Python ecosystem)
    ((process.parent.name LIKE "python*" OR process.parent.name LIKE "pip*" OR process.parent.name IN ("uv", "uv.exe")) AND (
        process.parent.command_line LIKE "*pip install*" OR
        process.parent.command_line LIKE "*pip3 install*" OR
        process.parent.command_line LIKE "*-m pip install*" OR
        process.parent.command_line LIKE "*setup.py install*" OR
        process.parent.command_line LIKE "*setup.py develop*" OR
        process.parent.command_line LIKE "*pipx install*" OR
        process.parent.command_line LIKE "*poetry install*" OR
        process.parent.command_line LIKE "*poetry add*" OR
        process.parent.command_line LIKE "*uv pip install*" OR
        process.parent.command_line LIKE "*uv add*"
    )), true,
    // cargo (Rust / crates.io ecosystem)
    process.parent.name IN ("cargo", "cargo.exe", "rustc", "rustc.exe") AND (
        process.parent.command_line LIKE "*cargo install*" OR
        process.parent.command_line LIKE "*cargo build*" OR
        process.parent.command_line LIKE "*cargo run*" OR
        process.parent.command_line LIKE "*cargo fetch*"
    ), true,
    false
  )
| WHERE process.Ext.ancestry IS NOT NULL AND (event.dataset == "endpoint.alerts" OR is_pkg_install)
// Capture entity_ids for package install parent processes
| EVAL all_entity_id = CASE(is_pkg_install, process.parent.entity_id, "null")
// Collect all package install entity_ids globally
| INLINE STATS all_pkg_entity_ids = VALUES(all_entity_id) WHERE all_entity_id != "null"
// Find which package install entity_ids appear in this process's ancestry
| EVAL Esql.pkg_ancestor_ids = MV_INTERSECTION(all_pkg_entity_ids, process.Ext.ancestry)
// Elastic Defend alerts descended from a package install process
| WHERE Esql.pkg_ancestor_ids IS NOT NULL AND event.dataset == "endpoint.alerts"
| KEEP *
```
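The rule works in two passes: it first tags every process whose parent is a package-manager install command and collects those parents' `entity_id`s, then keeps only the Elastic Defend alerts whose `process.Ext.ancestry` contains one of them. The Python below is an added example, not part of the Elastic rule or its test data, that mirrors that logic over a handful of constructed endpoint events so the join can be stepped through offline. The `Event` fields are a simplified stand-in for the ECS fields the query reads, the `LIKE` globs are translated to regular expressions, and the sample `entity_id`s are made up.

```python
"""Offline mirror of the ES|QL package-install-ancestry rule (added example)."""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Parent-name sets and command-line patterns adapted from the rule's CASE branches.
NODE_PARENTS = {"node", "node.exe"}
NODE_PATTERNS = [r"npm install", r"npm i ", r"npm i$", r"npx ", r"yarn install", r"yarn add",
                 r"pnpm install", r"pnpm add", r"npm-cli\.js.*install", r"setup\.js"]
PY_PATTERNS = [r"pip install", r"pip3 install", r"-m pip install", r"setup\.py install",
               r"setup\.py develop", r"pipx install", r"poetry install", r"poetry add",
               r"uv pip install", r"uv add"]
CARGO_PARENTS = {"cargo", "cargo.exe", "rustc", "rustc.exe"}
CARGO_PATTERNS = [r"cargo install", r"cargo build", r"cargo run", r"cargo fetch"]


@dataclass
class Event:
    """Simplified stand-in for the fields the rule reads (assumed shape, not ECS)."""
    dataset: str            # event.dataset: "endpoint.alerts" or "endpoint.events.process"
    parent_name: str        # process.parent.name
    parent_cmdline: str     # process.parent.command_line
    parent_entity_id: str   # process.parent.entity_id
    ancestry: List[str]     # process.Ext.ancestry (empty list models NULL)
    event_id: str           # _id


def _matches_any(patterns: List[str], text: str) -> bool:
    return any(re.search(p, text) for p in patterns)


def is_pkg_install(ev: Event) -> bool:
    """Mirror of the rule's CASE(...) expression: is the parent a package install?"""
    name, cmd = ev.parent_name, ev.parent_cmdline
    if name in NODE_PARENTS and _matches_any(NODE_PATTERNS, cmd):
        return True
    py_parent = name.startswith("python") or name.startswith("pip") or name in {"uv", "uv.exe"}
    if py_parent and _matches_any(PY_PATTERNS, cmd):
        return True
    if name in CARGO_PARENTS and _matches_any(CARGO_PATTERNS, cmd):
        return True
    return False


def detect(events: List[Event]) -> List[Tuple[str, List[str]]]:
    """Pass 1 (INLINE STATS VALUES): collect entity_ids of package-install parents.
    Pass 2 (MV_INTERSECTION): keep alerts whose ancestry contains one of them.
    Rows with NULL ancestry are dropped before pass 1, exactly as the WHERE does."""
    pkg_ids = {ev.parent_entity_id for ev in events if ev.ancestry and is_pkg_install(ev)}
    hits = []
    for ev in events:
        if ev.dataset != "endpoint.alerts" or not ev.ancestry:
            continue
        ancestors = set(ev.ancestry) & pkg_ids
        if ancestors:
            hits.append((ev.event_id, sorted(ancestors)))
    return hits


# Constructed sample events (entity_ids and command lines are made up).
SAMPLE_EVENTS = [
    # npm install whose parent entity_id will be collected in pass 1
    Event("endpoint.events.process", "node", "node /usr/bin/npm install left-pad",
          "p-npm-1", ["p-shell-1"], "proc-1"),
    # alert raised in a postinstall script descended from that npm install -> hit
    Event("endpoint.alerts", "sh", "/bin/sh -c \"node scripts/postinstall.js\"",
          "p-post-1", ["p-post-1", "p-npm-1", "p-shell-1"], "alert-1"),
    # alert with no package-manager ancestor -> not a hit
    Event("endpoint.alerts", "explorer.exe", "explorer.exe",
          "p-explorer", ["p-explorer", "p-userinit"], "alert-2"),
    # pip install with NULL ancestry: filtered out, so its entity_id is never collected
    Event("endpoint.events.process", "python3", "python3 -m pip install requests",
          "p-pip-2", [], "proc-2"),
    Event("endpoint.alerts", "sh", "/bin/sh setup.sh", "p-sh-2", ["p-sh-2", "p-pip-2"], "alert-x"),
    # pip install with ancestry and an alert descended from it -> hit
    Event("endpoint.events.process", "pip3", "pip3 install somepkg",
          "p-pip-3", ["p-shell-3"], "proc-3"),
    Event("endpoint.alerts", "bash", "bash -c ./build.sh", "p-bash-3",
          ["p-bash-3", "p-pip-3", "p-shell-3"], "alert-3"),
]


def run_sample() -> List[Tuple[str, List[str]]]:
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for alert_id, ancestors in run_sample():
        print(f"{alert_id}: package-install ancestor(s) {ancestors}")
```

The `alert-x` case is worth noting: the rule filters on `process.Ext.ancestry IS NOT NULL` before `INLINE STATS`, so a package-install process whose own ancestry field is missing never contributes its `entity_id`, and alerts beneath it are not matched. Hosts or agent versions that do not populate `process.Ext.ancestry` are therefore a blind spot for this rule.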
Install detection rules in Elastic Security
Detect Elastic Defend Alert from Package Manager Install Ancestry in the Elastic Security detection engine by installing this rule into your Elastic Stack.
To set up this rule, check out the installation guide for Prebuilt Security Detection Rules.