Elastic Defend Alert from Package Manager Install Ancestry

calendar Mar 31, 2026 · Domain: Endpoint Use Case: Threat Detection Tactic: Initial Access Rule Type: Higher-Order Rule Resources: Investigation Guide Data Source: Elastic Defend  ·
Share on: linkedin copy

Detects Elastic Defend alerts (behavior, malicious file, memory signature, shellcode) where the alerted process has a package-manager install context in its ancestry: npm (Node.js), PyPI (pip / Python / uv), or Rust (cargo). Install-time spawn chains are a common path for supply-chain and postinstall abuse; this Higher-Order rule surfaces Defend alerts whose process tree includes such activity for prioritization.

Elastic rule (View on GitHub)

  1[metadata]
  2creation_date = "2026/03/31"
  3maturity = "production"
  4min_stack_comments = "ES|QL inline stats became generally available in 9.3.0 and MV_INTERSECTION is in preview since 9.3."
  5min_stack_version = "9.3.0"
  6updated_date = "2026/03/31"
  7
  8[rule]
  9author = ["Elastic"]
 10description = """
 11Detects Elastic Defend alerts (behavior, malicious file, memory signature, shellcode) where the alerted process has a
 12package-manager install context in its ancestry: npm (Node.js), PyPI (pip / Python / uv), or Rust (cargo). Install-time
 13spawn chains are a common path for supply-chain and postinstall abuse; this Higher-Order rule surfaces Defend alerts
 14whose process tree includes such activity for prioritization.
 15"""
 16from = "now-9m"
 17language = "esql"
 18license = "Elastic License v2"
 19name = "Elastic Defend Alert from Package Manager Install Ancestry"
 20note = """## Triage and analysis
 21
 22### Investigating Elastic Defend Alert from Package Manager Install Ancestry
 23
 24Elastic Defend raised an alert on a process whose ancestry includes a parent that was involved in a package install
 25(npm, pip/PyPI, or cargo/crates.io). That can indicate malicious postinstall scripts, dependency confusion, or
 26compromised packages.
 27
 28### Possible investigation steps
 29
 30- Identify the install context by finding a process whose `entity_id` appears in `Esql.pkg_ancestor_ids` (intersection
 31  with `process.Ext.ancestry`).
 32- Review `process.command_line` and `process.parent.command_line` for the install command and any script hooks
 33  (e.g. `preinstall`, `postinstall`, `setup.py`, build scripts).
 34- Correlate package name, registry, and lockfile or manifest on the host if available.
 35- Pivot on host, user, and network for additional alerts or outbound connections from the same tree.
 36
 37### False positive analysis
 38
 39- Normal `npm install`, `pip install`, and `cargo build` / `cargo install` during development or CI can produce alerts
 40  on descendant processes. Tune by excluding known-safe Defend rule names, paths, or command-line patterns.
 41
 42### Response and remediation
 43
 44- If abuse is confirmed: remove the suspect package, rotate secrets exposed to that environment, and block related IOCs.
 45"""
 46references = [
 47    "https://attack.mitre.org/techniques/T1195/",
 48    "https://attack.mitre.org/techniques/T1195/002/",
 49]
 50risk_score = 99
 51rule_id = "344e6c7d-ceb0-4f20-ba04-7c75569a7e38"
 52severity = "critical"
 53tags = [
 54    "Domain: Endpoint",
 55    "Use Case: Threat Detection",
 56    "Tactic: Initial Access",
 57    "Rule Type: Higher-Order Rule",
 58    "Resources: Investigation Guide",
 59    "Data Source: Elastic Defend",
 60]
 61timestamp_override = "event.ingested"
 62type = "esql"
 63
 64query = '''
 65FROM logs-endpoint.alerts-*, logs-endpoint.events.process-* METADATA _id, _version, _index
 66
 67| EVAL is_pkg_install = CASE(
 68    // npm  npx  yarn  pnpm (Node.js ecosystem)
 69    process.parent.name IN ("node", "node.exe") AND (
 70      process.parent.command_line LIKE "*npm install*" OR
 71      process.parent.command_line LIKE "*npm i *" OR
 72      ends_with(process.parent.command_line, "npm i") OR
 73      process.parent.command_line LIKE "*npx *" OR
 74      process.parent.command_line LIKE "*yarn install*" OR
 75      process.parent.command_line LIKE "*yarn add*" OR
 76      process.parent.command_line LIKE "*pnpm install*" OR
 77      process.parent.command_line LIKE "*pnpm add*" OR
 78      process.parent.command_line LIKE "*npm-cli.js*install*" OR
 79      process.parent.command_line LIKE "*setup.js*"
 80    ), true,
 81
 82    // pip  pip3 pipx poetry  uv (Python ecosystem)
 83    ((process.parent.name like "python*" or process.parent.name like "pip*" or process.parent.name IN ("uv", "uv.exe") ) AND (
 84      process.parent.command_line LIKE "*pip install*" OR
 85      process.parent.command_line LIKE "*pip3 install*" OR
 86      process.parent.command_line LIKE "*-m pip install*" OR
 87      process.parent.command_line LIKE "*setup.py install*" OR
 88      process.parent.command_line LIKE "*setup.py develop*" OR
 89      process.parent.command_line LIKE "*pipx install*" OR
 90      process.parent.command_line LIKE "*poetry install*" OR
 91      process.parent.command_line LIKE "*poetry add*" OR
 92      process.parent.command_line LIKE "*uv pip install*" OR
 93      process.parent.command_line LIKE "*uv add*")), true,
 94
 95    // cargo (Rust / crates.io ecosystem)
 96    process.parent.name IN ("cargo", "cargo.exe", "rustc", "rustc.exe") AND (
 97      process.parent.command_line LIKE "*cargo install*" OR
 98      process.parent.command_line LIKE "*cargo build*" OR
 99      process.parent.command_line LIKE "*cargo run*" OR
100      process.parent.command_line LIKE "*cargo fetch*"), true,
101
102    false
103  )
104
105| WHERE process.Ext.ancestry IS NOT NULL AND (event.dataset == "endpoint.alerts" OR is_pkg_install)
106
107// Capture entity_ids for package install parent processes
108| EVAL all_entity_id = CASE(is_pkg_install, process.parent.entity_id, "null")
109
110// Collect all package install entity_ids globally
111| INLINE STATS all_pkg_entity_ids = VALUES(all_entity_id) WHERE all_entity_id != "null"
112
113// Find which package install entity_ids appear in this process's ancestry
114| EVAL Esql.pkg_ancestor_ids = MV_INTERSECTION(all_pkg_entity_ids, process.Ext.ancestry)
115
116// Elastic Defend alerts descended from a package install process
117| WHERE Esql.pkg_ancestor_ids IS NOT NULL AND event.dataset == "endpoint.alerts"
118
119| KEEP *
120'''
121
122[[rule.threat]]
123framework = "MITRE ATT&CK"
124[[rule.threat.technique]]
125id = "T1195"
126name = "Supply Chain Compromise"
127reference = "https://attack.mitre.org/techniques/T1195/"
128[[rule.threat.technique.subtechnique]]
129id = "T1195.002"
130name = "Compromise Software Supply Chain"
131reference = "https://attack.mitre.org/techniques/T1195/002/"
132
133[rule.threat.tactic]
134id = "TA0001"
135name = "Initial Access"
136reference = "https://attack.mitre.org/tactics/TA0001/"

Triage and analysis

Investigating Elastic Defend Alert from Package Manager Install Ancestry

Elastic Defend raised an alert on a process whose ancestry includes a parent that was involved in a package install (npm, pip/PyPI, or cargo/crates.io). That can indicate malicious postinstall scripts, dependency confusion, or compromised packages.

Possible investigation steps

  • Identify the install context by finding a process whose entity_id appears in Esql.pkg_ancestor_ids (intersection with process.Ext.ancestry).
  • Review process.command_line and process.parent.command_line for the install command and any script hooks (e.g. preinstall, postinstall, setup.py, build scripts).
  • Correlate package name, registry, and lockfile or manifest on the host if available.
  • Pivot on host, user, and network for additional alerts or outbound connections from the same tree.

False positive analysis

  • Normal npm install, pip install, and cargo build / cargo install during development or CI can produce alerts on descendant processes. Tune by excluding known-safe Defend rule names, paths, or command-line patterns.

Response and remediation

  • If abuse is confirmed: remove the suspect package, rotate secrets exposed to that environment, and block related IOCs.

References

Related rules

to-top