Malware - Prevented - Elastic Endgame

Elastic Detection Rules

Summary
This detection rule, titled 'Malware - Prevented - Elastic Endgame', identifies events in which Elastic Endgame has blocked malware through its prevention mechanisms. It captures alerts tied to file classification events that indicate a malicious file was successfully quarantined. The rule's query filters on event kinds and modules belonging to Endgame prevention, focusing specifically on prevention events in which files were classified as malicious and blocked. Its configuration allows up to 10,000 alerts per run, significantly more than the default alert cap, so that large bursts of prevention events are not truncated.

The rule's risk score is 73, which places it in the high-severity category and calls for prompt investigation and response by security analysts. The investigation guide lays out a structured approach: analyzing the alert, validating findings against other logs, and identifying false positives or legitimate scenarios that may trigger the rule. Its recommendations include isolating affected systems, checking blocked files against threat intelligence, and conducting thorough sweeps to remove any remaining threat. The guidance also emphasizes updating security configurations to improve future detection against evolving threats.
Categories
  • Endpoint
  • Cloud
  • Infrastructure
  • On-Premise
Data Sources
  • Script
  • Application Log
  • Network Traffic
Created: 2020-02-18