alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP API Request to Events Endpoint with X-Public-Key header"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/api/v1/counter/"; startswith; content:"|3f|events=|2f|"; within:150; http.header; content:"X-Public-Key|3a 20|"; fast_pattern; pcre:"/^(?:\x22|\x27)[A-Za-z0-9]{32}/R"; classtype:misc-activity; sid:2060656; rev:1; metadata:affected_product Any, attack_target Client_and_Server, tls_state TLSDecrypt, created_at 2025_03_06, deployment Perimeter, performance_impact Low, confidence Medium, signature_severity Minor, updated_at 2025_03_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing; target:src_ip;)