Add list_id to exceptions_list and remove endgame:* from external alerts (#98)

This commit is contained in:
Yara Tercero
2020-07-28 09:30:48 -04:00
committed by GitHub
parent 978a8d9df8
commit 3c4a383947
2 changed files with 5 additions and 3 deletions
+1
@@ -32,6 +32,7 @@ event.kind:alert and event.module:(endpoint and not endgame)
[[rule.exceptions_list]]
id = "endpoint_list"
list_id = "endpoint_list"
namespace_type = "agnostic"
type = "endpoint"
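Review bot: The new `list_id` line and the existing `id` line in this `[[rule.exceptions_list]]` entry carry the same value `"endpoint_list"`, and nothing in the section says why both are present or which one the consumer resolves the exception list by. A one-line comment above the header, e.g. `# id and list_id both identify the endpoint exception list; the loader resolves it by list_id`, would save the next maintainer from guessing when one of them is changed — the "resolves by list_id" part is inferred from the commit title rather than visible here, so confirm it before writing it down. The hunk header shows two more context lines on the new side than the page prints, so the entry's surroundings are partly outside this view.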
+4 -3
@@ -7,10 +7,10 @@ updated_date = "2020/07/08"
[rule]
author = ["Elastic"]
description = """
Generates a detection alert for each external alert written to the configured indices. Enabling
this rule allows you to immediately begin investigating external alerts in the app.
Generates a detection alert for each external alert written to the configured indices. Enabling this rule allows you to
immediately begin investigating external alerts in the app.
"""
index = ["apm-*-transaction*", "auditbeat-*", "endgame-*", "filebeat-*", "logs-*", "packetbeat-*", "winlogbeat-*"]
index = ["apm-*-transaction*", "auditbeat-*", "filebeat-*", "logs-*", "packetbeat-*", "winlogbeat-*"]
language = "kuery"
license = "Elastic License"
max_signals = 10000
@@ -57,3 +57,4 @@ operator = "equals"
value = "99"
severity = "critical"