From 3c4a383947e9afc6ea2a80b40ff269a18df5ec62 Mon Sep 17 00:00:00 2001
From: Yara Tercero
Date: Tue, 28 Jul 2020 09:30:48 -0400
Subject: [PATCH] Add list_id to exceptions_list and remove endgame:* from external alerts (#98)
---
 rules/promotions/elastic_endpoint.toml | 1 +
 rules/promotions/external_alerts.toml | 7 ++++---
 2 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/rules/promotions/elastic_endpoint.toml b/rules/promotions/elastic_endpoint.toml
index d1500ea75..77c27483a 100644
--- a/rules/promotions/elastic_endpoint.toml
+++ b/rules/promotions/elastic_endpoint.toml
@@ -32,6 +32,7 @@ event.kind:alert and event.module:(endpoint and not endgame)
 [[rule.exceptions_list]]
 id = "endpoint_list"
+list_id = "endpoint_list"
 namespace_type = "agnostic"
 type = "endpoint"
diff --git a/rules/promotions/external_alerts.toml b/rules/promotions/external_alerts.toml
index e2fa2ed37..ed0b613ab 100644
--- a/rules/promotions/external_alerts.toml
+++ b/rules/promotions/external_alerts.toml
@@ -7,10 +7,10 @@ updated_date = "2020/07/08"
 [rule]
 author = ["Elastic"]
 description = """
-Generates a detection alert for each external alert written to the configured indices. Enabling
-this rule allows you to immediately begin investigating external alerts in the app.
+Generates a detection alert for each external alert written to the configured indices. Enabling this rule allows you to
+immediately begin investigating external alerts in the app.
 """
-index = ["apm-*-transaction*", "auditbeat-*", "endgame-*", "filebeat-*", "logs-*", "packetbeat-*", "winlogbeat-*"]
+index = ["apm-*-transaction*", "auditbeat-*", "filebeat-*", "logs-*", "packetbeat-*", "winlogbeat-*"]
 language = "kuery"
 license = "Elastic License"
 max_signals = 10000
@@ -57,3 +57,4 @@ operator = "equals"
 value = "99"
 severity = "critical"
+
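Review bot: The added `list_id = "endpoint_list"` in the `[[rule.exceptions_list]]` table of elastic_endpoint.toml carries the same string as the existing `id` key with nothing explaining why both are needed or whether they are required to stay equal. Because this table decides which exception list suppresses alerts from the rule, a reader editing one of the two values later has no guidance that the other must move with it, and a mismatch would presumably either drop the suppression or bind the rule to the wrong list. I would add, above the table, a comment such as `# id and list_id both identify the endpoint exception list; keep them in sync` — hedged with the actual distinction between the two keys if the consuming API treats them differently, which the hunk does not show. The `[[rule.exceptions_list]]` table appears complete within the hunk.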
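Review bot: Dropping `"endgame-*"` from `index` in external_alerts.toml narrows detection coverage, and the commit does not say where alerts written to those indices are now promoted. The query shown in the first hunk's header for elastic_endpoint.toml, `event.kind:alert and event.module:(endpoint and not endgame)`, already excludes endgame, so after this change neither of the two promotion rules visible here reads those alerts; if a dedicated rule covers them it should be named in the commit message, otherwise this looks like an unintentional gap. The description rewrap in the same hunk is only a line-width change and the appended trailing blank line in the third hunk is whitespace. The `[rule]` table continues past the end of the hunk.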