[FR] Add max_signal note, unit test, and rule tuning (#3669)
@@ -4,7 +4,7 @@ integration = ["cloud_defend"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "Initial version of the Container Workload Protection alerts"
|
||||
min_stack_version = "8.8.0"
|
||||
updated_date = "2023/06/22"
|
||||
updated_date = "2024/05/13"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -22,6 +22,15 @@ name = "Container Workload Protection"
|
||||
risk_score = 47
|
||||
rule_id = "4b4e9c99-27ea-4621-95c8-82341bc6e512"
|
||||
rule_name_override = "message"
|
||||
setup = """## Setup
|
||||
|
||||
This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible.
|
||||
|
||||
**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher.
|
||||
|
||||
To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly.
|
||||
|
||||
**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects."""
|
||||
severity = "medium"
|
||||
tags = ["Data Source: Elastic Defend for Containers", "Domain: Container"]
|
||||
timestamp_override = "event.ingested"
|
||||
|
||||
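Review bot: The added setup note tells the operator to raise `xpack.alerting.rules.run.alerts.max` "accordingly" but never states this rule's own **Max alerts per run** value, so the reader has to open the rule to find the number to set; the Endgame sections of this commit show `max_signals = 10000` in their hunk header, while for this section and the Endpoint Security section the value is not visible in the hunk. Consider spelling it out, e.g. `This rule is configured with a higher **Max alerts per run** than the default of 1000 set for all rules (see this rule's max_signals value).`, which also fixes the awkward "generate more **Max alerts per run** than the default" phrasing in the first sentence. Any wording change must be made in lockstep with the `test_max_signals_note` unit test added in this commit, which matches the note text verbatim, so a constant shared between the rule tooling and the test would be the safer home for it. The identical note is added in every other rule section of this commit (Endpoint Security, all Elastic Endgame promotion rules, External Alerts), so the same remark applies there.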
@@ -4,7 +4,7 @@ integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2023/06/22"
|
||||
updated_date = "2024/05/13"
|
||||
promotion = true
|
||||
|
||||
[rule]
|
||||
@@ -23,6 +23,15 @@ name = "Endpoint Security"
|
||||
risk_score = 47
|
||||
rule_id = "9a1a2dae-0b5f-4c3d-8305-a268d404c306"
|
||||
rule_name_override = "message"
|
||||
setup = """## Setup
|
||||
|
||||
This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible.
|
||||
|
||||
**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher.
|
||||
|
||||
To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly.
|
||||
|
||||
**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects."""
|
||||
severity = "medium"
|
||||
tags = ["Data Source: Elastic Defend"]
|
||||
timestamp_override = "event.ingested"
|
||||
|
||||
@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2024/01/17"
|
||||
updated_date = "2024/05/13"
|
||||
promotion = true
|
||||
|
||||
[rule]
|
||||
@@ -21,6 +21,15 @@ max_signals = 10000
|
||||
name = "Credential Dumping - Detected - Elastic Endgame"
|
||||
risk_score = 73
|
||||
rule_id = "571afc56-5ed9-465d-a2a9-045f099f6e7e"
|
||||
setup = """## Setup
|
||||
|
||||
This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible.
|
||||
|
||||
**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher.
|
||||
|
||||
To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly.
|
||||
|
||||
**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects."""
|
||||
severity = "high"
|
||||
tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Credential Access"]
|
||||
type = "query"
|
||||
|
||||
@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2024/01/17"
|
||||
updated_date = "2024/05/13"
|
||||
promotion = true
|
||||
|
||||
[rule]
|
||||
@@ -21,6 +21,15 @@ max_signals = 10000
|
||||
name = "Credential Dumping - Prevented - Elastic Endgame"
|
||||
risk_score = 47
|
||||
rule_id = "db8c33a8-03cd-4988-9e2c-d0a4863adb13"
|
||||
setup = """## Setup
|
||||
|
||||
This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible.
|
||||
|
||||
**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher.
|
||||
|
||||
To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly.
|
||||
|
||||
**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects."""
|
||||
severity = "medium"
|
||||
tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Credential Access"]
|
||||
type = "query"
|
||||
|
||||
@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2024/01/17"
|
||||
updated_date = "2024/05/13"
|
||||
promotion = true
|
||||
|
||||
[rule]
|
||||
@@ -21,6 +21,15 @@ max_signals = 10000
|
||||
name = "Adversary Behavior - Detected - Elastic Endgame"
|
||||
risk_score = 47
|
||||
rule_id = "77a3c3df-8ec4-4da4-b758-878f551dee69"
|
||||
setup = """## Setup
|
||||
|
||||
This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible.
|
||||
|
||||
**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher.
|
||||
|
||||
To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly.
|
||||
|
||||
**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects."""
|
||||
severity = "medium"
|
||||
tags = ["Data Source: Elastic Endgame"]
|
||||
type = "query"
|
||||
|
||||
@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2024/01/17"
|
||||
updated_date = "2024/05/13"
|
||||
promotion = true
|
||||
|
||||
[rule]
|
||||
@@ -21,6 +21,15 @@ max_signals = 10000
|
||||
name = "Malware - Detected - Elastic Endgame"
|
||||
risk_score = 99
|
||||
rule_id = "0a97b20f-4144-49ea-be32-b540ecc445de"
|
||||
setup = """## Setup
|
||||
|
||||
This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible.
|
||||
|
||||
**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher.
|
||||
|
||||
To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly.
|
||||
|
||||
**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects."""
|
||||
severity = "critical"
|
||||
tags = ["Data Source: Elastic Endgame"]
|
||||
type = "query"
|
||||
|
||||
@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2024/01/17"
|
||||
updated_date = "2024/05/13"
|
||||
promotion = true
|
||||
|
||||
[rule]
|
||||
@@ -21,6 +21,15 @@ max_signals = 10000
|
||||
name = "Malware - Prevented - Elastic Endgame"
|
||||
risk_score = 73
|
||||
rule_id = "3b382770-efbb-44f4-beed-f5e0a051b895"
|
||||
setup = """## Setup
|
||||
|
||||
This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible.
|
||||
|
||||
**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher.
|
||||
|
||||
To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly.
|
||||
|
||||
**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects."""
|
||||
severity = "high"
|
||||
tags = ["Data Source: Elastic Endgame"]
|
||||
type = "query"
|
||||
|
||||
@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2024/01/17"
|
||||
updated_date = "2024/05/13"
|
||||
promotion = true
|
||||
|
||||
[rule]
|
||||
@@ -21,6 +21,15 @@ max_signals = 10000
|
||||
name = "Ransomware - Detected - Elastic Endgame"
|
||||
risk_score = 99
|
||||
rule_id = "8cb4f625-7743-4dfb-ae1b-ad92be9df7bd"
|
||||
setup = """## Setup
|
||||
|
||||
This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible.
|
||||
|
||||
**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher.
|
||||
|
||||
To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly.
|
||||
|
||||
**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects."""
|
||||
severity = "critical"
|
||||
tags = ["Data Source: Elastic Endgame"]
|
||||
type = "query"
|
||||
|
||||
@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2024/01/17"
|
||||
updated_date = "2024/05/13"
|
||||
promotion = true
|
||||
|
||||
[rule]
|
||||
@@ -21,6 +21,15 @@ max_signals = 10000
|
||||
name = "Ransomware - Prevented - Elastic Endgame"
|
||||
risk_score = 73
|
||||
rule_id = "e3c5d5cb-41d5-4206-805c-f30561eae3ac"
|
||||
setup = """## Setup
|
||||
|
||||
This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible.
|
||||
|
||||
**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher.
|
||||
|
||||
To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly.
|
||||
|
||||
**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects."""
|
||||
severity = "high"
|
||||
tags = ["Data Source: Elastic Endgame"]
|
||||
type = "query"
|
||||
|
||||
@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2024/01/17"
|
||||
updated_date = "2024/05/13"
|
||||
promotion = true
|
||||
|
||||
[rule]
|
||||
@@ -21,6 +21,15 @@ max_signals = 10000
|
||||
name = "Exploit - Detected - Elastic Endgame"
|
||||
risk_score = 73
|
||||
rule_id = "2003cdc8-8d83-4aa5-b132-1f9a8eb48514"
|
||||
setup = """## Setup
|
||||
|
||||
This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible.
|
||||
|
||||
**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher.
|
||||
|
||||
To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly.
|
||||
|
||||
**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects."""
|
||||
severity = "high"
|
||||
tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Privilege Escalation"]
|
||||
type = "query"
|
||||
|
||||
@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2024/01/17"
|
||||
updated_date = "2024/05/13"
|
||||
promotion = true
|
||||
|
||||
[rule]
|
||||
@@ -21,6 +21,15 @@ max_signals = 10000
|
||||
name = "Exploit - Prevented - Elastic Endgame"
|
||||
risk_score = 47
|
||||
rule_id = "2863ffeb-bf77-44dd-b7a5-93ef94b72036"
|
||||
setup = """## Setup
|
||||
|
||||
This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible.
|
||||
|
||||
**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher.
|
||||
|
||||
To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly.
|
||||
|
||||
**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects."""
|
||||
severity = "medium"
|
||||
tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Privilege Escalation"]
|
||||
type = "query"
|
||||
|
||||
@@ -3,7 +3,7 @@ creation_date = "2020/07/08"
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2024/01/17"
|
||||
updated_date = "2024/05/13"
|
||||
promotion = true
|
||||
|
||||
[rule]
|
||||
@@ -20,6 +20,15 @@ name = "External Alerts"
|
||||
risk_score = 47
|
||||
rule_id = "eb079c62-4481-4d6e-9643-3ca499df7aaa"
|
||||
rule_name_override = "message"
|
||||
setup = """## Setup
|
||||
|
||||
This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible.
|
||||
|
||||
**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher.
|
||||
|
||||
To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly.
|
||||
|
||||
**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects."""
|
||||
severity = "medium"
|
||||
tags = ["OS: Windows", "Data Source: APM", "OS: macOS", "OS: Linux"]
|
||||
timestamp_override = "event.ingested"
|
||||
|
||||
@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2024/01/17"
|
||||
updated_date = "2024/05/13"
|
||||
promotion = true
|
||||
|
||||
[rule]
|
||||
@@ -21,6 +21,15 @@ max_signals = 10000
|
||||
name = "Credential Manipulation - Detected - Elastic Endgame"
|
||||
risk_score = 73
|
||||
rule_id = "c0be5f31-e180-48ed-aa08-96b36899d48f"
|
||||
setup = """## Setup
|
||||
|
||||
This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible.
|
||||
|
||||
**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher.
|
||||
|
||||
To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly.
|
||||
|
||||
**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects."""
|
||||
severity = "high"
|
||||
tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Privilege Escalation"]
|
||||
type = "query"
|
||||
|
||||
@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2024/01/17"
|
||||
updated_date = "2024/05/13"
|
||||
promotion = true
|
||||
|
||||
[rule]
|
||||
@@ -21,6 +21,15 @@ max_signals = 10000
|
||||
name = "Credential Manipulation - Prevented - Elastic Endgame"
|
||||
risk_score = 47
|
||||
rule_id = "c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa"
|
||||
setup = """## Setup
|
||||
|
||||
This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible.
|
||||
|
||||
**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher.
|
||||
|
||||
To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly.
|
||||
|
||||
**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects."""
|
||||
severity = "medium"
|
||||
tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Privilege Escalation"]
|
||||
type = "query"
|
||||
|
||||
@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2024/01/17"
|
||||
updated_date = "2024/05/13"
|
||||
promotion = true
|
||||
|
||||
[rule]
|
||||
@@ -21,6 +21,15 @@ max_signals = 10000
|
||||
name = "Permission Theft - Detected - Elastic Endgame"
|
||||
risk_score = 73
|
||||
rule_id = "c3167e1b-f73c-41be-b60b-87f4df707fe3"
|
||||
setup = """## Setup
|
||||
|
||||
This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible.
|
||||
|
||||
**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher.
|
||||
|
||||
To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly.
|
||||
|
||||
**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects."""
|
||||
severity = "high"
|
||||
tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Privilege Escalation"]
|
||||
type = "query"
|
||||
|
||||
@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2024/01/17"
|
||||
updated_date = "2024/05/13"
|
||||
promotion = true
|
||||
|
||||
[rule]
|
||||
@@ -21,6 +21,15 @@ max_signals = 10000
|
||||
name = "Permission Theft - Prevented - Elastic Endgame"
|
||||
risk_score = 47
|
||||
rule_id = "453f659e-0429-40b1-bfdb-b6957286e04b"
|
||||
setup = """## Setup
|
||||
|
||||
This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible.
|
||||
|
||||
**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher.
|
||||
|
||||
To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly.
|
||||
|
||||
**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects."""
|
||||
severity = "medium"
|
||||
tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Privilege Escalation"]
|
||||
type = "query"
|
||||
|
||||
@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2024/01/17"
|
||||
updated_date = "2024/05/13"
|
||||
promotion = true
|
||||
|
||||
[rule]
|
||||
@@ -21,6 +21,15 @@ max_signals = 10000
|
||||
name = "Process Injection - Detected - Elastic Endgame"
|
||||
risk_score = 73
|
||||
rule_id = "80c52164-c82a-402c-9964-852533d58be1"
|
||||
setup = """## Setup
|
||||
|
||||
This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible.
|
||||
|
||||
**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher.
|
||||
|
||||
To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly.
|
||||
|
||||
**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects."""
|
||||
severity = "high"
|
||||
tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Privilege Escalation"]
|
||||
type = "query"
|
||||
|
||||
@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2024/01/17"
|
||||
updated_date = "2024/05/13"
|
||||
promotion = true
|
||||
|
||||
[rule]
|
||||
@@ -21,6 +21,15 @@ max_signals = 10000
|
||||
name = "Process Injection - Prevented - Elastic Endgame"
|
||||
risk_score = 47
|
||||
rule_id = "990838aa-a953-4f3e-b3cb-6ddf7584de9e"
|
||||
setup = """## Setup
|
||||
|
||||
This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible.
|
||||
|
||||
**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher.
|
||||
|
||||
To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly.
|
||||
|
||||
**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects."""
|
||||
severity = "medium"
|
||||
tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Privilege Escalation"]
|
||||
type = "query"
|
||||
|
||||
+26
-1
@@ -147,6 +147,30 @@ class TestValidRules(BaseRuleTest):
|
||||
with self.assertRaises(ValidationError):
|
||||
build_rule(query=query, from_field="now-10m", interval="10m")
|
||||
|
||||
def test_max_signals_note(self):
|
||||
"""Ensure the max_signals note is present when max_signals > 1000."""
|
||||
max_signal_standard_setup = 'This rule is configured to generate more **Max alerts per run** than the ' \
|
||||
'default 1000 alerts per run set for all rules. This is to ensure that it ' \
|
||||
"captures as many alerts as possible.\n\n**IMPORTANT:** The rule's " \
|
||||
'**Max alerts per run** setting can be superseded by the ' \
|
||||
'`xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines ' \
|
||||
'the maximum alerts generated by _any_ rule in the Kibana alerting framework. ' \
|
||||
'For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule ' \
|
||||
'will still generate no more than 1000 alerts even if its own **Max alerts per ' \
|
||||
'run** is set higher.\n\nTo make sure this rule can generate as many alerts as ' \
|
||||
"it's configured in its own **Max alerts per run** setting, increase the " \
|
||||
'`xpack.alerting.rules.run.alerts.max` system setting accordingly.\n\n**NOTE:** ' \
|
||||
'Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless ' \
|
||||
'projects.'
|
||||
for rule in self.all_rules:
|
||||
if rule.contents.data.max_signals and rule.contents.data.max_signals > 1000:
|
||||
error_message = f'{self.rule_str(rule)} note required for max_signals > 1000'
|
||||
self.assertIsNotNone(rule.contents.data.setup, error_message)
|
||||
if max_signal_standard_setup not in rule.contents.data.setup:
|
||||
self.fail(f'{self.rule_str(rule)} expected max_signals note missing\n\n'
|
||||
f'Expected: {max_signal_standard_setup}\n\n'
|
||||
f'Actual: {rule.contents.data.setup}')
|
||||
|
||||
|
||||
class TestThreatMappings(BaseRuleTest):
|
||||
"""Test threat mapping data for rules."""
|
||||
@@ -870,7 +894,8 @@ class TestIntegrationRules(BaseRuleTest):
|
||||
note_str = integration_notes.get(integration)
|
||||
|
||||
if note_str:
|
||||
self.assert_(rule.contents.data.note, f'{self.rule_str(rule)} note required for config information')
|
||||
error_message = f'{self.rule_str(rule)} note required for config information'
|
||||
self.assertIsNotNone(rule.contents.data.note, error_message)
|
||||
|
||||
if note_str not in rule.contents.data.note:
|
||||
self.fail(f'{self.rule_str(rule)} expected {integration} config missing\n\n'
|
||||
|
||||
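Review bot: `test_max_signals_note` embeds the full canonical note as a backslash-continued string literal and hard-codes the 1000 threshold in the `max_signals > 1000` condition, the error message and the note text itself, so a future wording or threshold change has to be edited in lockstep in the test and every rule file, and a near-miss in one rule (a single punctuation or whitespace edit) only surfaces at the substring check with both full texts dumped. Hoist them to module-level constants, e.g. `MAX_SIGNALS_NOTE_THRESHOLD = 1000` and a parenthesised `MAX_SIGNALS_STANDARD_SETUP = (...)`, and use them in the condition and the f-string message; ideally the rule tooling emits the note from the same constant. In the second hunk of this section, swapping `self.assert_(rule.contents.data.note, ...)` for `assertIsNotNone` weakens the precondition: an empty `note = ""` now passes and only fails later at `note_str not in` with the less specific "config missing" message, so `self.assertTrue(rule.contents.data.note, error_message)` keeps the old truthiness semantics without the deprecated `assert_` alias. The same `assertIsNotNone` pattern is used for `setup` in the new test at `self.assertIsNotNone(rule.contents.data.setup, error_message)`, where `assertTrue` would likewise reject an empty setup string up front.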